Advancements in technology are occurring at an increasingly dizzying pace. New technologies emerge to join the ranks alongside ‘new and improved’ functionalities of existing ones—and all the while, increased adoption of these technologies has led to an exponential growth of data breaches. Here’s something that puts the issue into perspective whether you’re reading this in your office, sitting in a traffic jam, on a plane, or at home with your family. Look to your left and see one person. Then look to your right and see two others. By the law of averages, one of those three people experienced a compromise of their personal information in the U.S. within the past year.

Threats come in many forms, from many directions

As technology becomes more intertwined with the fabric of our everyday lives, cybercrime has grown into an estimated $600 billion industry worldwide. With every new functionality, feature and access port to technology comes with new opportunities for cyberthieves and hackers to enter and corrupt networks. 

Some of the most common types of attacks are:

• Hacking/Malware: Malicious software including spyware, ransomware, viruses and worms
• Phishing: The sending of fraudulent communications that appear to come from a reputable source, typically via email
• Man-In-The-Middle (MitM) Attacks (AKA Eavesdropping Attacks): Occur when attackers insert themselves into a two-party transaction, most commonly through unsecure public Wi-Fi networks or malware
• Denial-of-Service Attacks: Flooding systems, servers or networks with traffic to exhaust resources or bandwidth, leading to a fulfillment disruption of legitimate requests
• Structured Query Language (SQL) Injection: Occurs when an attacker inserts malicious code into a server that uses SQL and forces it to reveal proprietary information
• Zero-Day Exploit: Hits after a network vulnerability is announced but before a solution is implemented

With these security threats hitting all industries, a dynamic cybersecurity strategy is a prerequisite for a company to protect itself.

Here are five quick but helpful tips to keep your IT safe in the New Year:

Tip No. 1: Implement a cybersecurity training program.

In its survey of over 1,000 small business owners and C-level executives, Information security company Shred-It’s 2018 State of the Industry Report found that 47% identified human error (such as unintentional loss of a device or document, leaving a device unlocked while unattended, etc.) as the catalyst of a cybersecurity breach at their organization. Furthermore, the Ponemon Institute reports that two out of three threat incidents are caused by employee or contractor mistakes. This evidence clearly indicates a disconnect between where employees currently sit in their grasp of secure technology practices and where they should be. 

In 2020, make it a priority to integrate a cybersecurity awareness and training program into your organization processes. Here are some ideas for protocol implementation:

• Create a policy about the use of personal email accounts and social media platforms on work devices.
• Hold quarterly training seminars for recognizing threat indicators, app installs and updates, and Virtual Private Network (VPN) setup and usage when working remotely.
• Make any training programs a core part of your onboarding program for new employees.
• Bring in guest cybersecurity speakers and instructors for lunch & learns (contact TEC if you’d like to discuss, as we hold many of these).
• Schedule regular data access audits to ensure that the right employees have appropriate access to information, and that ex-employees who longer work at your company don’t have access.

Tip no. 2: Get a firewall solution that protects your entire network

Here are some questions to ask yourself regarding your business’ firewall:

• How effectively does your firewall monitor your network’s incoming and outgoing traffic?
• How well does it prevent viruses and other threatening intrusions?
• Does your firewall properly manage bandwidth so that your network can operate at peak performance?
• Do the identity and access management protocols consistently weed the bad users out?

Your network’s firewall is the dataflow and coverage epicenter of your IT. It needs constant monitoring to ensure that your entire network is both efficient and secure against advanced threats.

Cyberattackers are getting smarter every day, and your firewall needs to have every network entry point protected. 

Tip no. 3: Make sure your employees are protected, regardless of where they’re located or connecting

In TEC’s October 2018 Collaboration in Workplaces blog, we dove into the shifting of workplace dynamics from only office headquarters to a structure involving multiple satellite/home locations, employees with non-traditional hours, and more mobile and remote workspaces—all requiring real-time connectivity on a multitude of devices including computer workstations, laptops, phones, and tablets. Protecting your information everywhere your employees go on your network becomes exponentially more difficult when they’re connecting in a myriad of places, on an increasing number of devices. Will your cybersecurity setup protect against a data intrusion over an unsecured Wi-Fi network at the local coffee shop? At an airport gate? In an employee’s hotel room while traveling on business? While answering emails at their child’s soccer practice?

