Apple Is Fixing Defects in iPhone X and MacBook Pro for Free

Some iPhone X smartphones and MacBook Pro laptops have defects that are impeding their use. Find out which models are affected and how you can get the defects fixed at no charge.

On November 8, 2018, Apple announced the creation of a program to replace a defective component in certain iPhone X smartphones. Apple found that a component in the display module has been failing in some of these phones, causing the following problems:

  • Part or all of the phone’s display does not respond when touched or it responds intermittently
  • The display sometimes reacts even though it was not touched

On the same day, Apple also announced the creation of a program to fix a defect in certain 13-inch MacBook Pro laptops. Apple found that the solid-state drives (SSDs) in some of these laptops are experiencing an issue that leads to data loss and drive failure.

If you have encountered these problems in your iPhone X or MacBook Pro device, you might want to look into these programs. Apple will fix the problem free of charge if your device is involved in one of the recalls.

The iPhone X Display Module Replacement Program

To find out whether your smartphone is part of the iPhone X display module replacement program, you need to have it examined by an authorized representative. Before having it checked, though, you should back up your phone to iTunes or iCloud.

You can take your phone to an Apple retail store or an Apple-authorized service provider for examination. Alternatively, you can mail it to the Apple Repair Center. You have up to three years from when you purchased your phone to have it examined for this defect. If you already replaced your display module because of this flaw, you can ask Apple for a refund.

The MacBook Pro SSD Service Program

The 13-inch MacBook Pro laptops involved in the MacBook Pro SSD service program have 128 gigabyte (GB) and 256 GB solid-state drives. These laptops do not have a Touch Bar and were sold between June 2017 and June 2018.

You can easily check to see whether your MacBook Pro laptop is part of the recall. Turn on your laptop and follow these steps:

  1. Click the Apple logo in the top left corner of the screen and select “About This Mac”.
  2. Check to see if your model is listed as “MacBook Pro (13-inch, 2017, Two Thunderbolt 3 ports)” on the “Overview” tab of the window that appears. If so, go to step 3. If a different model is listed, your laptop is not part of the recall.
  3. Obtain your laptop’s serial number, which will also be listed on the “Overview” tab.
  4. Go to the MacBook Pro SSD service program web page that Apple set up.
  5. Enter the serial number in the box provided.
  6. Click the “Submit” button.

If your laptop is part of the recall, Apple will fix the SSD problem by updating your drive firmware. You can have this update done at an Apple retail store or through an Apple-authorized service provider. Alternatively, you can mail your laptop to the Apple Repair Center. (If you already paid to have your drive firmware updated because of this issue, you can ask Apple for a refund.)

Before you get your laptop fixed, it is crucial that you back up all the data on it because the SSD will be erased during the repair process. When you get your laptop back, you will need to restore your data from that backup. If you need assistance performing the backup or restoring it, give us a call.


IoT Devices Might Not Look Like a Computer, But They Can Be Just as Dangerous

Installing an IoT-ready security camera or outfitting a crucial production system with IoT technology can put a business in harm’s way. Learn about the security risks that IoT devices can pose and how to mitigate those risks.

On October 9, 2018, security researchers at SEC Consult revealed that millions of security cameras and other video surveillance equipment could be easily hijacked by cybercriminals. And just a few days later, numerous PlayStation 4 (PS4) owners reported that their gaming consoles were crashing after receiving a malicious message on them.

These events might seem unrelated, but they are the result of a common problem: inadequate security in devices that connect to the web, which are referred to as Internet of Things (IoT) devices. These devices connect to the Internet so that they can transmit and receive data. In some cases, products have IoT technology built into them, like security cameras and gaming consoles. In other cases, IoT technology is added to existing equipment or systems. For instance, IoT devices can be added to production processes and heating and cooling systems.

Companies are increasingly using IoT devices to monitor and control various elements in their businesses. However, many of them do not realize they need to protect those devices from cyberattacks. That’s because people usually envision computers and smartphones, not security cameras or thermostats, when thinking about cybersecurity.

Businesses taking advantage of IoT devices need to know about the security risks they can pose and how to mitigate those risks.

The Risks

IoT devices often have security vulnerabilities that make them easy targets for hackers. For example, the devices might ship with default passwords that are easy to crack or the manufacturers might issue firmware updates that are easy to spoof.

Sometimes, devices have multiple security issues. This is what the SEC Consult researchers found when they investigated the video surveillance equipment manufactured by Hangzhou Xiongmai Technology. They discovered that the company’s IoT-ready video surveillance devices have several vulnerabilities, many of which are related to a feature called the XMEye P2P Cloud.

The XMEye feature enables device owners to view video feeds in a web browser or mobile app in real time. To take advantage of it, the owners have to create XMEye accounts. These accounts are riddled with problems, including:

  • All new accounts are admin accounts that have the default username of admin with no default password set. Device owners are not prompted to change the default username or add a password during the initial account setup process. Owners who do not change the username and add a password are leaving their accounts wide open to cyberattacks. Besides viewing video streams, hackers would be able to change the device’s configuration and issue firmware updates. Since Hangzhou Xiongmai Technology does not sign its firmware updates, cybercriminals could issue bogus updates that contain malware.
  • A second undocumented account exists. The account’s username is default and the password is tluafed (the word “default” spelled backward). Anyone logging in with this undocumented user account can view the device’s video streams.

