13 Nov 2024

Dispelling Common VPN Myths

by | | 0

Virtual Private Networks (VPNs) have become essential tools for enhancing online privacy and security. However, with their increasing popularity, several misconceptions have arisen about what VPNs can and cannot do. Understanding these misconceptions is crucial for users to make informed decisions about using VPNs effectively.

Here are some of the most common myths debunked:

Myth 1: VPNs Provide Complete Anonymity – One of the biggest misconceptions is that VPNs offer complete anonymity online. While VPNs do an excellent job of hiding your IP address and encrypting your data, they are not foolproof. Other methods of tracking, such as browser fingerprinting or cookies, can still identify users. VPNs are one part of a larger privacy toolkit and should be used in conjunction with other privacy measures for better anonymity.

Myth 2: All VPNs Are the Same – Not all VPNs are created equal. There are significant differences in the levels of security, privacy policies, and features offered by various providers. Some may keep logs, offer different encryption standards, or have more robust server networks than others. It’s important to research and compare VPN providers before choosing one.

Myth 3: VPNs Can Make Your Internet Faster – Another common myth is that VPNs can increase internet speed. In reality, the encryption process and rerouting of traffic through VPN servers can sometimes slow down your connection. The impact on speed can vary based on the quality of the VPN service and the distance to the server.

Myth 4: VPNs Are Only for Tech-Savvy Users – VPNs are often thought to be complex and only suitable for advanced users. However, many VPN providers have made significant efforts to create user-friendly interfaces that make it easy for anyone to use their services, regardless of technical expertise.

Myth 5: Free VPNs Are Just as Good as Paid Ones – While free VPNs can be appealing, they often come with limitations such as data caps, slower speeds, and fewer servers. Moreover, some free VPNs may compromise your privacy by tracking your activities or displaying ads. Paid VPNs offer better security and features.

Myth 6: VPNs Are Only for Questionable Activities – There’s a misconception that VPNs are only used for hiding illegal activities. This is far from the truth. Many people use VPNs for legitimate reasons, such as protecting their privacy, securing their data on public Wi-Fi, for work, or accessing content restricted in their region.

Myth 7: VPNs Protect Against All Online Threats – VPNs are excellent for securing your data in transit, but they do not protect against all types of online threats. For instance, they cannot prevent phishing attacks or malware. It’s essential to use VPNs alongside other security measures like antivirus software and safe browsing practices.

Myth 8: VPNs Are Illegal – The legality of VPNs varies by country. In most places, using a VPN is perfectly legal, especially for protecting personal privacy and security. However, some countries have restrictions on VPN use, so it’s important to be aware of the laws in your location.

By understanding these common misconceptions, users can set realistic expectations and use VPNs more effectively as part of their online security strategy. Remember, a VPN is a valuable tool, but not a silver bullet for online privacy and security. It’s one component of a comprehensive approach to safeguarding your digital life.

12 common VPN myths bustedhttps://nordvpn.com/blog/myths-about-vpn/

Common VPN Myths Debunkedhttps://www.bitdefender.com/blog/hotforsecurity/common-vpn-myths-debunked/

30 Oct 2024

Choosing a VPN Service that Works for You

by | | 0

As you become more engaged online through social media, shopping, education, finance, healthcare, and other applications, and you are following the best practices we discussed in a prior blog to protect your information online, you may be considering using a Virtual Private Network (VPN).  A VPN helps encrypt your data, whether on your home network or using a public Wi-Fi connection, to keep your data safe. VPN products can offer a variety of services beyond encryption that may be helpful to you.

Some of the benefits of using a VPN when accessing online services and information are:

  • Enhanced Privacy and Security – VPNs encrypt your internet connection, making it difficult for hackers, ISPs, and even governments to track your online activities.
  • Remote Access – VPNs allow employees to access their company’s network remotely, enabling them to work from anywhere with an internet connection.
  • Safe Online Transactions – VPNs provide a secure environment for conducting sensitive transactions, such as online banking or shopping.
  • Anonymity – While not completely anonymous, VPNs can significantly reduce your digital footprint by hiding your IP address.

Although there are many benefits to using a VPN, there are some challenges and potential issues:

  • Potential Speed Reduction – The encryption process and server distance can sometimes slow down internet speeds, particularly with low-tier VPN services.
  • Legal and Regulatory Issues – VPNs are restricted or banned in some countries and using them could lead to legal consequences.
  • Compatibility and Complexity – Setting up a VPN can be complex for non-technical users, and compatibility issues may arise with certain devices or networks.
  • Reliability Concerns – Some VPNs may suffer from connection drops, which can interrupt services and cause frustration.
  • Trustworthiness of VPN Providers – Not all VPN services are created equal. Some may log and sell user data, negating the privacy benefits of using a VPN.

Now that you know the potential benefits and issues to using a VPN, here are things to consider when shopping for a VPN service:

  • Understand Your Needs – Before diving into the features of various VPN providers, it’s essential to understand what you need from a VPN. Are you looking to enhance your privacy, hide your location, or secure your data on public Wi-Fi? Your priorities will influence which features are most important to you.
  • Check the Provider’s Logging Policy – One of the most crucial aspects of a VPN is its logging policy. A reliable VPN provider should have a strict no-logs policy, ensuring that your online activities are not recorded or stored.
  • Assess the Level of Encryption – Encryption is what keeps your data secure as it travels over the internet. Look for providers that offer robust encryption standards, such as AES-256, to protect your information from prying eyes.
  • Evaluate Server Networks – The size and distribution of a VPN provider’s server network can affect your internet speed and the ability to bypass geo-restrictions. A larger network means more options and better chances of finding a fast, nearby server.
  • Consider Speed and Performance – VPN services can vary in speed and performance. While some reduction in speed is expected due to encryption, a good VPN provider should offer a service that minimizes this impact. Check independent reviews for speed test results.
  • Investigate Optional Features – Some VPNs come with additional features such as ad-blocking, malware protection, or multi-hop connections. Decide which, if any, of these features are important to you and choose a provider that offers them.
  • Research the Provider’s Reputation – The reputation of a VPN provider is telling of their reliability. Look for providers with a history of protecting user privacy and read reviews from trusted sources.
  • Examine the Pricing and Value – Compare the pricing of different VPN services. While free VPNs may be tempting, they often come with limitations and security risks. A paid service offers better security and features.
  • Check for a User-Friendly Interface – A user-friendly interface can make setting up and using a VPN much easier, especially if you’re new to the process. Look for services that offer intuitive apps for various devices.
  • Review the Customer Support – Reliable customer support is vital, especially if you encounter issues. Check if the provider offers 24/7 support through multiple channels, such as live chat or email. For more detailed reviews and comparisons, consider exploring resources such as PCMag, Wired, and Cybernews.
  • Read the Fine Print – Before committing to a VPN service, read the terms of service and privacy policy carefully. This will help you understand the provider’s commitments to user privacy and any potential red flags.
  • Test the Service – Many reputable VPN providers offer a trial period or money-back guarantee. Use this opportunity to evaluate the service’s performance and ensure it meets your expectations before making a long-term commitment.

A VPN service is a powerful tool for enhancing online security and privacy, but there are many considerations when selecting a VPN service. Users must carefully weigh the benefits against the potential challenges and choose a reputable VPN provider to ensure the best experience. As with any technology, informed use is the key to maximizing the advantages while minimizing the risks.