Not knowing the answers to these questions leaves a huge gap in your cyberdefense…and creates opportunities for breachers to leverage a singular entrypoint to create havoc for your entire organization.

Tip no. 4: Be more diligent in conducting ongoing internal threat tests

TEC can help train your employees to identify cyberthreats that attempt to access your network via their endpoints. Regular phishing simulation tests are a turnkey way to test the effectiveness and recognition of phishing attempts. Such attempts (which are becoming more sophisticated, especially with the explosion of social media platforms) can be successfully stifled using a variety of approaches.

Additionally, penetration tests—more commonly referred to as ‘pen’ tests—should be a dedicated part of your company’s continuing cybersecurity plan. A planned simulated attack on a system using the same tools and techniques that a cyberthief would, it reveals the strengths and vulnerability points in a cyberdefense plan. Such tests should be performed at least quarterly to maintain optimal security levels. The Payment Card Industry Data Security Standard mandates a regular testing schedule, including immediately after any system changes or upgrades.

Tip no. 5: Consider using single sign-on or multi-factor authentication to buoy password security

Look into the advantages of Single Sign-On (SSO) and Multi-Factor Authentication (MFA) resources, which exist for this express purpose. SSOs leverage other trusted sites to verify users’ identities, then allows them access with a single ID and password (which, because they are verified by other trusted sites, are not held in that site’s database). MFAs grants the user access to a network only after successfully presenting two (or more) pieces of evidence from among:

• Something they know (i.e. a password);
• Something they have (i.e. an access card, chip, etc.); and
• Something they are (i.e. fingerprint, voice, etc.).

Duo Security is an example of an effective, easy-to-use and affordable SSO/MFA solution that can significantly reduce your risk of a user-generated data breach.

Cyberattacks do not happen in a vacuum; many variables come into play at every turn—on both the attacker and target sides—that make the dynamic a living, breathing organism that morphs with every advancement in technology. Therefore, it is critical to combat threats with a steady, ongoing campaign to ensure you’re never caught with your guard down.

TEC Communications is a Cleveland-based Cisco Premier Certified Partner – in fact, the first Cisco technology partner in Northern Ohio – and trusted IT solutions provider celebrating its 40^th Anniversary in 2019. Go to http://www.tec4it.com or call us at 440.333.5903 to find out how TEC Communications can help you identify, combat and prevent attacks on your sensitive data.

Frank Keogh is a systems engineer, specializing in network consulting for LAN, WAN, cybersecurity and data center/hyperconvergence. Credentials? Plenty. CCNA, CCDA, CCNP, CCSP, VCP5-DCV

In the first of this two-part series brought to you by staff from the FTC’s East Central Region, we discussed the first five lessons to protecting your company against vulnerabilities in data security. In part two, we round out the top ten lessons, distilled from over 50 law enforcement actions brought by the FTC. 

Lesson No. 6: Secure remote access to your network

Business doesn’t just happen in the office. While a mobile workforce can increase productivity, it also can pose new security challenges. If you give employees, clients or service providers remote access to your network, have you taken steps to secure those access points?  

Ensure endpoint security

Just as a chain is only as strong as its weakest link, your network security is only as strong as the weakest security on a computer with remote access to it. Take care to ensure that computers with remote access to your network, including those with remote login accounts or access through an online portal, have appropriate endpoint security, including firewalls and updated antivirus software.

Put sensible access limits in place

Not everyone who might occasionally need to get on your network should have an all-access, backstage pass. That’s why it’s wise to limit access to what’s needed to get the job done, including adequately restricting third-party access to your network. Consider placing limits on third-party access to your network—for example, by restricting connections to specified IP addresses or granting temporary, limited access.

