
Posts

Byte-Size Tech: Essential Tips for Safer Online Shopping

April 2, 2021/in Data Security, How To, Video /by Marcia Spicer

HTTPS? SSL? Targot.com? What about those pop-up businesses that advertise on social media? Libby Powers and Marcia Spicer of Anderson Technologies break down some essential tips and potential problems to watch out for when shopping online. If you’re worried that your shopping or surfing habits have compromised your business, contact Anderson Technologies today.

Related Reading

  • 8 Steps to Safe(r) Online Shopping
  • How to Identify Phishing and BEC Scam Emails
  • Opting Out: Keeping Your Personal Data Private

Transcript

Libby Powers: Hi, everybody. Welcome to another episode of Byte-Size Tech. I want to introduce you to Marcia. Marcia is a team member that actually wears a lot of hats here at Anderson Technologies. In addition to being a member of our Archival team, she also helps build content for our website. In that role she’s done a lot of reading on cybersecurity scams, privacy, and online safety. I actually asked Marcia to come on Byte-Size Tech to talk to you about something everybody does these days: online shopping. Marcia?

Marcia Spicer: Hi, Libby. Online shopping isn’t something that we deal with on a regular basis at Anderson Technologies. That tends to fall outside of our sphere. But it is something that could affect your data privacy and could lead to a business breach. With so much of our lives shifting more and more online in the past year, and that not likely to go away, it’s probably a good time to review a couple of tips. If you don’t do your shopping online, you might want to watch anyway, because some of these tips can apply to just about anything that you do online, so there will be a takeaway for you.

Libby Powers: Awesome. What do you have for us then? I’m excited to learn this.

Marcia Spicer: Okay, I’m sure you’ve got some tried and true shopping websites that you know, and you trust their name brands. You’ve had great experiences with them, but maybe you’re thinking about making a purchase from a new site for the first time. When you’re in that situation, it’s time to slow down. There are a couple things to look at.

First, you want to look at the website address. There are two big things to look for here. The first step is HTTPS. If you click on the address bar—it’s at the top of your web browser—you should be able to see the full address of the website that you’re on. This will either begin with an HTTP or an HTTPS. The HTTPS is what you want. This is a security standard that means that the site has SSL encryption installed.

Libby Powers: Oh, what’s SSL encryption?

Marcia Spicer: SSL encryption means that any information that you submit to the site—say, your credit card, for example, or your address, phone number—when you submit that to the website, it’s encrypted, or encoded, so that criminals that might be trying to eavesdrop on your traffic or gain access to the website, they can’t see that data and they can’t steal it.

Libby Powers: Okay, well, that’s a great tip. So look for HTTPS at the very beginning of the website, right?

Marcia Spicer: Yes.

Libby Powers: Well, what else do you have now?

Marcia Spicer: While you’re looking at your website address, you’ll want to carefully look at the whole address. You probably know what site you want to be on, and you want to make sure that that address matches that site. It can be something super close, but sometimes there is just a little bit off. Maybe you’re thinking you want to be at Target.com, and when you look at that website address, you see “Targot.com” or “Target.ra” or something that might not be the actual website. Something’s fishy.

Then there’s another type of website that’s sketchy for shopping. These fun niche products pop up all the time on social media. I see them on Instagram and Facebook; I’ve got little kids, and they know their audience. I saw this adorable little octopus stuffed animal, and I thought my daughter would just die. When I clicked through on the website… Everything looked legit in the ad, but when I clicked through, I noticed that the octopus plush was the only thing they were selling. Sure, it was in different colors, but that was their only product. That’s the only thing that business did. So I had a little bit of doubt there.

Libby Powers: Hesitation?

Marcia Spicer: It’s time to look a little bit closer. As I’m kind of scrolling through the website, there are messages popping up throughout the website that say “Buy now! We’re almost sold out! There’s none left! We’re having a sale and you need to buy right now!” And for a lot of people, I think that would be like, “Oh yes, I’ve got to take advantage of this deal.” For me, since I’ve done so much reading, I took it as, “Hang on. They’re trying to get me to act quickly and not look closely.”

Libby Powers: To not pay attention, yeah.

Marcia Spicer: Right. If you do end up making a purchase from a shady site like this, you can risk having your data stolen. A lot of people never receive their package, or they receive something that’s a super cheap knockoff that doesn’t look anything like what they wanted to buy. They’re pop-up businesses, basically. They make their money from drop-shipping bad products from China [or] from other countries; the company can disappear overnight, you can’t make returns, you’re not going to get a refund, you’re probably not going to be able to contact customer service—all around just not a great experience for you. Sometimes you can even look up the same product on a site you do trust or just a search engine, and you can find something really similar but it’s from a trusted site.

That octopus plushie? I did a quick search for it, and I found the exact same product on a site that I had used before. It had a lower price, it had normal shipping rates, it wasn’t anything like what they were trying to railroad me for money, there was none of the “You’ve got to buy it right this second” messaging, so I felt a lot safer going through with that purchase.

Libby Powers: You know, something that you say is the “Buy now” messaging, and I think you’re spot on with that, because it’s psychological for people to feel like they’re missing out on something. And those ads are everywhere: They’re on Facebook, they’re on LinkedIn, they’re on every social media platform you could think of. I think of the phrase “Too good to be true.” That’s such an important thing to have in mind when we do anything online.

Marcia Spicer: Exactly. And that message is going to apply to any site that you visit. When you’re looking for that HTTPS, know that that S, that SSL encoding, is standard. Every website you visit should have that HTTPS at the beginning. And even if you think you’re where you want to be, take a moment to double check, because a lot of times those promises of things that are too good to be true are so tempting that we’ve just got to pump the brakes a little bit and take a moment to look at the surroundings online.

Libby Powers: I really appreciate you sharing these tips. I think you probably have more tips that you could share because online…everything is online, our entire lives are online. What we can do to protect our information is really important. We’ve got to do our due diligence.

Marcia Spicer: That’s so true. I’ve got more tips if you’ll have me back for more videos.

Libby Powers: Of course. And if you’re concerned that dodgy online shopping habits have given access to the wrong people, then give us a call. Thanks so much. Have a great day.

Marcia Spicer: Bye.
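The two address-bar checks Marcia walks through above (is it HTTPS, and is the host really the site you meant or only a lookalike such as “Targot.com” or “Target.ra”), turned into an added Python example. This is not code from the post or from Anderson Technologies; the trusted-site list, the sample addresses and the two-typo threshold are assumptions made up for the example.

```python
"""Added example (not from the post): the two address-bar checks from the
transcript as code. (1) Is the scheme HTTPS? (2) Is the host really a site
you trust, or only a lookalike such as "Targot.com" or "Target.ra"?
The trusted-site list, sample addresses and edit-distance threshold are
assumptions constructed for this example."""
from urllib.parse import urlsplit

# Constructed for the example: sites the shopper already knows and trusts.
TRUSTED_HOSTS = ("target.com", "amazon.com")


def edit_distance(a, b):
    """Levenshtein distance: how many single-letter edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def split_address(url):
    """urlsplit that also copes with a bare 'targot.com' typed without a scheme."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url)


def normalize_host(url):
    """Lower-cased host with a leading 'www.' removed."""
    host = (split_address(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_trusted(host):
    # The trusted site itself, or one of its own subdomains (shop.target.com).
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def lookalike_reason(host, trusted):
    """Why `host` resembles `trusted` without being it, or None if it doesn't."""
    brand = trusted.split(".")[0]
    labels = host.split(".")
    # target.ra or target.com.evil-example.net: the brand name is present,
    # but the registered site is something else.
    if brand in labels:
        return "uses the name '%s' but is not %s" % (brand, trusted)
    # targot.com: a label one or two typos away from the brand name.
    for label in labels:
        if len(label) >= 4 and 0 < edit_distance(label, brand) <= 2:
            return "'%s' is a near-miss spelling of '%s'" % (label, brand)
    return None


def check_url(url):
    """Return the host, whether HTTPS is used, a verdict and the findings."""
    host = normalize_host(url)
    https = split_address(url).scheme.lower() == "https"
    findings = []
    if not https:
        findings.append("no HTTPS: anything you submit travels unencrypted")
    if is_trusted(host):
        verdict = "trusted"
    else:
        reasons = [r for r in (lookalike_reason(host, t) for t in TRUSTED_HOSTS) if r]
        if reasons:
            verdict = "fishy"
            findings.extend(reasons)
        else:
            verdict = "unknown"
            findings.append("not on your trusted list: slow down and look closer")
    return {"host": host, "https": https, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample addresses, including the two from the transcript.
    for sample in ("https://www.target.com/p/octopus-plush", "Targot.com",
                   "https://target.ra/", "http://shop.target.com/cart",
                   "https://cutie-octopus-example.shop/"):
        result = check_url(sample)
        print(sample, "->", result["verdict"], result["findings"])
```

The near-miss test is a heuristic: it catches one- or two-letter typos of a brand name you already trust, not an unrelated pop-up shop, which simply comes back as "unknown".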

Learn: Battle of the Brands: Microsoft’s Office 365 vs. Google’s Workspace

February 4, 2021/in How To, Managed Services, Technology Alert /by Marcia Spicer

Microsoft and Google are two of the most common technology foundations. Which one you choose can fundamentally change the way you and your employees operate. The decision is a big one and will impact your company for years to come.

Microsoft Office 365 vs. Google Workspace

Opting Out: Keeping Your Personal Data Private

February 3, 2021/in Data Security /by Andrea Glazer

What does your phone know about you? What about your email or your browser? What can strangers—or scammers—find out about you with a quick search?

This is called your digital footprint, and for the security- or data-conscious consumer, this is old news. What might not be old news are the many ways to be aware of, change, and erase parts of your personal and professional data footprint.

Some parts of your digital footprint are visible to everyone. Think about what appears when you run your name through a search engine. Some information is public and accessible to someone willing to dig. This might involve cross-referencing screen names, email addresses, and photos. Other aspects of your footprint are locked within a service such as a search engine, social media account, or browser. The risk in this part of your footprint lies in how an app or service uses your data and if that data is susceptible to breach.

There is a lot you can take control of on your own with a few clicks, if you know what to look for. The information below isn’t meant as an all-encompassing guide. For questions connected to your specific technological setup, you’ll need to contact your IT support provider.

Phones and Tablets

Our phones have become our constant companions, connecting us to so many of the ways we interact with the world. Most Americans use Apple iOS or Android devices, and there are a lot of ways to tweak digital footprints on these devices, but for those dedicated to security, there are other options.

What are the differences between Apple and Android? And can third-party OSs compete? Learn about the pros and cons of each type of device.

A good general rule across all operating systems is to disable Bluetooth and Wi-Fi connectivity unless you are actively using them. Bluetooth can be used to query your device’s location and even sneak malware right under your nose. Never connect to unsecured Wi-Fi networks, and definitely don’t access sensitive information over those connections. Avoid using Wi-Fi provided by companies or organizations you aren’t familiar with, even though it can be tempting to check your email over lunch.

Take a close look at the permissions you’re giving to each app on your phone. Apple’s most recent updates are making this easier by directly stating the permissions for each app and allowing for granular control. Does your favorite mobile game need access to your camera or photos? Probably not! And if the app doesn’t function without that access, it is time to find an alternative app.

Android phones also make it clear what permissions you’re granting to a given app when it’s installed. You can also check per-app, and then delete or modify those permissions if necessary.

The latest headline in mobile security issues involves zero-click hacks of iPhones. There’s nothing security-conscious users can do at the moment, aside from noting any bizarre behaviors and continuing to exercise caution regarding sensitive information that is stored on or accessed by a mobile device. But this avenue of attack seems to be on the rise. Installing OS updates as they roll out may be an effective deterrent to these attacks.

Email

Divide and conquer. Designate separate email accounts for separate purposes and don’t cross the streams. Don’t mix work and personal accounts, despite how tempting it may be! These two accounts are often approached with different security considerations and different contact lists. Beyond data gathering by email clients, email itself can increase risk to all of your cyber connections due to the abundance of phishing emails.

Gmail

Your personal email can often be a heavier load on your digital footprint than your professional account. It is only human to occasionally let the security vigilance expected at work lapse during off hours.

Google has made clear they plan to roll out new privacy measures soon. These options will not only allow users to turn off features like smart reply but also to opt out of allowing their usage data to feed the algorithm used to make these features stronger.

While we wait for these changes to roll out, take a look at the privacy controls that already exist. If your Gmail account is tied to a Chrome browser login, those privacy controls can seriously impact the ads you see, the history that is logged, and what information is tied to your account for Google’s services. It may be wise to log out of your Google account before using services like the search engine or Google Maps.

Any account you log into can allow parties to track your browsing history. Check the settings of your email, social media, and even browser extensions before remaining logged in while browsing the web.

Outlook

If you’ve been receiving “Your Daily Briefing” from Cortana and feel uncomfortable about your emails being read by AI, rest assured security is still in mind. According to Microsoft, Cortana meets the same rigorous security standards of Outlook itself. Information for these emails is stored only in that specific user’s mailbox. Cortana data is never reviewed by humans unless specifically requested by the person who owns that data. If the service isn’t helpful or continues to make you feel unnerved, it’s easy to unsubscribe from the emails, and even turn off Cortana’s search assistance in other aspects of your Microsoft account.

Regardless of what email service you use for personal or enterprise use, make sure that passwords meet best practices. Check Have I Been Pwned to see if previous (or current) accounts and passwords have been disclosed in any data breaches. Use different passwords for different email accounts, and don’t use those same passwords on other accounts or services.

Social Media

Facebook

Facebook is an incredible example of the sheer amount of data we hand over in exchange for free services. It is somewhat unique in the massive scope and importance Facebook places on finding new ways to gather and profit from your data.

The most basic setting you should consider is whether your profile is public or “friends only.” Who can post on your wall, tag you, search for you, or add you as a friend? Once you lock down your account, or at least proceed knowing what these settings are, it is time to set aside an hour or so to really dive into Facebook’s settings and marvel at the apps and sites you’ve (often unknowingly) given access to, the profile of information Facebook has gathered on you based on your activity, and the browser data Facebook collects while you’re logged in.

Explore your Settings & Privacy, and drill down into each aspect, including Ads shown off Facebook and the tracking of your Off Facebook history. Consider designating a Legacy Contact—someone who will gain control of your account if something happens to you.

There are a lot of options to explore, and your decisions about these options will differ from everyone else’s, but do take the time to review them.

Other Platforms

What information is required just to sign up? Has the platform had data breaches in the past? If paid, what organization is receiving your money? If free, what data and tracking are you giving away in exchange for using the service? Can you adjust who can see the content you post? In the Terms of Service, does the platform reveal that they claim ownership of everything posted there?

Browsers

It is a good idea to know how much history and website data your browser holds at any given time. Using Private Browsing, Incognito, or similar private windows can help to control the flow of information, and each browser offers some degree of control over what data and how much of it is saved.

Safari

The Privacy & Security section has an option to prevent cross-site tracking, which will prevent those annoying re-marketing ads from sites you visit but don’t buy from. Help yourself identify shady websites by turning on Fraudulent Website Warning.

Chrome

Your Chrome browser is most likely tied to your Google account. One benefit is that all of the tracking, ad settings, and user profile data is in one place. However, Google, Gmail, and Chrome default to a significant number of trackers, build detailed user profiles, and allow for tailored ads. With settings reviewed and extensions restricted, Chrome can be a powerful and safe browser for those watching their digital footprint, but out of the box it probably knows more about you than you’d like.

Edge & Firefox

These browsers come with default settings that block many trackers and ads, making them recommended by many security professionals.

Other Browsers

Many of the less popular (in terms of sheer number of users) browsers do offer a stricter, more security-conscious approach to browsing the web. Always take the time to review the privacy and security settings for whichever browser you use, whether on your computer or mobile device, and whether for casual or professional use.

Advertising & Other Tips

Adblockers

Adding an ad-blocking extension is the only way to truly eliminate advertising in your digital life, but you should know that it can reduce functionality for some sites. Many sites cover costs with advertising, and may not be accessible while an adblocker is in use. Be careful to use known and trusted developers when choosing these extensions. Malware can come disguised as legitimate plugins and extensions. Even if the program isn’t malware, you are still allowing any extension you add to view your data. You may be giving up some privacy in exchange for the service, so weigh the benefits before adding an adblocker.

Trackers

Safari, Firefox, and Brave browsers all alert users when websites are using trackers. Some trackers are used to boost web performance. Others are intended for serving ads and could even be seen as invasive depending on how you feel about privacy.

Search for Yourself

While you are taking control of the information that browsers, email clients, and trackers gather about you, it’s important that you don’t forget about the information you share willingly, now or in the past. In a variety of search engines, take a moment to search for your name, any previous names or aliases, and even details like your phone number or address. Seeing the amount of detailed information available publicly online—much of which you didn’t choose to share—can be frustrating.

If searches result in expired accounts, regain access and modify or delete the account. If a search reveals information that you want deleted—perhaps a youthful blunder or something you wrote that you no longer believe—you can query the hosting site and ask for removal. This can have mixed results, or often none at all, so when you spot something you can’t get rid of, focus on providing real and accurate information where you can. Update your LinkedIn profile, or create a simple website that identifies who you are and what you stand for. Don’t address or bring up other less flattering search results unless asked directly about them.

In the worst-case scenario, something pervasive is muddling your entire digital footprint. In this case, using a reputation or deletion service is understandable, but still may not be able to provide perfect results.

The Bottom Line

Shoshana Zuboff, author of The Age of Surveillance Capitalism, identifies people, and our behavior, as the fodder tech feeds on.

“Businesses want to know whether to sell us a mortgage, insurance, what to charge us, do we drive safely? They want to know the maximum they can extract from us in an exchange. They want to know how we will behave in order to know how to best intervene in our behaviour,” she says, in an interview with The Guardian.

Users of technology, social media, and Internet of Things devices need to understand that, while our digital footprint can be adjusted, our data is, according to Zuboff, the primary currency.

Does this mean that you need to throw away your phone, your Fitbit, your computer in order to maintain your privacy? That is going to depend on the way you feel about the exchange of data for service.

The push and pull of privacy vs. convenience and connection is not going away any time soon.

Overall, the process of managing your digital footprint can be time consuming, and even costly, especially if you are starting the process for the first time. For the majority of users, the quicker process of toggling settings and hitting unsubscribe may be enough to satisfy the privacy itch until the next update or news story. But for the truly security conscious, it may be worthwhile to contact your IT support provider for additional tips specific to your situation.

If you’re looking for additional guides about your digital footprint, check out

  • My Digital Footprint
  • How to Erase Your Digital Footprint
  • iPhone Privacy: 2021 Edition

Learn: How to Reduce Risk and Secure Your IoT Devices

December 2, 2020/in Data Security, How To, Technology Alert /by Marcia Spicer

Internet of Things (IoT) devices provide a service to the user, but also provide a glut of information for developers. Developers state that the information collected is a tool for honing services and enhancing user experience, but this information is also worth a lot of money to them for ad targeting and consumer behavior patterns.

Learn How to Make Smart Investments in IoT

A New Browser from Microsoft

April 22, 2020/in Data Security, News, Technology Alert /by Marcia Spicer

Here’s what might make it worth the download.

Since Internet Explorer hit peak saturation in 2003 with 95% of market share, Microsoft has been in a bit of a browser rut. Mozilla Firefox usage hit its peak in 2009, and the other major competitor, Google Chrome, is the current favorite with 69% of market share as of December 2019. But Microsoft’s new Edge browser could stand to upset that balance.

Built on open-source Chromium (originally developed by Google for their Chrome browser, and also a base for Opera), the new Edge, released January 15, 2020, offers almost all of the benefits of Chrome, as well as a few additional features.

Initial user feedback is in, and the new Edge could be a game changer in the browser wars.

What Makes Edge Chromium Stand Out?

Speedy and Resource Efficient: Though Edge is built on the same open source code as Google Chrome, its speed is significantly faster, even with multiple active tabs. It uses less RAM than the notoriously resource-hungry Chrome. For users maximizing efficiency and speed, the new Edge could make a difference in workflow. Browsing the web shouldn’t slow down other functions, and Edge makes that absolutely clear. Even the initial setup (with a profile imported from Microsoft or another browser) is almost instantaneous.

Built-In Security: Microsoft has developed a new feature called SmartScreen to aid in protecting users from reported phishing and malware websites. The new Edge comes with SmartScreen enabled, which displays a warning when users try to navigate to dangerous sites or download suspicious files.

Privacy as a Rule: Have you ever visited a website and then been bombarded with ads for their services on every other site you visit in that session? Trackers make these remarketed ads possible, and the new Microsoft Edge is designed to block them. Trackers capture information about users and how they interact with sites. They then relay that information to the site, connect it to social media accounts, and loop in ad servers. Users can select their level of protection, but all levels also block harmful trackers, like those involved in cryptojacking. While Firefox already offers this service, Chrome does not.

With such a focus on privacy, it’s no surprise that Edge meets the new industry standard with their InPrivate windows offering the same functionality as Incognito in Chrome or Private Window in Firefox. Edge also comes with pop-ups, redirects, and ads all blocked as the default.

Compatibility: Edge offers IT administrators integrations with Azure Active Directory and Office 365. Granular control over updates and group policy objects lets them customize the browser for business needs. This feature, if fully utilized, could enable users to search internal company servers through their Edge browser instead of Windows Explorer.

Extensions: In addition to the growing library of Edge-specific extensions in the Microsoft store, Edge also works smoothly with most, if not all, existing Google Chrome extensions. Users focused on privacy and security can add another layer of protection to those already built into Edge.

Applications: When run on Windows 10, the new Edge provides the option for users to run websites as apps. Once set up, these apps are accessible through the taskbar or as desktop icons, and they cut down on running multiple tabs within the browser. This feature is especially useful with sites that a user might want to keep running all day, like Twitter or a time tracking application.

For users tied heavily to Windows OS and other Microsoft services, Edge adds functionality without adding load time and RAM. Microsoft does warn that Chrome users who integrate with Gmail may experience some incompatibility in the new Edge landscape; however, users overwhelmingly report that this hasn’t been an issue. Ultimately, the use of one browser over another often comes down to preference, but there are no major flags that should prevent users from including Microsoft Edge among their options.

Need help choosing a browser to roll out for your employees or finding which privacy features will best enhance your work? Contact the technology experts at Anderson Technologies at 314-394-3001 or info@andersontech.com with all of your questions!


Working from Home Due to COVID-19: Keep Your Company Data Protected

March 19, 2020/in Data Security, Managed Services, News /by Marcia Spicer

Over the past weeks, we’ve worked with many of you to add or increase your work-from-home capabilities as a result of the COVID-19 pandemic. This move not only helps keep our coworkers safe but also our families and the greater community. As our team burns the midnight oil to do our part, our thoughts and prayers go out to everyone affected by this international crisis.

To better assist your work-from-home goals, please be mindful of the dangers of and best practices for remote work.

While social distancing is critical, we must also recognize the risks a remote workforce poses and be vigilant to keep our systems secure. Remote work immediately increases the vulnerability of your company’s cyber security. Suddenly, we’re no longer at one office location with multi-layered security measures in place. Our attack surface is exponentially spread into homes that aren’t equipped with enterprise-grade firewalls and onto personal computers that may already be compromised (studies estimate that 1/3 to 1/2 of home machines are).

COVID-19 Scams

Taking advantage of the interest and coverage of COVID-19, cyber criminals are using new tactics in their phishing and malware attacks. Fake coronavirus websites, often with legitimate information from trusted sources, are being created to spread malware. New phishing emails and clickbait links using similar messages are also spreading. Do not trust COVID-19-themed emails, even if they appear to come from governmental sources. If you receive one and think the information may be worth clicking, go instead to the organization’s website. Any official, legitimate updates will be included there.

Avoid falling victim to one of these scams. Follow basic phishing prevention as we’ve explained in our learn page and phishing quiz, and always go to official government sites for coronavirus information.

  • Centers for Disease Control Coronavirus Information
  • Interim Guidance for Businesses and Employers

As with all phishing attempts, never open attachments or links in unsolicited emails. If you know the person who sent it, confirm with them that the email is legitimate first, preferably by means other than email as responses can be faked. When searching for coronavirus information, hover over the link before you click and make sure the URL matches the source it appears to be in search results.

Maintaining Confidentiality

Working from home presents unique challenges to the privacy of your work, but your company’s confidentiality policies and contracts remain in effect no matter where you are. This is especially important if you are subject to HIPAA or other governmental regulations. Keep up to date with all regulatory changes made to accommodate the novel coronavirus situation.

  • SEC Coronavirus COVID-19 Response
  • Health and Human Services Coronavirus News

There are measures all remote workers should follow to protect the confidentiality and security of their work space while in a home environment.

  • Always lock your screens when you step away from the computer to keep curious children (or pets) from wreaking unintentional havoc.
  • Work in your own room or create a space away from other members of your household. The space should be isolated enough to avoid onlookers and to conduct work conversations without being easily overheard.
  • When using a company-owned device, keep it locked or turned off whenever you are not with it, and never allow others in your home to use it for any reason.
  • If using a personal device for work, create a separate, password-protected user profile to access company data from. Do not allow others to use this profile.
  • Keep any work papers or confidential information in a safe, preferably locked, place.

Home Network Performance

Home networks, including your internet service, are typically not as reliable as your office IT systems. With the additional load of millions of users across the nation trying to do the same things you are, you will likely face performance issues when working from home. Since home internet often isn’t as fast as your work connection, video conferencing may flake out and remote connections to your office network or devices may lag. The more people taxing your internet with activities such as online learning, streaming, gaming, or video chatting, the more likely you are to have performance issues.

Due to the increased need for high-speed internet to accommodate the sudden influx of both home-based work and schooling, some internet service providers (ISPs) are offering additional speeds for those with no or limited internet access at no extra cost. Others are removing data caps and related fees for those on fixed data plans. If you think you might qualify, contact your ISP for more information.

Home Network Security

Performance isn’t the only potential issue with a home network. Security is a big concern when connecting to the office network from home. Besides the obvious security measures such as having patched, up-to-date computers with strong anti-virus/anti-malware protections, here are a few more tips to securing your home network.

  • Update router firmware if needed.
  • Make sure Wi-Fi uses WPA2 or higher encryption with a strong password (not the default).
  • Update firmware on all IoT (Internet of Things) devices such as smart thermostats and cameras. IoT devices are often more vulnerable to attack and have been used to infect home networks.
  • Never use default passwords on any internet-connected device.
  • Remove or deactivate all browser extensions not necessary for work. They might seem helpful, but many have tracking embedded in them and some are vehicles for malicious code.
  • Use multi-factor authentication (MFA) whenever available.

Training & Communication

While knowing how to spot phishing and social engineering attacks is essential to network safety, that’s not the only kind of training those who work from home should receive.

Review relevant security and office policies and ensure that you know who to contact if an issue arises. What problems can be resolved by office staff or a coworker, and what problems need to go to IT experts? Work efficiency will suffer if you continually contact the wrong people to resolve your problem. Consider partnering with another team member to check in about potential suspicious activity or emails before reaching out to an IT professional. You may not be alone in experiencing an issue or threat.


We’re already taxing our systems and IT personnel; don’t give criminals the edge. Be even more vigilant at home. It’s easy to become relaxed in your own space, but those with malicious intent are also working overtime to capitalize on our situation.


The Ultimate Guide to Secure Remote Work [Updated for 2020]

March 12, 2020/in Data Security, How To /by Marcia Spicer

With the coronavirus in the news, more businesses than ever are considering whether telework is a viable option for their company and employees. But with new cyber threats and data breaches constantly reported, business owners have to ask themselves,

How do I maintain my cyber security when my employees work remotely?

Whether you have one employee working on a mobile device while on a business trip or your entire staff telecommuting from home, your cyber security shouldn’t be sacrificed for convenience. By understanding your options and working with a quality IT services provider, you can safely navigate the cyber world and keep your business protected.


Cyber Security and Telework

Maintaining your cyber security while allowing your employees to work remotely can be a challenge, but it can be accomplished with minimal risk if you plan ahead and choose the right options for your business. If you don’t expect someone to infiltrate your network, you won’t be protected when someone tries. Always prepare for the worst-case scenario.

“Assume that communications on external networks, which are outside the organization’s control, are susceptible to eavesdropping, interception, and modification.”—Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST 800-46r2)

How Do You Prepare for Telework?

Start by choosing the best telework option for your business’s needs and budget. There are four basic ways to secure your network while allowing remote access to employees.

  1. VPN Gateway: Virtual Private Network (VPN) gateways create secure access from the employee device to the VPN gateway and onward to your internal network. In this way, your enterprise-level cyber security measures are extended to the VPN, which acts as a secure tunnel for employees to work through. Some VPN gateways can even extend your business’s firewall rules to the employee computer no matter where they are working through the use of a portable device—a great advantage when travelling on business. VPN gateways offer several great telework features, but while communication is protected through a VPN gateway, the employee’s computer could still be at risk of transmitting infected data if the computer itself is compromised. VPN gateways should only be used in conjunction with properly configured, company-owned hardware to maintain high security standards and minimize the risk to the internal network.
  2. Portals: In this method, telework employees access company data and applications through a browser-based webpage or virtual desktop. All applications and data are stored on the portal’s server and cannot be downloaded or saved on an employee’s device without permission. This is a good way to keep control over who is accessing your data and how it is used. The danger with portals depends on what permissions the employee has while accessing the portal. If the portal allows an employee to access other areas of the internet while connected, it could provide an unintended avenue for criminals to access your network. It’s safer to restrict employees’ access to other programs while the portal is in use. The more access an employee has, the less secure the connection becomes.
  3. Remote Computer Access Service: Remote computer access services allow an employee to remotely control a computer physically located at your business via an intermediate server or third-party software. When the two computers are connected, applications and data remain on your office computer, and your network’s cyber security measures are enforced. Your remote device acts as a display for the work performed on your office machine. Due to the direct access, remote desktop connection is considered high risk in cyber security terms. Proper configuration is critical. When set up correctly, communication between the two computers is encrypted to protect the data, but that same encryption also hides the traffic from the organization’s firewalls and threat detection. No matter how good your cyber security measures are, if the employee’s home computer doesn’t have the same protections as the office workstations, malicious data can slip into your network unnoticed during a remote desktop connection.
  4. Direct Application Access: Direct application access is probably the lowest risk to your cyber security measures out of all the remote access methods because it is best used only with low-risk applications. In this method, employees can remote into a single application, usually located on the perimeter of your network, such as webmail. The employee doesn’t have access to the entire network, allowing them to work on select applications without exposing your internal network to danger. Though there is much less danger posed by direct application access, it generally doesn’t allow for extensive work to be done. There is very little connection to data on your network, and little ability to take data to another application if needed. It is best used when traveling or on a mobile device where complete access to the network is not necessary.

The type of telework you offer may also depend on governmental regulations requiring a certain level of security. Those working in the healthcare sector should consult with their HIPAA Security Officer to make sure any telework is performed according to HIPAA guidelines.

Using company-owned and maintained hardware is the best option when working from home or on the go. Properly maintained company laptops reduce the risk of unpatched or out-of-date software connecting to your network and often have more robust anti-virus/anti-malware protections than personal computers.

For many small and medium businesses (SMBs), though, providing all employees with company devices is not financially feasible or practical, especially if the need for remote work is temporary. The best choice for SMBs is either establishing a site-to-site VPN connection or using a secure remote desktop service to connect to their office computer. SMBs should be aware of and willing to accept the added cyber security risks of using personal devices before implementing this type of work-from-home policy.

Are you looking for a partner in implementing work from home for your small business or organization? Contact Anderson Technologies today for a free cyber security audit or to start the consultation process!

Mobile Devices

Telework isn’t the only way employees access your network. Mobile devices have become ubiquitous for work on the go, but if you fail to protect these devices, your business and clients may suffer. There are basic security recommendations for securing any mobile device, including thorough employee training in cyber security, strong encryption, keeping software up to date, and supplementing your security with third-party anti-malware/anti-virus software. While these fundamental methods keep the average device secure, if you’re dealing with sensitive or confidential data on your network you may need additional safeguards.

“Given the similarity between the functions of mobile devices, particularly as they become more advanced, and PCs, organizations should strongly consider treating them similar to, or the same as, PCs.”—Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST 800-46r2)

NIST’s Guide to Enterprise Telework offers detailed suggestions for protecting any business when it comes to mobile and telework access, including:

  • Turning off networking capabilities (such as Bluetooth) when not necessary for work.
  • Turning on personal firewalls, if available.
  • Requiring multi-factor authentication before accessing your business’s network.
  • Restricting other applications allowed on the device.

Since loss or theft of hardware is far more likely with mobile devices, it is beneficial to use a mobile device management (MDM) solution to maintain control of a mobile device in case of theft or accidental loss. With an MDM, you can locate, lock, or remotely destroy any data on the mobile device. This way your sensitive information won’t fall into the wrong hands, even if the device itself can’t be recovered.

Best Practices for Maintaining Cyber Security

Regardless of the type of remote access you decide on, there are a number of opportunities to shore up your cyber security defenses:

  • Establish a separate, external network dedicated solely to remote access. If something does infect the server, it won’t spread to other parts of your network.
  • Establish a site-to-site VPN connection or use a secure remote service.
  • Use encryption, multi-factor authentication, and session locking to protect your data.
  • Keep your hardware and software patched and updated, including your employees’ remote computers.
  • Enforce strong password policies and have employees use a password manager.
  • Set up session timeouts on all teleworking connections and automatic screen locks on all computers.
  • Manually configure employee computer firewalls and anti-malware/anti-virus software.
  • Add additional security authentication layers to company data on mobile devices.
  • Set up restrictions to keep unknown or unnecessary browser extensions from being installed. Many have tracking codes the user doesn’t know about, while others are used to spread malware. Stick with trusted and needed browser extensions only.
  • If possible, physically secure computers with locking cables in any untrustworthy place, such as hotels or conference areas.
  • Consider providing company-owned devices for employees to use that can be maintained and secured by in-house IT staff or your MSP.
  • Consider endpoint detection and response (EDR) or remote access logging to monitor what is happening on your IT systems.

“Regardless of how many security protections are used, it is simply impossible to provide 100 percent protection against attacks because of the complexity of computing. A more realistic goal is to use security protections to give attackers as few opportunities as feasible to gain access to a device or to damage the device’s software or information.”—User’s Guide to Telework and Bring Your Own Device (BYOD) Security (NIST 800-114r1)

Privileges, Privileges, Privileges!

No telework operation should ignore the danger of not setting the correct privileges for employees working from home. This step is essential to maintaining a secure, partitioned IT environment.

Implementing accurate and reasonable privileges provides two major benefits to your company.

  1. It keeps employees from accessing data or programs that they shouldn’t have access to.
  2. It keeps cyber criminals from infiltrating your entire network through a single compromised machine or account.

There is no reason a sales rep needs the same access to your company data as the CEO, so why would you give them unrestricted access? Job-specific privileges keep company data safe from insider infiltration while providing each employee with the tools and data necessary to complete their work. The Zero Trust IT model utilizes segmented permissions as the core tenet of its security architecture.

When creating user privileges, keep in mind:

  • Never allow users admin access. The only people who should have admin access to your systems are the IT personnel who maintain them, and even then, they should use an admin account only when performing work requiring it. All users should have a standard, limited user account that cannot alter system settings or privileges. This is especially important when employees work from home on their personal computers. Without the security of an enterprise hardware firewall and business-grade cyber security protections, employees’ personal computers are at a higher risk of being compromised. If their computer is infected and they have admin-level access, cyber criminals can use that unrestricted access to infiltrate your entire system, change permissions, and steal or encrypt data for ransom.
  • Need-to-know access only. It takes a bit of technical know-how to set up appropriate user access privileges, but it’s worth the effort. Besides keeping data secure within the company, segmentation of privileges also means that if a computer is infected with malware or an employee account is compromised, the access cyber criminals have to your company and its data remains limited.
  • Use multi-factor authentication. It’s not enough to limit permissions; you also need to verify that the person signing in is who they say they are. A quick visit to Have I Been Pwned will show how many accounts are already compromised. Multi-factor authentication prevents a compromised password alone from giving cyber criminals access to your systems. While security tokens and third-party authenticator apps like YubiKey or Google Authenticator are preferred, any type of multi-factor authentication (email, SMS) is better than no second factor at all.

Training

Employees need to know more than just how to use the telework programs. Train your employees on cyber security before they go home to work. This is especially crucial if they use their personal computers to telecommute.

Employees should know how to spot and respond to unusual computer activity, which can be an indicator that malware is present. They should also be prepared for phishing and social engineering attempts to gain user account access. Train them on who to contact for IT support and how to verify the person asking for access to their computer is the correct person.

Your employees’ home computers will be the weakest link in your cyber security, so verify they know how to keep their computer safe and how to securely access your systems. Doing so protects them and your business from malicious actors.


Telework comes with risks, but with strong security policies and the right cyber security in place, it is worth the investment. A good managed IT services partner can walk you through the process and make sure your business is safe and productive anywhere. For help setting up a telework network, contact the experts at Anderson Technologies by email at info@andersontech.com or by phone at 314.394.3001.

Looking for more guidance on how to keep your work from home systems secure? We’ve got some essential tips on a new blog post, “Working from Home Due to COVID-19: Keep Your Company Data Protected.”


Ransomware as a Service: When Criminals Mimic Corporations

February 20, 2020/in Data Security, Technology Alert /by Marcia Spicer

When you imagine cyber criminals planning ways to infect hundreds of thousands of computers, you probably don’t picture sophisticated marketing operations and software licensing, but you’d be surprised. The black market on the Dark Web is much like any other online store where you purchase goods, only its products are more nefarious. Cyber criminals copy the techniques used by corporations to increase profits by authoring and distributing ransomware-as-a-service (RaaS). RaaS enables less tech-savvy cyber criminals to quickly set up shop, and often includes “customer support,” easy-to-use dashboards, and guides on how to most effectively distribute ransomware onto victims’ machines.

The RaaS Business Model

This is not a recent development. RaaS has been used since 2016, and has proved to be a lasting business model for cyber criminal organizations. These organizations utilize modern marketing and corporate strategies to get their “customers” to choose their ransomware services over other offerings on the Dark Web.

How Does RaaS Work?

In a traditional software business model, a user pays a one-time fee to buy a license for a specific version of the software outright. There are no other costs throughout the life of the software, but if the user wants to upgrade to a newer version, the software must be purchased again. But being required to buy each new version that’s released can be financially impossible for some consumers. That’s where software-as-a-service (SaaS) comes in.

With SaaS, the user can “rent” the software for a monthly fee, giving the user the most current version of the software at a greatly reduced upfront cost. But unlike traditional software purchasing, if the user ends their subscription, they lose access to the software.

On the Dark Web, RaaS utilizes both these business models. Instead of a bad actor authoring and distributing their own ransomware onto victims’ computers, cyber criminals pay for someone else’s ransomware strain. This allows even those who don’t have the skills necessary to create their own ransomware strain to enter the ransomware market.

This arrangement is beneficial to the author of the ransomware, as well. In addition to the subscription price, the author often gets a cut of each ransom paid. The more subscribers who buy and distribute their ransomware, the more money the author makes without needing to infect a single computer themselves.

This is where RaaS mimics legitimate businesses. Some ransomware authors sell licenses using the traditional software business model. When a cyber criminal buys the ransomware license, they are free to use it as much as they want. Other ransomware authors have adopted the modern subscription model of SaaS. As a subscription, buyers have to continue to pay monthly or by number of infected computers. In return, the ransomware they “rent” receives updates and continued support from the author. To entice cyber criminals to choose their strain, some authors will offer discounts or adjust their cut of the ransom. Some even provide tutorials and customer support to buyers to help with distribution.

Ransomware Finds New Ways to Make Victims Pay Up

The authors of ransomware strains aren’t the only ones offering customer support. For several years now, criminal organizations spreading ransomware have provided customer support representatives to facilitate payments, such as helping victims buy bitcoin or walking them through the payment process. Sometimes these customer support reps even lower the ransom for victims unable to pay the requested amount.

While offering customer service may seem absurd for a criminal enterprise, the newest extortion method fits right in. The threat of ransomware includes not only the loss of data but also the weaponization of that data by bad actors. Until now, the risks associated with not paying the ransom have been limited to criminals farming the encrypted data for credentials or losing the data altogether. Now a new type of extortion is threatening to come to the forefront.

To thwart the growing number of businesses taking cyber security seriously and ensuring they have reliable backups in case of a ransomware attack, cyber criminals now threaten to release the unencrypted data they steal if the businesses choose not to pay the ransom. Those behind the Maze ransomware strain have a public website listing the names of businesses they’ve infected, as well as details about the attack and documents stolen from infected systems. The Allied Universal data breach and release was Maze’s first victim to be publicly exposed in this way.

What Can You Do?

When it’s not only loss of data but release of data that is the danger, the usual mantra of “back up your data” doesn’t cut it anymore. With this evolving threat landscape, prevention is the key to security.

In addition to basic security measures that all businesses should implement, intrusion detection is essential to modern cyber security. Bad actors are often in compromised systems for days or weeks before the actual ransomware attack happens. They can search files, disable security measures, corrupt backup systems, and more to make the business as vulnerable as possible. Identifying the problem when the intrusion first happens could save not only your money but your data and reputation as well.

Other precautions include encrypting all sensitive data so hackers can’t read it, having strong user access controls and passwords, and restricting administrator access to necessary IT personnel. This limits the amount of data criminals can access if they were to penetrate your systems.

Most of all, train your employees how to identify phishing methods and signs their computer may be compromised. Employees are the front line of defense against infection. Make sure everyone is trained at least annually to stay up to date with new ransomware strategies so that they and you don’t become unwilling customers of the ransomware business model.


If you need help shoring up your defenses against ransomware or need employee training, contact Anderson Technologies today!


HIPAA Part 6: Plan for the Worst

June 4, 2019/in Data Security, How To /by Marcia Spicer

No one likes to think they’ll suffer a disaster, a ransomware attack, or a data breach, but hope isn’t enough to satisfy HIPAA. The question is no longer if something will happen, but when. HIPAA expects you to plan, prepare, test, and be ready for anything that could disrupt the confidentiality, integrity, or availability of your ePHI and affect patient care.

In this installment of our HIPAA series, we’re going to look at the different kinds of disaster planning HIPAA requires and the importance of knowing how to implement them.

Security standard §164.308(a)(7): Contingency Plan is an umbrella term for a number of more specific plans that are meant to ensure the availability, integrity, and confidentiality of ePHI in the event of a disaster or other major security incident. While the Security Rule doesn’t explicitly require you to include other parts of your business, non-electronic PHI is still covered by the Privacy Rule, and most cyber security insurance plans require some degree of business contingency planning.

First Things First

Before you can start making plans to keep your business going during and after a disaster or cyber security incident, you first need to know what parts of your business, hardware, software, and data are critical to operations and security. HIPAA requires this in implementation specification §164.308(a)(7)(ii)(E): Applications and Data Criticality Analysis. But don’t let its position after the contingency plans fool you. This needs to be done first and foremost.

Even though §164.308(a)(7) only references assessing “specific applications and data,” if you are implementing business-wide contingency plans, you’ll want to go through all your daily operations and vital processes to determine what you can’t do a day’s worth of business without and what you could leave for when your world is no longer upside down. Without this information, you won’t be able to create the plans necessary to fulfill the following implementation specifications.

The Big Four

One thing to remember about the plans listed below is that they don’t have to be completely isolated from each other. You might find combining pieces together (such as lists of vendors, hardware, software, etc.) is more practical than listing them in each plan separately. What’s important is that employees are trained, know what they are responsible for, and where to access this information in an emergency situation. There’s no use making a plan if no one uses it.

“Following standardized responses should minimize errors, particularly those that might be caused by stressful incident handling situations.”—NIST SP 800-61r2 Computer Security Incident Handling Guide

  1. §164.308(a)(7)(ii)(A): Data Backup Plan

What does it do? Your data backup plan is one of your most vital recovery plans. It provides you with assurances of data integrity and availability in emergency situations. For healthcare facilities directly caring for patients, data loss or network failure could mean the inability to treat patients. All ePHI must be backed up, preferably in a place that won’t suffer the same disaster as your facility, such as in cloud storage or in a separate secure location.

Your data backup plan should include who is responsible for maintaining the backups, verifying all data is being backed up, testing that backups can be retrieved, and who to contact when backups are needed.

When does it go into effect? You should make this a priority. Your data backup plan needs to be up and running before an emergency strikes. 

A data backup plan is also one of the best defenses against ransomware. Read more about that here!

  2. §164.308(a)(7)(ii)(B): Disaster Recovery Plan

What does it do? The complexity of a disaster recovery plan depends on how much of your business you choose to include. §164.308(a)(7)(ii)(B) specifies you must “establish (and implement as needed) procedures to restore any loss of data.” More comprehensive business-wide plans would include other data vital to the company that isn’t specifically ePHI.

A disaster recovery plan should include the hardware, software, backups, environment, vendors, business associates, etc., necessary to recover data lost in a disaster or cyber security incident. It also covers the people responsible for coordinating and performing all disaster recovery efforts. Employees assigned in this plan should be trained and ready to fulfill their duties in the event of a disaster.

When does it go into effect? A disaster recovery plan helps you recover lost data and infrastructure after a disaster or cyber security incident has occurred. 

  3. §164.308(a)(7)(ii)(C): Emergency Mode Operation Plan

What does it do? This plan could also be called a continuity of operations plan. Its intent is to keep your business or facility operating at a level necessary to ensure patient safety and ePHI security the moment a disaster hits. Downtime can not only cost a lot of money, but can be detrimental to facilities actively caring for patients.

By having the procedures in place for any number of emergency situations, employees can react immediately, know who to contact, how to bring critical business processes back online, and maintain the necessary security and privacy standards required by HIPAA. A good emergency mode operations plan should have contact names, numbers, first response expectations, and anything else an employee would need to recover critical operations in the first 12-36 hours.

More than the other plans, having done a thorough and accurate criticality analysis is vital to a successful emergency mode operation plan. You need to be aware of what you need to restore and in what order it needs to be restored to effectively continue with daily operations as best you can. Failure to do a proper criticality analysis can waste time and resources by focusing recovery efforts on functions that aren’t immediately necessary.

When does it go into effect? An emergency mode operations plan should be implemented during a disaster to keep the business going, and, in the case of healthcare facilities, to keep patients safe and cared for appropriately. 

  4. Business Continuity

What does it do? You’ll notice that there is no implementation specification that goes along with this plan. The Security Rule doesn’t specifically require a business continuity plan, but it can be a useful addition to a set of contingency plans.

While the other plans all focus on what happens during or immediately after an emergency situation to keep your business running, a business continuity plan focuses on getting you back to where you were before the disaster. What are the lower priority vendors or clients that you might have missed contacting already? Do you know all the hardware and software that needs to be replaced or recovered? Think of it as the long-haul plan that doesn’t let you forget about the little things. Disasters are stressful, and a good business continuity plan can keep you on track through the mental fatigue that can set in after a disaster.

When does it go into effect? Business continuity plans help you bring your entire business back to normal day-to-day operations after a disaster occurs and the crisis period is over.

Incident Response

There are many different kinds of cyber security incidents that could affect your business. While all incidents are major problems when they occur, you may not require the full emergency responses planned out above. In these cases, individual plans geared directly to cyber problems can be useful tools.

Depending on your risk, you may want more than the two plans below, but if you’re covered by HIPAA, these are important ones to include with your disaster management plans. The better prepared you are for an incident, the safer you can make your data and the faster you can recover from an attack.

“Companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days. Similarly, companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve.”—2018 Cost of a Data Breach Study, Ponemon Institute (emphasis added)

  1. Data Breach Response Plan

While a breach is any impermissible use or disclosure of PHI, a data breach response plan focuses on ePHI specifically. It lays out how to secure your systems after a breach, who to contact if you need more support, what to do once the threat is identified and fixed, and who must be notified of a breach of ePHI or other personally identifiable information (PII). (Remember, exposure of properly encrypted data isn’t a reportable breach.) The FTC has a good outline for what to incorporate into your data breach response plan, and the HHS thoroughly explains all the requirements of a breach under HIPAA.

  2. Ransomware Attack Response Plan

The criticality of care facilities combined with the black market price of ePHI makes the healthcare industry a prime target for ransomware and other cyber attacks. And like most cyber attacks, ransomware deals two-fold damage, from the recovery itself to the subsequent breach notifications that must follow. (Remember, unless you can prove that ePHI has not been accessed due to safeguards in place, it’s a breach. For more on Ransomware and HIPAA, see the HHS’s Fact Sheet.)

A ransomware attack response plan sets up the procedures your employees should follow in the event of a ransomware attack, such as steps to quarantine an infected machine, who to contact, and what not to do. It should also have procedures for technicians and management for how to secure the network, purge the system, recover lost data (per the data backup plan), and notify required parties. Also include the contact information of the law enforcement agency to which the attack should be reported, whether that is local, state, or federal. (For more information see the Department of Justice’s guide, “How to Protect Your Networks from Ransomware.”)

Test! Test! Test!

Most important of all, you need to test your contingency plans routinely and make sure all your employees are trained and know where to find the plan in emergency conditions. A plan no one knows about or can find is a plan that won’t be implemented. Besides, HIPAA requires it.

So make contingency plans part of your annual and new hire training. Make sure all your employees can find the plans and know what they are responsible for. Make sure everyone knows who’s in charge during emergency situations so that plans can be implemented fast and efficiently. It can save you time, money, and headaches when the worst happens.

If you need help implementing a cyber security incident response plan or training your employees in the best practices, contact Anderson Technologies at 314.394.3001 or by email at info@andersontech.com.

Don’t Hold the Door Open for Cyber Criminals

June 12, 2018/in Data Security, News /by Anderson Technologies

Here in St. Louis, you’re likely to hear people saying they’re heading to Bread Co. for lunch, even if Panera is the sign above the restaurant. That’s because to St. Louisans, Panera will always be Saint Louis Bread Company. But recently, residents were relieved the St. Louis name wasn’t attached to Panera’s recent cyber security blunder.

On April 2, Brian Krebs of security news website KrebsOnSecurity broke the story that customer data from Panera’s loyalty program—including names, email and physical addresses, birthdays, and the last four digits of credit card numbers—was available through an insecure API on their website. Worse yet, Panera had been notified about the defect eight months prior in August 2017 and did nothing to resolve the problem.

Cyber security researcher Dylan Houlihan found the flaw in Panera’s API and, after confirming the extent of the problem, contacted Panera’s cyber security team. He notes that reaching out to Panera was difficult as there was no information available for who to contact if security holes were found. Panera’s response was less than stellar. In Houlihan’s detailed account of their communication, Panera’s director of information security, Mike Gustavison, was suspicious of him, and after receiving proof of the problem, took several days to reply that they would work to resolve it.

Except they didn’t.

Every month, Houlihan checked to see if the flaw was fixed, only to see that customer data was still unprotected. Finally, in April 2018, he contacted Krebs to make the matter public and force Panera to respond. They did. Within two hours Panera claimed they patched the problem.

Except they hadn’t.

Krebs continued to monitor the website and found that, while the information was no longer accessible to the public, if a member logged into their free Panera account, they could still exploit the flaw. He also discovered that it extended to other parts of Panera’s business, such as the catering website.

After the negative media coverage, Panera took down its website and patched the problem properly. In a tweet following the incident, Krebs estimates that up to 37 million accounts could have been made public because of this flaw. While there is no evidence yet that malicious agents accessed the data, this was still a terrible security breach.
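The two stages of the Panera flaw described above, written as an added illustration (this is not Panera’s code or the article’s own): a loyalty-account lookup that first requires no login at all, then requires a login but still hands back any member’s record, beside a hardened version that also checks the caller is asking for their own record. All account ids, sessions and records are constructed sample data.

```javascript
// Constructed sample loyalty records; the ids are placeholders, not real ones.
const ACCOUNTS = {
  1001: { name: "Sample Customer A", email: "a@example.com", last4: "1111" },
  1002: { name: "Sample Customer B", email: "b@example.com", last4: "2222" },
};

// Stage 1 (as first reported): no authentication. Anyone who supplies an id
// gets that member's record.
function lookupNoAuth(requestedId) {
  return ACCOUNTS[requestedId] || null;
}

// Stage 2 (the "patched" state Krebs found): a logged-in session is required,
// but the server still trusts the id the client asks for, so any free account
// can read any other member's data.
function lookupAuthOnly(session, requestedId) {
  if (!session || !session.userId) return { status: 401 };
  return { status: 200, data: ACCOUNTS[requestedId] || null };
}

// Hardened: authentication AND object-level authorization. The record served
// is tied to the session, not to whatever id arrived in the request.
function lookupHardened(session, requestedId) {
  if (!session || !session.userId) return { status: 401 };
  // Compare as numbers so "1002" (from a query string) and 1002 match.
  if (Number(requestedId) !== Number(session.userId)) {
    // Deny without revealing whether the requested id even exists.
    return { status: 403 };
  }
  const record = ACCOUNTS[session.userId];
  return record ? { status: 200, data: record } : { status: 404 };
}
```

The same authorization step applies to every other endpoint that takes a record id, which is why the flaw also surfaced on the catering site.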

How Often Does This Really Happen?

It’s easy to lose the details in light of Panera’s poor response and subsequent inaction, but accidental data breaches from misconfigured hardware or software happen far more often than you might imagine.

  • March 6, 2017: River City Media left more than a billion email accounts exposed to the public, some with personal information. Also exposed were detailed records of their own illegal spamming activities. The problem—no password protection on the backups.
  • June 19, 2017: Deep Root Analytics left millions of Americans’ addresses, birthdays, phone numbers, and political views on a variety of topics open to the public. The problem—misconfigured user permission settings.
  • October 3, 2017: A National Credit Federation cloud storage bucket was found to be open to public access, revealing personal, credit, and financial information of tens of thousands of its customers. The problem—misconfigured user permission settings.
  • October 6, 2017: An Alteryx cloud storage bucket was found to be accessible to anyone with a free Amazon Web Services account. It exposed personal data, Experian marketing data, and US Census data for more than 123 million American households. The problem—misconfigured user permission settings.
  • April 9, 2018: A flaw similar to Panera’s was discovered in P. F. Chang’s rewards website. The problem—an insecure API.
  • April 23, 2018: After rebuilding their website following a ransomware attack, MEDantex’s new customer portal contained functions intended only for employees, including access to confidential patient records without authentication. The problem—a bug on the website.
  • May 17, 2018: LocationSmart’s demo feature was found to be able to track the location of almost any cell phone without the user’s consent. The problem—an insecure API.

What Does This Mean for a Small Business Owner?

These examples of private, financial, and personal information leaked unintentionally serve as a warning to all business owners. While there’s a sense of poetic justice that River City Media revealed their own criminal activities by forgetting to add a password, the truth is, not all data you could reveal belongs to other people. You can be a cyber threat to your own business.

Few businesses can run day to day without some amount of personal, customer, or vendor data stored either on their network or in cloud storage. The technicalities of properly configuring security for these electronic databases can be daunting, but even when things appear to be simplified for you, all it takes is one open port, one missing password, or one unsecured application for the door to your data to be left wide open.

This is why it’s vital for businesses to have their systems set up by IT professionals and to perform network security audits routinely to ensure both the hardware and the software are configured correctly. It’s not enough to simply hire an IT consultant once and assume your system is secure. Files get moved, employees are hired, and new hardware is installed—all leaving room for new settings to supersede old ones, or worse, be forgotten altogether. A network security audit performed at least annually gives you peace of mind that your cyber doors are tightly closed and locked.

What Should You Do to Protect Your Business?

While it’s crucial to know how to avoid opening the door to criminals, knowing how to respond to a breach is just as important. Here are a few simple steps you can take to avoid or address an accidental data breach.

  1. Hire IT professionals to set up all hardware and software. Your customers trust you to be the expert in your field, so trust the IT professionals to be the experts in theirs. Make sure all your hardware and software have been properly configured from the start.
  2. Perform annual network security audits. Just because you configured everything correctly doesn’t mean it will stay that way. Your business changes all the time, so it’s best to check the doors and windows before someone else notices they’re open.
  3. Know your hardware. Many business owners don’t realize what’s in their hardware closet. Can you point to your hardware firewall with confidence? Are you certain it’s the correct type for your business? Ask an IT professional to review your hardware with you so you understand what you need and how it works. Doing so will improve your ability to spot potential problems.
  4. Have a way people can contact you about problems they find. One lesson learned from the Panera breach is how important it is that people can contact you with problems they’ve noticed. Many security researchers who find flaws due to misconfiguration just want you to know about the issue so it can be resolved. Make sure they can get in touch. Larger companies should have separate contact information specifically for security issues to keep them from being lost with other routine technical issues customers might have.
  5. Respond quickly to any problems found. Don’t wait eight months or for public embarrassment to sound the alarm before responding to an accidental data breach. If you act swiftly, your data may still be kept safe. In many accidental breaches, the problem was found not by criminals but by cyber security researchers.

No company wants to find themselves in a situation like Panera’s, so make sure your network security is done right. If you’d like to learn more about configuring your systems or to schedule a network security audit, contact Anderson Technologies by phone at 314.394.3001 or by email at info@andersontech.com.