If you are interested in more information regarding VPNs, please read these online resources:

Why You Need a VPN, and How to Choose the Right Onehttps://www.pcmag.com/how-to/what-is-a-vpn-and-why-you-need-one

What is a VPN and what does it do?https://us.norton.com/blog/privacy/what-is-a-vpn

What Is a VPN, and Why Would I Need One?https://www.howtogeek.com/133680/htg-explains-what-is-a-vpn/

The 10 Best VPN Services for 2024  – https://www.pcmag.com/picks/the-best-vpn-services

5 Best VPN Services (2024)https://www.wired.com/story/best-vpn/

Best VPN Services of 2024 – tested by cybersecurity expertshttps://cybernews.com/best-vpn/

Protect your information online  – https://mobroadband.org/protecting-your-information-online/

16 Oct 2024

Selecting and Using a Password Manager

by | | 0

In my blog Protecting Your Information Online, I recommend using unique usernames and passwords for every account you create.  For most of us this creates a unique problem in trying to remember all those usernames and passwords. For most of our accounts, our email is our username, but that still leaves the passwords.

Password managers offer a multitude of benefits. They generate strong, unique passwords for each account, reducing the risk of identity theft and account takeovers. By storing all passwords in a secure vault, they eliminate the need to remember multiple login details, streamlining the authentication process. Additionally, many password managers can fill in personal information on web forms, saving time during account creation or online purchases. Password managers can be used across multiple devices, so you have your passwords on your phone, computer, or tablet. They also alert users to potential security breaches, promoting better password hygiene and overall digital safety.

Here are some factors to consider when selecting a password manager:

Multi-Factor Authentication (MFA) – Look for a password manager that supports MFA. MFA adds an extra layer of security by requiring more than just your username and password for authentication. It might involve a PIN sent via text message or an authentication app.

Password Storage Location – Decide whether you prefer a cloud-based or desktop-based solution. Cloud-based options offer convenience and accessibility, while local storage might be preferred.

Recovery of the Master Password – Although password managers eliminate the need to remember multiple passwords, you still need to recall the master password. Choose a manager that provides a way to recover your master password if forgotten, such as a special key or emergency contact.

Free or Paid – Evaluate the features versus the cost of the password manager. A free version might suffice if you only have a few accounts and do not require storing other personal information. Features such as data encryption and access across multiple devices and security such as multifactor authentication, may only be available in subscription-based password managers.

Additional Features – Explore secondary features like automated device sync, multi-factor authentication, autofill, and multi-platform support. Consider your specific needs when evaluating these features.

User Experience – Opt for a password manager with an intuitive interface. It should generate unique passwords for each account and make it easy to manage your credentials.

Among the most popular password managers, 1Password stands out for its user-friendly interface and robust security features, making it an excellent choice for new users. Bitwarden, praised for its free version, offers a solid range of features without cost, appealing to those seeking a balance between functionality and budget. Dashlane, although on the pricier side, provides a polished experience with premium features.

For those who prioritize financial features and multi-device compatibility, LastPass has been recognized as a strong contender, despite some concerns over its security in the past. Meanwhile, NordPass is noted for its overall performance, making it a top pick for many users.

You will also notice that password manager features are now being integrated into web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox. They are designed to store, generate, and autofill your passwords across various websites. Choosing between a browser-based password manager and a third-party service depends on your individual needs and security requirements. If you have a limited number of accounts, the convenience and cost-effectiveness of a browser’s built-in manager might suffice. However, if you have multiple accounts and accounts that you would consider sensitive such as healthcare and financial accounts, investing in a dedicated password manager could provide the enhanced security and features necessary for peace of mind.

When you do decide on a password manager and begin to setup the system, to store, manage and create new passwords for your existing and new accounts, be sure to follow these best practices:

Create Strong and Unique Passwords – A strong password is your first line of defense against unauthorized access. Use a mix of upper- and lower-case letters, numbers, and symbols to create complex passwords. Avoid using easily guessable information such as birthdays or pet names. The auto create feature of most password managers will take care of this for you.

Employ Multi-Factor Authentication – Whenever possible, enable multi-factor authentication (MFA) for an added layer of security. This typically involves a combination of something you know (a password), something you have (a mobile device), and something you are (biometric verification).

Regularly Update Your Passwords – While it’s important not to change passwords too frequently, as it can lead to weaker choices, regular updates are necessary especially if there’s a suspicion of a data breach. Try to change annually and you may want to consider quarterly or every 6 months for sensitive accounts.

Never Reuse Passwords – Each account should have a unique password. Reusing passwords across multiple sites increases the risk that if one account is compromised, others will follow. Most password managers will warn you if you are reusing a password or using it for multiple accounts.

Store Passwords Securely – Ensure that your password manager uses strong encryption to protect your passwords at rest and in transit. This prevents them from being easily deciphered if intercepted.

Monitor Password Strength – Use the password manager’s built-in tools to monitor the strength of your passwords and update any that are weak or compromised.

Selecting and using the password manager that meets your needs will create a more secure and streamlined experience as you use online applications and services.

For more information, please visit the following websites:

Protecting Your Information Online

  • https://mobroadband.org/protecting-your-information-online/

Seven Factors to Consider When Choosing the Right Password Manager – Forbes

How To Choose the Best Password Management Software In 2024

Password security 101: Why you need a password manager- Zoho

Picking the right password for your password manager-Bitwarden    

Browser Password Manager or a Standalone Password Service – Consumer Reports 

Links to password Managers:

1Password – https://1password.com/

Bitwarden – https://bitwarden.com/

Dashlane – https://www.dashlane.com/personal-password-manager

LastPass – https://www.lastpass.com/

NordPass – https://nordpass.com/personal-password-manager/

2 Oct 2024

Join the University of Missouri Digital Ambassador Program!

by | | 0

Do your friends, family, or neighbors turn to you for help with the internet, computers, or online tools like social media and banking? Are you eager to expand your digital skills and use them to benefit your community? Do you enjoy volunteering to support others?

If you answered yes, we invite you to become a University of Missouri Digital Ambassador for your community.

What Does Being a Digital Ambassador Involve?

As a Digital Ambassador, you’ll receive comprehensive training covering internet connectivity, troubleshooting home networks, password security, and using online tools like Google Workspace and Microsoft Office. You’ll also learn effective teaching methods for adults. The training will prepare you to assist community members in integrating digital tools into their daily lives.

We provide you with resources such as handouts, presentations, and promotional materials available online and on a flash drive. Extension faculty at the county and state levels will support you with additional materials and guidance for your community engagements.

In exchange for this training and support, we ask you for 40 hours of volunteer service over the next year. You can contribute by staffing local library help desks, offering one-on-one assistance, educating civic groups, or promoting digital tools at community events.

How You Can Make an Impact?

Digital Ambassadors play a crucial role in empowering communities through digital literacy. For example, you can help individuals navigate online banking, healthcare portals, job searches, and more. By collaborating with local businesses and sponsors, you may even facilitate access to devices for those in need.

Moreover, you’ll identify and support experts within your community who can share their knowledge on specific online applications, enhancing local educational efforts.

Join Us Today!

Digital Ambassadors across Missouri are already making a difference. They’re promoting online safety, providing personalized consultations, and advocating for digital education.