Lesson No. 7: Apply sound security practices when developing new products

So you have a great new app or innovative software on the drawing board. Early in the development process, think through how customers will likely use the product. If they’ll be storing or sending sensitive information, is your product up to the task of handling that data securely?

Train your engineers in secure coding

Have you explained to your developers the need to keep security at the forefront? The FTC has alleged in several cases that companies failed to train their employees in secure coding practices, leading to questionable design decisions, including the introduction of vulnerabilities into the software. For example, the FTC alleged that one company failed to implement readily available secure communications mechanisms in the logging applications it pre-installed on its mobile devices. As a result, malicious third-party apps could communicate with the logging applications, placing consumers’ text messages, location data and other sensitive information at risk. The company could have reduced the risk of vulnerabilities like that by adequately training its engineers in secure coding practices.

Follow platform guidelines for security

When it comes to security, there may not be a need to reinvent the wheel. Sometimes the wisest course is to listen to the experts. The FTC alleged in three actions that companies failed to follow explicit platform guidelines about secure development practices, by, for instance, turning off a critical process known as SSL certificate validation in their mobile apps, leaving the sensitive information consumers transmitted through those apps open to interception through man-in-the-middle attacks. This vulnerability could have been prevented by following the iOS and Android guidelines for developers, which explicitly warn against turning off SSL certificate validation.

Verify that privacy and security features work

If your software offers a privacy or security feature, verify that the feature works as advertised.

Test for common vulnerabilities

There is no way to anticipate every threat, but some vulnerabilities are commonly known and reasonably foreseeable. In more than a dozen FTC cases, businesses failed to adequately assess their applications for well-known vulnerabilities like those identified by the Open Web Application Security Project (OWASP).

Lesson No. 8: Make sure your service providers implement reasonable security measures

When it comes to security, keep a watchful eye on your service providers—for example, companies you hire to process personal information collected from customers or to develop apps. Before hiring someone, be candid about your security expectations. Take reasonable steps to select providers able to implement appropriate security measures and monitor that they’re meeting your requirements.

Put it in writing

Insist that appropriate security standards are part of your contracts. Businesses can include contract provisions that require service providers to adopt reasonable security precautions—for  example, encryption.

Verify compliance

Asking questions and following up with the service provider can help ensure that the service provider is performing in a manner consistent with your privacy and security policies and the terms in the contract designed to protect consumer information.

Lesson No. 9: Put procedures in place to keep your security current and address vulnerabilities that may arise

Securing your software and networks isn’t a one-and-done deal. It’s an ongoing process that requires you to keep your guard up.

Update and patch third-party software

Outdated software undermines security. The solution is to update it regularly and implement third-party patches.  

Heed credible security warnings and move quickly to fix them

Have an effective process in place to receive and quickly address security vulnerability reports.  Consider a clearly publicized and effective channel (for example, a dedicated email address like security(@)yourcompany.com) for receiving reports and flagging them for your security staff.

Lesson No. 10: Secure paper, physical media and devices

Network security is a critical consideration, but many of the same lessons apply to paperwork and physical media like hard drives, laptops, flash drives and disks.

Securely store sensitive files

If it’s necessary to retain important paperwork, take steps to keep it secure. Storing sensitive consumer information in boxes in a garage or leaving faxed documents that include consumers’ personal information in an open and easily accessible area are both situations that the FTC has alleged increased the risk to companies’ customers.

Protect devices that process personal information

Securing information stored on your network won’t protect your customers if the data has already been stolen through the device that collects it. Attacks targeting point-of-sale devices are now common and well-known, and businesses should take reasonable steps to protect such devices from compromise.

Keep safety standards in place when data is en route

Businesses can reduce the risk to consumers’ personal information by implementing reasonable security policies when data is en route. For example, when sending files, drives, disks, etc., use a mailing method that lets you track where the package is. Limit the instances when employees need to be out and about with sensitive data in their possession. But when there’s a legitimate business need to travel with confidential information, employees should keep it out of sight and under lock and key whenever possible.