Ready to transform lives through digital empowerment? Register now to become a Digital Ambassador! Visit mobroadband (https://mobroadband.org/digital-ambassador/) for more information and to sign up. Stay updated on training opportunities and program developments in your area.

Together, we can build a digitally inclusive Missouri!

18 Sep 2024

Securing Your Web Browser: Essential Tips and Practices

by | | 0

The Internet provides access to a world of information, entertainment, connection to family and friends, and applications that can assist us in our daily lives and businesses. Web browsers are the front door to accessing all that information and it’s essential to secure that front door.  We discussed “Choosing the Right Web Browser for You” in our last blog and securing your web browser is integral in maintaining your online privacy and safety. With the increasing sophistication of cyber threats, it’s crucial to adopt best practices to help protect your digital footprint. Here are some of the best practices to secure your web browsers, along with resources for further reading:

Update Your Browser Regularly – Keeping your browser updated ensures that you have the latest security patches and features. Most browsers update automatically, but it’s good practice to check for updates regularly.

Use a Secure Browser – Consider using a browser known for its security features. Forbes Advisor and ZDNet  list the most secure browsers of 2024, highlighting the importance of privacy features such as blocking third-party trackers and using password management software.

Use Security Extensions – Consider installing security-focused extensions that can enhance your browsing safety. Features like ad blockers, anti-tracking tools, and HTTPS enforcement can significantly reduce your exposure to threats.

Manage Browser Extensions – Be cautious about the extensions you install. Only use extensions from trusted sources, and regularly review and remove any that are no longer needed.

Disable Autofill – While convenient, autofill for passwords and credit card information can be a liability. Disable autofill for personal data and credit card information to prevent it from being captured by malicious websites.

Enable “Do Not Track” – Activate the “Do Not Track” feature in your browser settings to request that websites do not collect or track your browsing data. Some websites may not process this request, but most comply. Turning this feature on is recommended. Disable tracking on all apps on your phone as well.

Use Private Browsing/Incognito Modes – While not foolproof, private browsing modes can prevent the storage of cookies, temporary files, and browsing history on your computer.

Disable Third-Party Cookies – Blocking third-party cookies can reduce tracking from advertisers and other third-party entities.

Use a VPN – A Virtual Private Network (VPN) can encrypt your internet connection and hide your IP address, adding an extra layer of security, especially on public Wi-Fi networks.

Regularly Clear Your Browsing Data – Periodically clear your cookies, cache, and browsing history to minimize the risk of data breaches and tracking.

Be Wary of Public Wi-Fi – Avoid performing sensitive activities, such as online banking, on public Wi-Fi networks. If necessary, use a VPN to secure your connection.

Secure Your Connections – Always look for ‘HTTPS’ in the URL, especially when entering sensitive information. This indicates that the connection to the website is encrypted.

Regular Security Audits – Periodically review your browser settings and extensions to ensure they are still relevant and secure. Remove any extensions you no longer use or trust.

Educate Yourself – Stay informed about the latest security threats and how to counter them. ZDNet  and Forbes Advisor provide comprehensive guides of the best secure browsers for privacy in 2024, which is a valuable resource for anyone looking to enhance their browser security.

For more detailed tips and techniques, How-To Geek offers a list of nine tips to safely browse the web, which includes using secure browsers and avoiding clicking on search ads. Additionally, OSIbeyond provides 10 tips for making web browsing more secure, emphasizing user behavior as a critical factor in maintaining security.

By following these best practices and utilizing the resources provided, you can significantly improve the security of your web browsing experience and protect your personal information from potential threats.

For further reading and to explore more in-depth information, you can refer to the articles mentioned above. Stay safe and browse wisely!

 Most Secure Browsers Of 2024 – Forbes Advisor

https://www.forbes.com/advisor/business/software/secure-browsers/

 The best secure browsers for privacy in 2024 | ZDNET

https://www.zdnet.com/article/best-browser-for-privacy/

 9 Tips to Safely Browse the Web – How-To Geek 

https://www.howtogeek.com/9-tips-to-safely-browse-the-web/

 Web Browsing | Safe and Secure Web Browser Tips and Techniques – OSIbeyond   

https://www.osibeyond.com/blog/tips-for-making-web-browsing-more-secure/

10 Browser Security Add-ons to For Privacy- Best Guard Tools – geekflare 

https://geekflare.com/browser-security-for-privacy/

The 10 Best Browser Security Extensions [Surf Secure in 2024] – cloudwards 

Best Browser Security Extensions: Surf Secure in 2024

Choosing the Right Web Browser for You 

https://mobroadband.org/choosing-the-right-web-browser/

7 Aug 2024

Recognizing the Red Flags: Common Signs of a Security Breach

by | | 0

In the interconnected world of today, where data is a valuable asset, the security of personal data is paramount. Data breaches can have far-reaching consequences, from identity theft to financial loss. It’s important to be aware of the common signs that may indicate a security breach.

Indicators that you might be part of a data breach or had an account hacked:

Unusual Account Activity – One of the most immediate signs of a security breach is unusual activity in your accounts. This could manifest as unexpected logins from unfamiliar locations or at odd hours, which could suggest that someone else has gained unauthorized access to your account.

Appearance of Suspicious Files – The presence of unknown or suspicious files on your system can be a telltale sign of a security breach. These files may be part of a malware installation and could potentially harm your system or compromise your data.

Slow System Performance – A sudden slowdown in system performance, including prolonged response times or frequent crashes, can indicate that your system has been infected or hacked and is being used for malicious activity. You can check system performance by opening task manager on a Windows computer or Activity Monitor on an Apple MacOS computer.

Locked Accounts or Changed Credentials – Finding yourself locked out of your accounts or discovering that your credentials have been changed without your consent is a strong indication of a security breach. This often means that an attacker has taken control of your account and changed the access details to prevent you from regaining control.

Phishing Attempts – Receiving phishing emails or noticing phishing attempts, where you are asked to provide sensitive information through deceptive means is a common precursor to a security breach. Always be wary of unsolicited requests for your personal information.

While recognizing the signs of a security breach is important, taking preventive measures is equally crucial. Regularly updating software, using strong and unique passwords, enabling multi-factor authentication, and being cautious about the networks you connect to can all help in preventing security breaches.

If you notice any signs of a security breach, it is crucial to act promptly to protect your personal information. Here are the steps you should follow:

Change Your Passwords – Immediately change the passwords for any affected accounts and ensure that the new passwords are strong and unique. Consider using a password manager to keep track of your passwords.

Contact the Affected Service – Inform the service provider of the suspected breach. They can take necessary actions to secure and recover your accounts and monitor for suspicious activity.

Check Your Computer for Malware – Run a thorough scan of your computer using a reputable antivirus program to check for any malware that may have been installed without your knowledge.

Monitor Your Financial Accounts – Keep an eye on your bank and credit card statements for any unauthorized transactions. If you spot anything unusual, contact your financial institution immediately.

Place a Fraud Alert – Contact one of the three major credit bureaus (Equifax, Experian, or TransUnion) to place a fraud alert on your credit reports. This alert will notify potential creditors to take extra steps to verify your identity before extending credit.

Consider a Credit Freeze – A credit freeze will prevent creditors from accessing your credit report, which can stop a thief from opening new accounts in your name. This can be done by contacting the credit bureaus directly.

Report to Authorities – Report the incident to the appropriate authorities. This may include local law enforcement, the Federal Trade Commission, or other relevant government agencies.