Dispose of sensitive data securely

Companies can reduce the risk to consumers’ personal information by shredding, burning or pulverizing documents to make them unreadable and by using available technology to wipe devices that aren’t in use.

Looking for more information?

The FTC’s Business Center has a Data Security section with an up-to-date listing of relevant cases and other free resources

The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. You can file a complaint online at www.ftc.gov/complaint or by telephone at 1-877-FTC-HELP (1-877-382-4357). 

Digital collaboration is supposed to make work easier, right? But if the tools that are supposed to make working together simple don’t actually boost productivity and efficiency, what’s the point?

About 88% of CEOs believe digital technologies are creating high value in operational efficiency. In order to have the operational efficiency, you need the right collaboration tools. Here are five things that are crucial for a successful digital workplace.

Must-have No. 1: Connectivity

Employees need the flexibility to choose the most effective way to access business applications wherever they work and whatever device they work on. About 77% of millennials wish to have greater mobile connectivity from their employers. Make sure you are able to give them that option and flexibility.

• RELATED: Read these 13 ways to retain millennial workers.

Must-have No. 2: The right tools, with the right results

People can do amazing things whether they’re in the office, on the road or on the couch. Give them the power to create, edit, view and work together in real time. Once you do, you can then get ready to be amazed at the results. About 91% of employees believe digital technology can transform the way they work for the better. Make sure you’re empowering your employees with the best tools available.

Must-have No. 3: Video collaboration

What do you do when people can’t meet in person, and email or a phone call won’t cut it? You use HD video conferencing, wherever you are, and tie in content sharing to make communication easier, build trust, and do away with errors, that’s what.

Must-have No. 4: The ability to make wise choices

You really have to get your digital plan right. Even small gaps are big deals. Trends like bring your own device (BYOD), video conferencing, and cloud-based apps may be monster-sized asks for your network that you cannot afford to miss.

• RELATED: Is BYOD a good idea for your employees?

Be sure you can:

• Handle business-quality video conferencing.

• Provide private and public cloud access.

• Deal with sophisticated productivity and collaboration apps.

• Manage security across multiple locations and types of devices.

Must-have No. 5: Security

The digital world keeps getting more complex. As it does, security faces more challenges. With trends like cloud computing, social media and expanding mobility needs, lacking the right protection can leave opportunities for attackers to get in.

• RELATED: Protect yourself by reading this ransomware story.

Strengthen your network security when you:

• See more with global threat intelligence.

• Stop threats before, during and after an attack.

• Automate security across physical, virtual and cloud to reduce complexity.

TEC Communications is proud to be the first Cisco partner in Ohio. We can help you revolutionize the way you get business done anywhere, anytime with a simple, secure, complete, all-in-one business communications service. Empower your employees with the best collaboration tool available. What can provide all of that? Cisco Webex Teams brings the 5 must-haves together for an effective collaboration tool that boosts productivity. Contact us at www.tec4it.com to learn more.

So, give us some background on e2b teknologies: When did you get started, core markets, key products/services, headcount, etc.?

e2b teknologies was founded in 2001 by several former Sage Software and Haitek Solutions employees but traces its roots to the original company - Haitek Solutions, which was formed in the early 1990s as a software development and business applications reseller. Our heritage has long-since been tied to business application development with literally decades of experience implementing, developing, and integrating business applications. Today, e2b teknologies is a business software developer and ERP consulting, reseller, and custom development company specializing in accounting and business applications for wholesale distribution, manufacturing, and service management organizations. Our product offering includes Epicor ERP, Sage 100 ERP, Sage 500 ERP, Sage ERP X3, Sage CRM, and other extended solutions.

e2b teknologies also develops complimentary business applications including Anytime Collect accounts receivable management software which was a finalist for the 2015 OHTec Best Software Product Award, Anytime Commerce B2B e-commerce platform, Anytime Docs documents management software, Anytime 500 manufacturing and distribution add-ons for Sage 500 ERP, and others.

e2b calibration is another business unit in the e2b teknologies family. It is an ISO/IEC 17025 accredited calibration and repair laboratory providing a full scope of services (traceable to NIST) for most popular calibration, test, and measurement instruments services.