Purchase Identity Theft Insurance – You can purchase identity theft insurance through the company that provides your home or renters insurance. You can also purchase insurance through companies such as LifeLock or one of your credit card companies. Insurance helps with recovering your identity if stolen as well as any of the expenses associated with recovery.

Stay Vigilant – Continue to monitor your accounts and credit reports regularly. Early detection of fraudulent activity can minimize the damage and aid in the recovery process.

Educate Yourself – Learn more about how to protect yourself from future breaches. This can include attending cybersecurity awareness training or reading up on best practices for online security.

By following these steps, you can take control of the situation and mitigate the potential damage caused by a security breach. Remember, staying informed and vigilant is your best defense against cyber threats. For more detailed guidance, you can refer to resources provided by cybersecurity experts and authoritative guides.

Fraud Alert Links:

https://www.experian.com/fraud/center.html

https://www.transunion.com/fraud-alerts

https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/

Credit Freeze Links:

https://www.experian.com/freeze/center.html

https://www.transunion.com/credit-freeze

https://www.equifax.com/personal/credit-report-services/credit-freeze/

Educational Resources:

A 2024 Guide to Digital Security & Cybersecurity – https://www.security.org/digital-safety/

Online Fraud and Scams – https://www.digitallearn.org/courses/online-fraud-and-scams-new

Accounts & Passwords – https://www.digitallearn.org/courses/accounts-passwords-new

1 May 2024

Understanding Drive-By and Pop-Up Computer Infections

by | | 0

I’ve just spent some time scanning a computer in my house that had a pop-up virus trying to infect it. Drive-by and pop-up infections are quite common and can lead to your computer and data being compromised.

Drive-by downloads are a form of cyberattack where malware is unintentionally downloaded and installed on a user’s computer. This can occur when a user visits a compromised website or clicks on a deceptive link. The downloaded malware can then perform various malicious activities, such as hijacking the computer, spying on network activity, or destroying data.

Pop-up computer infections, on the other hand, often masquerade as legitimate warnings or advertisements. They can be very persistent, tricking users into clicking on them, which may lead to the installation of malware. These pop-ups can appear even when not browsing the internet, indicating the presence of adware or other malicious software on the system.

To protect against these threats, follow these recommendations:

Keep Your Software Updated – Regularly update your operating system, browser, and any installed software to patch security vulnerabilities.

Install an Ad-Blocker – Ad-blockers can prevent malicious ads from appearing and reduce the risk of accidental clicks that could lead to malware infections. PC Mag has their list of top 5 add blockers.

Use Antivirus Software – A reliable antivirus program can detect and remove malicious software before it harms your system. PC Mag and CNet have their reviews of Antivirus programs for the year.

Enable “Click-to-Play Plugins” in Your Browser – This prevents multimedia content from running automatically and can stop drive-by downloads from executing.

Download Software from Trusted Sources – Be cautious of downloading free software. Ensure you obtain it from legitimate sources and providers to avoid bundled malware.

Adjust Browser Security Settings – Maintain your browser’s default security settings or enhance them to block unauthorized downloads and pop-ups.

Be Wary of Social Engineering – Educate yourself on the tactics used by cybercriminals to lure users into downloading malware, such as phishing emails and fake websites.

Regular Backups – Keep regular backups of your important data. In case of an infection, you can restore your system without losing critical information.

For those who suspect their system may be infected, here’s a step-by-step guide to help you navigate through the process:

Disconnect from the Internet – As soon as you suspect an infection, disconnect your computer from the internet. This prevents the malware from transmitting any sensitive data and stops it from downloading additional malicious components. For pop-up infections, you can power down your machine by holding the power button in for 10 seconds. Many of these pop-up infections run in the computer memory to start and by shutting down the computer without clicking on any recommended links or trying to close the applications on your computer can reduce the chance of further infection.

Enter Safe Mode (Windows MacOS) – Reboot your computer in Safe Mode. This will start your computer with only the essential programs running, which can help prevent the malware from loading.

Check Installed Programs – Review your installed programs and remove anything that looks suspicious or that you don’t remember installing.

Run Antivirus Scans – Use a reputable antivirus program to run a thorough scan of your system. Malwarebytes Anti-Malware is a widely recommended tool for removing malware and unwanted programs. Malwarebytes has both a free and subscription-based service.

Use Secondary Scanners – Sometimes, a second opinion is necessary. Tools like HitmanPro can provide a secondary scan that might catch malware that slipped past your primary antivirus software. Hitman Pro.Alert is their fee-based version.

Reset Your Browsers – Malware often makes changes to your browser settings. Resetting your browsers to their default settings can undo these changes. Once at the default setting, you can change back to any customizations you made to enhance security above the default settings.

Update Your Software – Ensure that your operating system, browsers, and all plugins are up to date with the latest security patches. Outdated software can be vulnerable to exploitation by malware.

Change Passwords – After cleaning your system, change your passwords. This is a crucial step, as malware can capture keystrokes and compromise your accounts.

Backup Your Data – Regularly back up your data to an external drive or cloud storage. If you have a backup from before the infection, you may be able to restore your files if they’ve been damaged or encrypted by malware.

Stay Informed – Educate yourself on the latest threats and how to avoid them. Drive-by downloads can exploit vulnerabilities in outdated software, so keeping informed can help you stay one step ahead of potential infections.

Consult Local Computer Repair Professionals – If you’re not confident in your ability to clean your system or if the infection persists, seek the help of your local computer professional. It’s better to get expert assistance than to risk further damage to your system.

While drive-by and pop-up computer infections pose a significant risk, awareness and proactive measures can greatly reduce the chances of falling victim to these cyber threats. It’s a continuous battle against cybercriminals, but with the right tools and practices, you can safeguard your information and continue to enjoy the benefits of your digital life.

You can find additional information and resources at the following sites:

Malware Protection for Home 2023 | Malwarebytes

Download HitmanPro: Scan and Remove Malware

Best Antivirus Software for 2024 – CNET

The Best Ad Blockers for 2024 | PCMag

What are drive-by downloads + drive-by attack prevention tips | Norton

How to remove a fake virus alert – Norton

How to Enable Click-to-Play Plugins in Every Web Browser (howtogeek.com)

Start your PC in safe mode in Windows – Microsoft Support

Start up your Mac in safe mode – Apple Support

15 Feb 2024

Protecting Your Information Online

by | | 0

As our lives become increasingly entangled in the digital world, we face many challenges and risks when protecting our personal information. Data breaches, identity theft, phishing, malware, and cyberattacks are common threats that can compromise the privacy and security of consumers’ data. We all need to be aware of the best practices and tools that can help us safeguard our information online.

Below are several of the best practices that you can follow to protect your information online:

Use strong and unique passwords for different accounts and devices. A strong password should be at least twelve characters long, include a mix of letters, numbers, and symbols, and avoid common words or phrases. A password should not be reused with multiple accounts or devices, as this can increase the risk of hacking all the accounts using the same password.

Use two-factor authentication (2FA) whenever possible. 2FA is a security feature that requires an additional verification step, such as a code sent to a phone, app, or email, a set of security questions only you know the answer to, or a biometric scan to access an account or device. 2FA can prevent unauthorized access even if the password is compromised or stolen.

Be careful about what you share online and who you share it with. Avoid posting or sending sensitive information, such as personal details, financial information, or photos, on social media platforms, messaging apps, or email. You should also check the privacy settings and permissions of the apps and websites they use and limit the amount of data they collect or share with third parties. Set apps to share information only with friends, turn off tracking, and limit apps’ access to location data where possible.

Consider using a VPN (Virtual Private Network). VPN on your tablet, computer, or phone encrypts your internet connection and hides your location from hackers. The VPN connection makes it almost impossible for third parties to track your online activity. Using a VPN application is highly recommended to protect your privacy on public Wi-Fi networks.

Keep your applications, web browsers, and devices updated. You should set applications on your tablet, phone, or computer to update automatically.  I would also recommend checking for updates manually on a regular basis (at least monthly). This includes the operating system of the device, along with web browsers and other apps that connect online. Updates not only fix productivity issues. They provide necessary security updates. Missing updates will leave you vulnerable to threats.

Reject cookies and other trackers when possible. Websites now ask or allow you to set what cookies and information you will allow them to track. Take advantage of this opportunity to reduce the information you share with sites. You can also set your web browser to block cookies and trackers on various websites. Web browsers can also be set to send a “Do Not Track” request to the site to block some of the cookies and other trackers. Not all sites process this request, but it is worthwhile to activate this setting. To learn how to change the tracking management settings in your browser, type in “tracking prevention and the name of the web browser you use (Chrome, Firefox, Edge, Safari, or other browser).”

Install antivirus software. Antivirus software (AV) can detect, quarantine, and\or delete threats that may exploit systems or devices. AV can also warn about malicious websites and provide other services that can help protect your information online such as VPN, scanning for your information on sites that sell information on the dark web, and other features.

Avoid clicking on suspicious links or attachments in emails or messages. Be wary of phishing emails or messages that trick you into revealing personal information or downloading malicious software. Phishing emails or messages may appear from legitimate sources, such as banks, government agencies, or online services. Still, they often have spelling errors, grammatical mistakes, or urgent requests. Always verify the sender’s identity and the authenticity of the link or attachment before clicking on it by contacting the sender through an alternate means. Do not reply directly to the sent message. Look for senders’ information in your contact list or company website.

Consider purchasing identity theft insurance. In today’s environment, it is not a question of if your data will be involved in a data breach but when it will happen. You can purchase identity theft insurance through the same companies that sell your car or homeowners insurance. You can also purchase it through other companies like LifeLock or other Antivirus providers. While it does not protect you from the breach, it will help you recover your identity should your information be used to steal your identity or create loans or large purchases in your name.

Get your yearly free credit report and consider subscribing to one of the three credit monitoring services. You can get your credit reports from one of the three credit monitoring services, Experian, Equifax, and TransUnion, every year for free by going to Annual Credit Report.com and filling out a request.  You may want to consider subscribing to one of these services, which allows you to receive alerts when changes happen to your credit report, lock your credit report, and set fraud alerts to prevent others from opening lines of credit with your information.

14 Apr 2023

Part three Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance

by | posted in: | 0

A Short Guide for Owners and Leaders

Part 1 of this blog described the risks posed to micro businesses and similar-sized nonprofits from a cyberattack, Part 2 outlined a three-prong plan to develop a cybersecurity plan for your organization – starting with identifying the organization’s mission-critical assets and protected third-party data, and assessing your organization’s risk level. This part concludes, by describing the core elements of  an effective cybersecurity plan.

Step Three – Implement a Cybersecurity Plan

The final step of a cybersecurity strategy for your organization is to implement a cybersecurity plan. The specifics of the plan will vary, depending on the outcome of the first two steps discussed in Part 2. However, all organizations will find that their cybersecurity plan must be applied consistently over the long term to afford them maximum protection, and every plan should focus both on mitigating the consequences of a successful cyberattack in addition to preventing one. Finally, the most effective cybersecurity plans recognize that aggressive use of available software technology must be balanced and supplemented with ongoing training.

Password Protection & Data Management

Multifactor Authentication

One of the most obvious risks to your organization is unauthorized use of a password to gain access to your LAN, website, email or internet connected devices. As discussed Part 1, most cybercriminals need access to your network to steal or corrupt your organization’s data or software applications. While this may be is changing, network access is often achieved by providing the correct password, and of course, if the password is stolen, compromised, easily guessed, or left in an unsecure location, your organization is vulnerable.

You can address some of these risks by changing passwords regularly, using complex generated passwords, not using the same password for multiple websites, using a password vault or other policies designed to make it harder for a password to be compromised. However, a more effective solution is to require multifactor authentication for all devices that access your organization’s website or local area network (LAN).

Multifactor authentication requires both a password and a correct response to a challenge sent to another internet-connected device – usually a smart phone — that previously has been registered with the person who is seeking access. Taken together, this should mean that even if the password is hacked, as long as the cybercrook doesn’t have access to the secondary device receiving the challenge, the organization’s LAN or website cannot be accessed even if the cybercrook has discovered the password. Multifactor authentication is available for major email and network services, and it has already become a standard feature for most business and government network security.  Of course, these security efforts are more easily defeated if you or others use easily guessed passwords (e.g., “password”, “password 123”, “12345” etc.) or if they fail to keep their secondary authentication device (smart phone or laptop) secure.  

                Multiple levels of security within the organization and data encryption

A second method to strengthen cybersecurity is to require additional levels of password protection within the organization’s LAN for sensitive PII or mission-critical data. This is likely to become more important as the organization expands and adds employees, volunteers or contractors. Examples of data that might require an additional level of security include employee social security numbers, customer bank or financial account information, and health records. Requiring a second level of password protection to this information is the “digital equivalent” of locking a filing cabinet or desk drawer to discourage intentional or inadvertent access to information that should be limited to a specific group within your organization.

An additional approach that should be taken, particularly if your organization has protected PII financial information is to encrypt sensitive data that is maintained on the organization’s local devices or in the Cloud. Common email services and many operating systems and Cloud based storage products offer the option of encrypting files, folders or even an entire hard drive or network.  Of course, data encryption will protect against unauthorized use or disclosure of the encrypted data only if you have properly protected the password or “encryption key” that is used to de-crypt the data.

                Screen locks and time outs

Laptops, desktops and smart phones and other devices all contain options to “lock” access to the device if it is left unattended for a few minutes. Particularly for mobile devices or for any device used by individuals working in an open office environment, enabling this feature is a simple and highly effective way to guard against unauthorize access to the device.

Minimize and reduce access points to sensitive data.

This might seem obvious, but all things being equal, the more places you store sensitive personal data the greater the likelihood that data will be accessed and compromised in a cyberattack. Having at least one off-site backup of the organization’s critical data and software should be part of an effective overall cybersecurity plan. Yet because of the popularity of automatic Cloud backups of email and computer drives such as Google Drive, Apple’s iCloud drive, Microsoft One Drive, and many others it is not at all uncommon to find that at least some of the organization’s data has been stored in multiple locations and at some point multiple storage sites can greatly complicate the organization’s cybersecurity plan and add unnecessary burdens of maintaining all of the  locations where sensitive PII is stored. As part of your development of a cybersecurity plan, you should consider whether the added benefit of storage of the data — particularly sensitive PII, in multiple locations is worth the risk. While Cloud-based storage is relatively secure, most can be compromised and accessed with a password – or best case – a password and some form of multifactor authentication.