Where have you seen the strongest growth for the company in the past few years? 

We’ve seen growth throughout our business over the last few years. The calibration lab continues to be hugely successful as it has seen consistent growth in both customer count and revenue; Our ERP sales consulting, and development practice continues to thrive as we further diversify our product offering and our team has earned a number of publisher and media accolades for excellence in ERP sales and services.

Of all the success we have seen, the growth of our accounts receivable management software, Anytime Collect, has been very impressive. Anytime Collect is a cloud-based accounts receivable management software that helps companies get paid faster and easier through automation and management of the entire accounts receivable process.

Sales of Anytime Collect have grown significantly year-over-year for the past five consecutive years and we expect the trend to continue throughout 2015 and beyond. This explosive growth can be attributed to a number of factors including the expansion of our private-label relationships, a growing number of international partners, software translations into different languages, and the fact that it’s available in three editions for different segments of the market; from small to large companies.

Where do you see growth opportunities going forward?

No one truly knows what’s ahead, but all signs point to cloud software becoming the standard in the near future. We expect that most of the new and innovative business applications developed in the next 5 years will be cloud-based and that cloud applications will soon rival on-premise applications in performance and overall total cost of ownership.

Thankfully our ERP partners have risen to the challenge and provide us with competitive solutions available for traditional on-premise installations as well as new hosted cloud-based offerings. As for the products we develop, like Anytime Collect, we are equally committed to giving our customers and prospects options when it comes to deployment.

Regardless of where the market goes or the growth we see, we will not stop innovating and we will never lose our focus on why we’re in business – to help our customers to enable technology to effectively manage every aspect of their business so they have the insight they need to make critical decisions, to build better products, to provide better services, and to exceed their customer expectations in everything that they do.

What are some key trends you’re seeing among your customers and their uses of technology?

Cloud ERP continues to be a hot topic and it’s something our customers and prospects ask us about all the time. We work with a lot of manufacturers and they’re typically more hesitant to make the move to the cloud, but they’re getting curious and we’ve seen an increase in the number of customers who wind up going the cloud ERP route than in years past.

Tell us about some of the unique aspects and cool elements of e2b.

e2b teknologies is a company built around people and we don’t just say it, we mean it. We value every relationship both inside and outside of our office walls and strive to exceed customer expectations in all aspects of our business – sales, consulting, engineering, support, and finance. Perhaps that’s why so many of our teammates have worked together across two decades (or maybe it’s because the company comes together every Friday morning to cook and eat breakfast together!).  

We are very proud of our team but we are even more proud of the success we’ve shared with our customers as they’ve grown through their implementations to fully utilize their business systems to manage and grow their own businesses.

Longtime member, Pantek, Inc., was recently acquired by a group of seasoned tech entrepreneurs, including Michael Fischer, Tony Pietrocola, John Farrall, and Michael DeAloia. 

Pantek, a former OHTec Best of Tech Finalist, has gained a lot of traction recently and the new ownership sees solid potential for growth at the company. We spent some time at their offices recently to learn a little more about their plans.

OHTec: Congrats on the purchase, that’s very exciting. Can you give us a little more detail on the company:  year founded, core services, primary markets, etc.?

Pantek: Pantek was founded in 1995 to provide comprehensive IT services to companies who utilize Linux and other Open Source technologies. Pantek’s core services are consulting and support for Linux and open source technologies, managed services for open source systems, and hosting. Pantek has clients in all 50 states and in 35 countries around the world. In fact, our revenue from clients in Northeast Ohio is actually less than 5%.

OHTec: How did the investor group come together? What are your backgrounds?