A related point that should be considered is whether your organization is only keeping the sensitive PII that it actually needs. Storing multiple backups that are not regularly monitored, particularly on multiple local devices such as desktop and laptop hard drives can greatly complicate efforts to properly handle sensitive data. For this reason, when you are assessing the need for multiple backup storage for the sensitive PII your organization keeps, you should also develop strategies and procedures for periodically reviewing that data to determine if it can be deleted when no longer needed. 

Promptly Update Software and Applications

No application or software is “hack proof.” Over time, cybercriminals learn new ways to access and plant malware in even the most carefully constructed software. It literally is a “cat and mouse” game played between the software developers and cybercriminals. In recognition of this reality, reputable software companies work hard to identify vulnerabilities in their software and create updates (security patches) to eliminate them. Of course, these security patches work only if they are promptly downloaded and installed on all digitally connected devices that access your network. Therefore a critical part of all good cybersecurity plans is to download and promptly install security patches as they become available. Most software and applications that run on computers and smart phones contain an option either to automatically update the program or at least to provide you notice that a new update is available for installation. Generally, these options should be enabled.     

Web-traffic Encryption – Virtual Private Networks

Information (data) is transmitted over the internet using wires (such as an ethernet or fiberoptic cable) and wirelessly over the air (through your wireless modem or smartphone hotspot). While most data transmission is secured (meaning that the information is encrypted before it is transmitted over the internet), public networks or websites that do not encrypt data allow cybercrooks to easily intercept and “listen in” on the communication. The federal government’s cybersecurity watchdog – CISA – has downplayed the risk of this type of attack.  However, one study conducted in late 2016 found that 28% of the public Wi-Fi “hotspots” (at airports, coffee shops, etc.) were unsecured.

So, how do you tell if you are communicating over an encrypted network? When you navigate to a website, look at the address bar on your website browser.  If it begins with the initials “https” you can be at least somewhat confident that your data is being encrypted as it is transmitted over the internet. However, if it says “http” – the data is not encrypted – and can be intercepted and easily read by anyone unless you take additional steps. Many website browsers will warn you when you are communicating over an unsecure network. As a matter of good cybersecurity practice, these sites should be avoided, particularly if you have not implemented a second level of encryption that is discussed next.

Only accessing sites with the  “https” designation will greatly reduce the risk of a cyberattack using wireless networks. However, it is not foolproof. Unfortunately, even an “encrypted” Wi-Fi connection can be defeated through a process known as SSL Stripping. This involves tricking your computer into removing the encryption protocol, in effect downgrading your communication from “https” to “http,” without your knowledge.

For this reason, if your organization relies on wireless networks or if you and others often work remotely using public Wi-Fi, you may want to consider using virtual private network (VPN) software. VPN software can run on a single local computer, a LAN, or on a digitally connected device such as a tablet or smartphone. Once installed and activated, most VPN software offers two additional levels of protection for internet access.

First, it masks the originating address of the communication, making it difficult for a cybercriminal to determine what network is being accessed by the user. This is done by causing the transmitted data to go from the computer to the VPN provider’s server before it continues on through the internet to the user’s ISP and the destination website. For many, this feature of VPN is most important because it may offer a higher degree of privacy, making it more difficult for websites or government entities to track web browsing activity. 

However, there is a second advantage to a VPN. VPN communications between you and the VPN provider are encrypted. In other words, even if a cybercrook is able to “strip” the “https” encryption, they will only be able to see data that has been encrypted using the VPN program. No technology is completely secure from cybercriminal hacking or “eavesdropping,” but a VPN connection provided by a reputable provider is very secure, and it’s a relatively inexpensive way to guard against this type of cyberattack.

If you decide a VPN is a worthwhile investment, VPN software is offered by a number of private companies, and it is important to pick one that best meets your needs. You will need to do some investigation and find articles that evaluate VPN providers and offer advice on how to pick a provider best suited for your organization’s needs, but keep in mind that some of these articles focus more on privacy (the first advantage of a VPN) rather than your organization’s objective — defeating a cybercrook’s attempt to intercept and read the data being transmitted. For your organization, the primary concern may be the number of servers the VPN provider has and the speed and capacity of those servers. This is important because once the VPN is activated, all of your communication over the internet must pass through your VPN provider’s server. If the provider does not have sufficient network capacity, the speed and reliability of your internet connection will be significantly reduced.

Addressing “Human” Vulnerabilities

It would be nice if you could protect your organization from cybercrooks just by buying additional software. Unfortunately, relying on software at best is just half the solution. The other half is dealing with the “human” side of cybersecurity. The reason is simple: even the most robust software technology can be defeated or rendered useless by bad actors inside the organization, by failing to properly use the cybersecurity software tools that are available, or simply a failure to recognize a cybersecurity attack. This section focuses on ideas for reducing your organization’s human vulnerabilities to a cyberattack.

Background checks for those who access the network.

Obviously, you want your organization to grow and become more successful, but as that happens it becomes more important to know who has access to your connected devices and data. A good cybersecurity plan should include a set procedure that includes conducting background checks on all prospective employees. This should include criminal record checks, credit checks, as well as verification of employment and education. Even if you are the only “employee” in the organization, the same considerations apply to others such as vendors, customers or volunteers who have access to your organization’s network.  Of course your background check may not be as extensive as what you would use if you were evaluating a person for employment, but depending on the nature of the contact, the role the individual or entity will play, and the level of access to your organization’s data, you will want to know enough about the individual’s background to feel reasonably certain they will not put the organization’s data or its connected devices at risk of a cyberattack.

Implement  cybersecurity policies and procedures.

Even if you are a sole proprietor or the “staff of one” in a local nonprofit, it is important to consider and implement common sense policies and procedures to minimize the risk that your organization  will fall victim to a cyberattack. Items to consider include:

  • Setting a schedule to regularly check all critical software for security patches and immediately installing critical security patches when notified by a software provider.
  • Developing a policy to create robust passwords and to regularly change passwords.
  • Avoid loading any personal software or email on a computer or other device connected to the organization’s network.
  • Avoiding use of the organization’s email address for personal communications.
  • Install screen password locks on all of the organization’s desktops, laptops and tablets.

Admittedly not all of these policies will be popular, and like many things in life, you may decide that the level of risk your organization faces does not justify implementing some of them. That of course is up to you as leader of the organization. However, before making any final decision, consider whether some or all of these steps may be mandated by clients, customers or suppliers with whom you are dealing.

Educate yourself and everyone who has access to the organization’s digital resources.

Hopefully one of the things you have learned from this blog is that the cyberattacks on businesses, organizations and government have continued to evolve to counter efforts to make software and networks less prone to attack. This will certainly continue. For that reason it is important that you commit to remain up to date on evolving cyber security risks. Fortunately there are a number of resources available to assist in that task. Two are listed below:

You also should consider ongoing training and reminders for employees or others who regularly access your network. Here you might want to use resources developed specifically for that purpose:

Develop a Cyberattack Recovery Plan

You may find this part to be discouraging. After all, if you have taken all of the previous steps to protect your organization from a cyberattack, it’s sobering to think that your  still aren’t protected. Of course, that’s not true. By implementing the previous steps you will have made it much more difficult for a cybercrook to access, disable your network, or steal data. However, just as the best physical security and alarm systems don’t provide 100% protection against the risk of theft or loss, even the best cybersecurity strategies can – and are – defeated each day. Just as you take steps to deal with that reality for your physical assets, it’s important to consider how to deal with a successful cybersecurity attack as well. Here are three ideas you should consider.

Offsite Secure Backups

Earlier, in developing your cybersecurity plan you identified the “critical” data and applications that were needed to operate your organization. As part of your Plan, you need to arrange for these critical items to be regularly backed up, and securely stored in a safe location. How often you decide to back up the data will vary, but obviously data that is added after the backup likely will not recoverable, so it may make sense to back up daily or at least weekly.

Nearly all major software providers offer the ability to backup data to remote “Cloud-based” servers. Some providers offer the ability to automatically back-up data on an hourly, daily or weekly basis, together with the option of accessing earlier backup versions. This last feature can be useful if you are concerned that an “infected” file may have been downloaded onto your network or computer prior to your last backup. Of course, there is always a possibility that your automatic backup system may not initiate for some reason, and as part of your  Plan, you will want to periodically check to make sure the backups are occurring  as expected, and that they can be accessed.

Develop a strategy to notify third parties of a cyberattack.     

This step is most relevant for organizations that maintain sensitive PII (described earlier in Part 2), that have an ethical obligation (such as an attorney) to maintain confidentiality of client data, or that have entered into a contract to maintain the confidentiality of third-party data. Organizations in these situations need to consider and include in their plan, a procedure to document and update where third-party data is stored, and a method to easily identify businesses or individuals that need to receive notice of a cyberattack.

Consider cybersecurity insurance.

It’s probably apparent at this point that a successful cyberattack might be an expensive proposition for your organization, not only from lost revenue but from third party claims for collateral damages as well. You likely insure against the risk of loss of your organization’s physical assets, so it may occur to you that insurance against losses from a cyberattack might be a good idea as well.

Many companies offer insurance policies for some losses incurred in a cyberattack, and for some organizations insurance can be part of a comprehensive cybersecurity plan, however cybersecurity insurance may not be appropriate for all organizations, and as part of preparing the plan for your organization, you need to carefully consider the pros and cons before purchasing a cybersecurity insurance policy.

Cybersecurity insurance generally will insure your organization against some losses arising from interruptions to normal operations, the cost of notifying third parties of cybersecurity attacks, and the cost of defending lawsuits from third parties for damages arising from the event. However, these policies typically will not insure against losses arising from damage occurring from criminal activities by your employees or for the loss of physical or intellectual property resulting from a cyberattack. 

You can begin determining whether cybersecurity insurance is right for your organization by talking with your insurance agent. Generally organizations that store significant amounts of third-party personal information and those most at risk from business or operational interruption in the event their network is compromised, will find cybersecurity insurance to be most useful.  However, cybersecurity insurance is NOT a substitute for a good cybersecurity plan. Be aware that if you decide to purchase a policy, you can expect the insurance provider to demand that you institute the policies and procedures outlined in this blog as a condition for providing coverage. In other words, cybersecurity insurance provides an additional level of financial protection, but only after you have implemented a good cybersecurity plan.

Cybersecurity – Is It Worth the Effort?

These three blogs have outlined the risks to your organization of a cyberattack and outlined the steps you should take to implement a cybersecurity plan to defend against an attack. Operating a business or nonprofit on a shoestring budget is extremely challenging and requires leaders to constantly set priorities and trade-offs. Success often depends on not letting “perfect be the enemy of good enough,” and the amount of time and effort organizations need to put into their cybersecurity plan will vary. However, it is not an exaggeration to say that every organization needs to do something. You can confirm that by simply imagining how your organization could operate if your network, records, computers and even your phone all stopped working. Unfortunately even for very small organizations the risk of an attack is significant, and the consequences of being unprepared likely will be  catastrophic. While it is not possible to completely secure your digital assets, the steps outlined, can significantly reduce that risk, and mitigate the damage in the event of a successful attack. For that reason, even for the smallest business or nonprofit, it’s worth the effort to implement an appropriate cybersecurity plan. 

12 Apr 2023

Part Two Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance –

by | posted in: | 0

A Short Guide for Owners and Leaders

Part One of this Blog explained the risks your organization faces from a cyberattack, describing the most common objectives and the primary ways cybercrooks attack microbusinesses and similarly sized nonprofits. You learned that successful cyberattacks often involve tactics that are designed to deceive, along with sophisticated malicious software, and that potentially any device that connects to the internet, or to your local area network (LAN) could be an entry point for a cyberattack.

While the risks posed to your organization by cybercrooks are real, and no solution will be 100% effective, there are several things you can do to greatly limit the risk posed by cyberattacks. The objective of this blog and the next one is to describe a strategy you can use to secure your organization against a cyberattack, and help you mitigate the damage done even if an attack is successful.

There are many good educational resources available online that provide specific guidance to assist in understanding how to spot a cyberattack and more are being developed all the time. Examples include the resources offered by the  U.S. Small Business Administration, the Federal Communications Commission and the Missouri Cyber Security Office as well as commercial software providers, such as Microsoft .   In addition, resources published by PCI Securities Standards Council, the organization that works to secure the processing of credit and debit card payments, can help you identify ways to reduce this significant area of risk for many microbusinesses and nonprofits.

These tools and resources will be essential in implementing a comprehensive strategy for cybersecurity. However, implementing and using them effectively requires that you develop a comprehensive strategy that is tailored to address your organization’s unique vulnerabilities. The next two parts will describe one process you can follow to develop an effective strategy.  Doing this will help you use the available tools and resources more effectively and make the most of these resources. By taking this approach, you’ll be able to better use the available tools and resources to address your organization’s cyber security needs and risks.

Part 2 –Developing  a Cybersecurity Plan for Your Organization – Beginning the Process

Given the number of cybercrooks out there, and the many strategies used to carry out an attack, the task of securing your organization may seem daunting, and it is easy to become overwhelmed. One way to keep yourself on track, is to break down the plan for securing your organization into three steps: Identify Critical Data; Assess Your Risk Level; and finally, Implement an Ongoing Cybersecurity Strategy.

Part 2 of this Blog addresses how to identify your organization’s critical data and assess your primary risks and vulnerability to a cyberattack. In Part 3, will discuss how to use this information to  implement an effective cybersecurity plan that is tailored to your organization.

Step one – Identify Critical Data

This step may seem unnecessary, but overlooking it could sabotage your efforts to create an effective plan or cause you to spend far more time than is warranted working on issues that really do not constitute a substantial threat to the organization. The reason is simple; in order to mount an effective defense against a cyberattack, you must first know what data and applications need to be secured. For this reason, your first step in developing an effective cybersecurity plan is to evaluate your situation with by asking two questions: First, what data and software are “mission critical” to the organization? and second, what “third-party data” do we store and retain that must be protected? Taking this this step is critical because leaders of microbusinesses and similarly sized nonprofits simply do not have the luxury of unlimited staff and resources. They must focus their cybersecurity efforts on what is most important based on their unique situation.