Pantek: The investor group was formed 18 months ago because we had similar interests in terms of the type of business that we would like to purchase. Our backgrounds were heavy in the tech space and we all appreciated the scalability and stable revenue of the hosting business. We were also looking for a business that truly had a differentiated product/service offering which is hard to find these days.

Mike Fischer is the former CEO and owner of Thinsolutions which he founded in 1997. In 2012 Mike sold the 52 person Thinsolutions to Konica Minolta. Tony Pietrocola previously founded a digital marketing company called Tenth Floor; the Cleveland-based company was sold to Bridgeline Software in 2008. Tony is now running an online lending company in Strongsville called vLoan. Michael DeAloia writes a technology column for The Plain Dealer and Cleveland.com. He previously served as the city of Cleveland’s “tech czar,” a position that involved recruiting tech companies to the city. John Farrall is a partner at Cleveland Research Co., an equity research firm headquartered downtown.

OHTec: What were the top 2-3 areas that made Pantek so attractive for this acquisition?

Pantek: The Linux expertise that Pantek has developed over its 20 years in business has made it one of the premier Linux and Open Source support and hosting companies in the world. If one Googles “Linux tech support,” Pantek commonly only trails Linux.com itself in the organic rankings. 

The hosting market is commoditized and most small hosting companies are having to make a difficult shift from pure infrastructure hosting to more of a managed hosting/software consulting business model where there is a niche or some level of expertise that adds value to the hosting customers. Pantek is in a unique position as it was built first and foremost as a service and support company and therefore the company already understands and excels at consulting and supporting clients at a software support level. Lastly, the hosting infrastructure that is in place at Pantek is top notch and the hosting business can easily be expanded with minimal additional capital costs.

OHTec: Where do you see the top 2-3 opportunities for growth? What kind of growth are you forecasting for the company in the next couple of years?

Pantek:  

1. We are going to do a better job of capitalizing on some existing areas of expertise such as the excellent work we do with a couple of web platforms, namely Wordpress and Magento. We do consulting, development, and managed hosting for these products and we really haven’t been communicating this skill to the overall market. 

2. The investor group was formed with the idea that we would like to grow the business quickly through acquisition and that is still the plan. We are currently aggressively looking to acquire hosting and Managed Service companies and especially those that will offer our current clients a deeper set of products and services. 

3. The Pantek business has been developed to be a premier technical support and hosting business, but the company has an opportunity to grow through a deeper consulting relationship with each of its existing and future clients – we plan to become much more relationship oriented with respect to our clients.

Our current plan is to grow the business significantly within the next few years. This will be accomplished through acquisitions and by organic means of providing more value to our existing clients.

OHTec:  What are your visions for additional acquisitions and mergers to Pantek?

Pantek:  Our plans are to do at least one acquisition per year for the next 5 years. Our intention is to look for businesses that can help further cement the offerings we focus on, such as Linux, Magento and Wordpress, while we will also look to broaden the scope of how we can work with existing clients and prospects.

OHTec Bonus Question:  It’s the Summer of 2016 – who draws more viewers the Cavs winning the NBA Finals or the Republican National Convention?

Pantek: In Cleveland, all eyes will be on LeBron and the gang but nationwide the RNC will hold more total viewers. I would think by then the Republican field should be trimmed from the current list of 20 some hopefuls.  My money is the Cavs winning it all next year. As a long suffering Cleveland sports fan, I will be delighted to witness the championship drought coming to an end. Go CAVS!

Pantek has been innovative in the open source space for quite awhile. It’s exciting to see the company acquired by a local group; hopefully we’ll see more growth leading to additional acquisitions. Good luck!

When managing your network, developing an app or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant. As the Federal Trade Commission outlines in Protecting Personal Information: A Guide for Business, you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.

There’s another great source of information from the FTC about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements—no findings have been made by a court—and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps. Distilling the facts of those cases down to their essence, staff from the FTC’s East Central Region present in this article five lessons that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose. 

Lesson No. 1: Start with security

From personal data on employment applications to network files with customers’ credit card numbers, sensitive information pervades many companies. Experts agree that the first step in managing confidential information is to start with security. Factor it into the decisionmaking in every department of your business—personnel, sales, accounting, information technology, etc.  Collecting and maintaining information “just because” is no longer a sound business strategy.  By making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of a data compromise down the road. Of course, all of those decisions will depend on the nature of your business.  

Lesson No. 2: Control access to data sensibly

Once you’ve decided you have a legitimate business need to hold on to sensitive data, take reasonable steps to keep it secure. Not everyone on your staff needs unrestricted access to your network and the information stored on it. For your network, consider steps such as separate user accounts to limit access to the places where personal data is stored or to control who can use particular databases. For paper files, external drives, disks, etc., an access control could be as simple as a locked file cabinet. Administrative access, which allows a user to make system-wide changes to your system, should be limited to the employees tasked to do that job.

Lesson No. 3 Require secure passwords and authentication

If you have personal information stored on your network, strong authentication procedures— including sensible password “hygiene”—can help ensure that only authorized individuals can access the data.

Insist on complex and unique passwords

“Passwords” like 121212 or qwerty aren’t much better than no passwords at all. That’s why it’s wise to give some thought to the password standards you implement. For example, you can require employees to choose complex passwords and train them not to use the same or similar passwords for both business and personal accounts.

Store passwords securely

Don’t make it easy for interlopers to access passwords. Three of the FTC’s settlements in this area have alleged that:

• The company stored network user credentials in clear, readable text that helped a hacker access customer credit card information on the network;
• The business allowed customers to store user credentials in a vulnerable format in cookies on their computers; and
• A company failed to establish policies that prohibited employees from storing administrative passwords in plain text in personal email accounts.

In each of those cases, the risks could have been reduced if the companies had policies and procedures in place to store credentials securely. Businesses also may want to consider other protections—two-factor authentication, for example—that can help protect against password compromises.

Guard against brute force attacks

Remember that adage about an infinite number of monkeys at an infinite number of typewriters? Hackers use automated programs that perform a similar function. These brute force attacks work by typing endless combinations of characters until hackers luck into someone’s password.  Implementing a policy to suspend or disable accounts after repeated login attempts may help to eliminate the risk from brute force attacks.

Protect against authentication bypass

Locking the front door doesn’t offer much protection if the back door is left open. In one settlement, the FTC charged that a company failed to adequately test its web application for widely-known security flaws, including one called “predictable resource location.” As a result, a hacker could easily predict patterns and manipulate URLs to bypass the web app’s authentication screen and gain unauthorized access to the company’s databases. The company could have improved the security of its authentication mechanism by testing for common vulnerabilities.

Lesson No. 4: Store sensitive personal information securely and protect it during transmission

Use strong cryptography to secure confidential material during storage and through all phases of transmission. The method will depend on the types of information your business collects, how you collect it and how you process it. Given the nature of your business, some possibilities may include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption or an iterative cryptographic hash. Make sure the people you designate to do that job understand how your company uses sensitive data and have the know-how to determine what’s appropriate for each situation. Several companies have unnecessarily risked attacks that could have been prevented if the companies’ implementations of SSL had been properly configured.

When considering what technical standards to follow, keep in mind that experts may have already developed effective standards that can apply to your business, including widely-accepted encryption algorithms. Savvy companies don’t start from scratch when it isn’t necessary and could subject data to significant vulnerabilities if deviating from tried-and true industry-tested and accepted methods for securing data.

Lesson No. 5: Segment your network and monitor who’s trying to get in and out

When designing your network, consider using tools like firewalls to segment your network, thereby limiting access between computers on your network and between your computers and the internet. Another useful safeguard: intrusion detection and prevention tools to monitor your network for malicious activity.

The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. You can file a complaint online at www.ftc.gov/complaint or by telephone at 1-877-FTC-HELP (1-877-382-4357).