Identify “Mission Critical” Information and Software Applications

Identifying what is “mission critical” to your organization requires a little bit of imagination, as well as some investigation. A good way to start is to imagine what would happen if you discovered one morning that your entire organization had been subject to a successful ransomware attack. You have just grabbed a cup of coffee, turned on your desktop or laptop, and were faced with this screen: 

This Photo by Unknown Author is licensed under CC BY-NC-ND

You open your smartphone and tablet and find that they have the same message! This means you can’t access your documents, such as Word and Excel Templates, customer lists, records and forms. Access to everything saved to a computer or stored online has been blocked. You really panic when you attempt to access your company email account and discover that it has also been hacked and the password has been changed! 

Now, ask yourself, what information (data) is critical to the operation of your organization over the next day, the next week, and the next month? What “software” (apps, programs and applications) do you use daily to generate forms, invoices and correspondence in your organization. This likely would include things like customer lists, templated, custom business software, and a variety of transaction records. You’ll likely decide that some data and applications truly are “mission critical” (things you simply cannot operate at all without immediate access) while others you could work-around for at least some period of time.

One point to remember though, is that your list likely will be different than that which another organization would prepare. For example, an architect or engineer’s ability to access work it performed for a client five or ten years ago, may be the most important competitive advantage they have to gain repeat business for improvements or modifications to a project. On the other hand, that same data maybe simply taking up space on another business’ computer hard drive.

Identify protected third-party Information.

Once you have identified data and information critical to your organizations operation you then need to determine what data your organization maintains relates to third parties (customers, suppliers, employees and independent contractors). The previous blog described ways cybercrooks use personal information to compromise computer networks and rob innocent third parties. For that reason, you need to identify data you have retained that could be exploited in a cyberattack to injure these third parties.

This third-party data is often referred to as personally identifiable information (PII). The Department of Homeland Security defines PII as any information that permits the identity of an individual to be directly or indirectly inferred. Sensitive PII includes social security numbers, driver’s license numbers, alien registration numbers, financial account and medical records, biometric data, or an individual’s criminal record.

Of course, it is important to identify what sensitive PII your organization has to protect others against losses from a malicious cyberattack. However, It also is important for your organization to do this because most every state has enacted laws mandating disclosure to these third parties if your organization is the victim of a cyberattack that likely resulted in the disclosure of sensitive PII to a cybercrook. Missouri’s statute can be found here.

In addition, there are laws and regulations that impose requirements on specific industries, such as finance and health care, and these will vary, but the risk to your organization is much the same: a failure to safeguard this third party sensitive PII may lead to its disclosure, and in turn to a successful attack directed against the third party. To protect these individuals, your organization will need to notify them of the attack. Depending on the amount of information involved, this could be quite expensive and time-consuming. It almost certainly will damage your organization’s reputation.

While you may be able to quickly identify the type of sensitive PII your organization retains, determining where that information is located and stored can be a challenge. Most organizations have multiple devices (computers, tablets, servers, smartphones and others) that store the data locally. In addition, this information often also is stored remotely on devices maintained by third parties, in what has come to be known as “the Cloud.”  Since data backups to the Cloud can be initiated automatically, you may find that there are multiple copies of sensitive information stored in multiple locations. Depending on your organization’s size – and most importantly whether it likely receives, maintains and stores sensitive PII, you may want to look into using specialized software that is designed to search out various locations to identify where your organization has stored sensitive PII, both on local devices and in the Cloud.

Step Two – Assess Your Risk Level

Once you have identified “mission critical” information and applications and the sensitive PII your organization holds, you can move to the second step of your cybersecurity strategy, assessing how well this information and applications are protected from a cyberattack. Since a cyberattack is most likely to be launched by someone who is accessing the internet, a good way to begin is by examining how your organization interacts with the internet.

Inventory internet-connected devices

One place to start this effort is to catalogue the devices that can access the internet. Of course, this will include desktops, laptops and tablets and smartphones owns and maintains. However, that may only be the first step, and it may not include your most vulnerable access points for a cyberattack.  For example, you or your employees may access the organization’s LAN remotely from a home computer, smart phone or tablet. You may also have granted customers, patrons or suppliers’ special access your network resources. Each of these is a potential “point of access” to a cyberattack. As you develop an appropriate cybersecurity plan in Part 3 of this blog, you will need to take these devices and entry points into account as well as your LAN and the devices that are attached to it.

Addressing customer credit or debit card payment information

Most businesses and nonprofits must be able to seamlessly accept payments and/or donations with a credit or debit card. However, it is very important to understand what responsibilities your organization has assumed through its credit or debit card payment arrangements, and how that risk can vary depending on how the organization has structured its payment receipt system.

In 2004, the major payment card companies created the “Payment Card Industry — Data Security System”` – usually referred to as “PCI DSS.” The PCI DSS establishes industry standards for businesses and organizations that accept, transmit or store payment card information. This is not a federal or state law although as previously discussed, separate federal or state laws or regulations may require disclosure and create liability issues for your organization if  PII is compromised in a cyberattack. Data Security Standards for PCI compliance vary depending on the payment brand (Visa, Mastercard, American Express, etc.) and the number and size of credit or payment card transactions. An organization that is not PCI compliant may lose the right to accept credit or payment card payments and, more importantly, face very substantial fines and penalties.

That said, most PCI compliance obligations are triggered only if the organization handles, transmits or stores credit or debit card information its network. Fortunately, most small organizations can avoid many of the ongoing requirements to remain PCI compliant, and still offer customers or donors the convenience of using credit and debit cards by using a payment card processor company. In a payment transaction these companies act as an “intermediary.” Once the transaction is initiated, the exchange of protected information (PII) is conducted on the processor’s network rather than the organization. The processor takes the payment card information directly from the customer and credits the organization’s account with the appropriate payment. Since the processor’s network handles the mechanics of the payment processing and stores that information as needed, the organization does not handle, transmit or store any protected data relevant to the transaction.

Of course, if your organization collects or stores payment data by some other means, such as requesting it directly from the customer or donor, that short-circuits the protection afforded by using the payment processor. It then must handle  and secure the sensitive PII in accordance with the PCI DSS standards, and it potentially could be subject to significant economic fines and penalties if the sensitive PII it has stored is compromised through a cyberattack. For these reasons, organizations will want to be extremely cautious about collecting and storing any payment card information. 

Cybersecurity and your organization’s website

Your organization almost certainly has some sort of “online presence” whether it is through a commercial website provider or just a page on a social media site. As with other aspects of cyber security, your organization’s risk of a cyberattack will vary, and will depend in large part on the level of access offered to the public through the website. Additionally, in cases of a ransomware attack, the extent to which your organization relies on its website to maintain day-to-day operations will be important in assessing the extent to which the cybersecurity plan for the organization needs to focus on website cybersecurity. As a general rule, if your organization has a website, you’ll want to spend time understanding the cybersecurity risks associated with the site, even if you rely on a third party to prepare and maintain it for your organization.

The risk of a successful cyberattack through your website can depends in part on the software and cybersecurity tools used by the company that hosts that site for your organizations. Websites that regularly update security software are at less risk. However, if your website permits customers or users to upload any files or documents onto the site, you will need to be particularly diligent to ensure that those files are screened for malware, as this feature presents the potential for any cybercrook to launch a malicious attack on the website. Additionally, if your website provider provides options to accept payment cards you’ll need to assess whether it is PCI DSS compliant.

The Final Step

Now that you have learned what a cyberattack is, how it is implemented, determined what data and applications your organization needs to protect, and reviewed your organization’s unique risk profile, you are ready to focus on ways to protect your organization. This is the focus of Part 3 of this Blog.