These vulnerabilities are present in all the security cameras, digital video recorders, and network video recorders manufactured by Hangzhou Xiongmai Technology. However, the manufacturer’s name is not on any of the devices. Hangzhou Xiongmai Technology sells its devices to other companies, which put their logos on the equipment. Thus, people who have these IoT devices might not even realize they are at risk. (You can find a list of the 100+ brand names the devices are sold under on the SEC Consult researchers’ blog.)

Some manufacturers act responsibly and include security measures in their IoT devices. However, even these devices can be risky because of the actions (or inactions) of the device owners. For instance, IoT device owners might create weak account passwords or not install firmware updates. The PS4 incident provides a good example of the latter. Sony quickly released a firmware update to fix the bug that allowed the malicious message to crash the gaming console. However, users who do not have their consoles configured for automatic updates will still be at risk if they fail to manually install this update.

Help Is on the Way

Steps are being taken to address the fact that many IoT devices have security vulnerabilities. For instance, in September 2018, California became the first US state to pass an IoT security law. It mandates that IoT device manufacturers include reasonable security features that protect the devices and any data contained in them. The law goes into effect on January 1, 2020.

Similarly, in October 2018, the UK government published the finalized “Code of Practice” for IoT security. It contains 13 guidelines for IoT device manufacturers to follow to ensure that their devices are secure by design and compliant with the European Union’s General Data Protection Regulation (GDPR).

How to Protect IoT Devices in the Meantime

Although steps are being taken to encourage IoT device manufacturers to build more secure devices, many IoT devices have been and will continue to be built with no security features in place. If these devices are not secured properly, they can put a company at risk, especially when they are connected to the network that hosts the business’s critical data and applications.

As a result, companies need to secure their IoT devices, just like they secure the computers in their IT environments. A good place to start is to:

  • Change each IoT device’s default password to a unique, strong one.
  • Disable any features that are not being used in the IoT devices.
  • Place the IoT devices behind firewalls so that they do not connect directly to the Internet.
  • Isolate IoT devices from the business network.
  • Install patches or upgrades when the manufacturer provides them.
  • Use a virtual private network (VPN) if remote access to the IoT devices is required.
  • Include IoT devices in IT policies.

If your business is using any IoT devices, we can determine whether they are posing a risk to your business and help you develop a comprehensive strategy to protect them from cybercriminals.


5 Things to Try in Windows 10 after the October 2018 Update Is Installed

The Windows 10 October 2018 Update includes many new features and enhancements. Here are five notable ones that you might find useful.

Microsoft officially released another major update for Windows 10 on October 2, 2018. Like previous updates, the Windows 10 October 2018 Update includes many new features and enhancements. Here are five notable ones you might want to try once the update is installed on your computer:

  1. Souped-Up Clipboard

The October 2018 Update soups up the Windows Clipboard with new history and syncing features. Thanks to the history feature, you can now copy and store multiple items (text and images) on the Clipboard. When you want to paste one of those items, you simply press Win+V to open up the Clipboard’s history window and select the item you want to paste. (If you are unfamiliar with keyboard shortcuts, Win+V indicates that you press the Windows key and the letter v on your keyboard at the same time.)

With the syncing feature, you can copy text and images on one Windows 10 computer and paste them on another one. This can come in handy if you regularly use multiple devices, such as a Windows 10 desktop computer and a Windows 10 laptop computer.

Before you can take advantage of the history and syncing features, though, you need to enable them in Windows 10’s Settings app. You can find them by clicking “System” in the Settings app and selecting the “Clipboard” option.

  2. “Make text bigger” Slider

Before the October 2018 Update, you could make text bigger in Windows 10 by changing the overall scaling. This made everything bigger, including text and images. With the new “Make text bigger” slider introduced in the October 2018 Update, you can make just the text larger. The overall scaling remains the same. (You can still change the overall scaling, though, if desired.)

You can find the “Make text bigger” slider in the Settings app. After you open the app, select “Ease of Access” and click the “Display” option.

  3. Snip & Sketch App

The new Snip & Sketch app lets you capture and mark up screenshots. It combines the functionality found in Windows 10’s Snipping Tool and the Screen Sketch app (which was originally part of Windows Ink Workspace).

Snip & Sketch lets you take rectangular, freeform, and full-screen shots of items on your screen. Once created, you can use a stylus (on touch-enabled devices) or a mouse to annotate the screenshot. There are various markup tools, such as a pencil and a marker, which you can customize by changing their color and thickness.

Although Snip & Sketch was designed to replace the Snipping Tool, the Snipping Tool will still be present after the October 2018 Update is installed, according to Microsoft. In the future, though, the Snipping Tool will likely disappear from Windows 10.

  4. Your Phone App

After the October 2018 Update is installed, you will have an app named Your Phone on your Windows 10 computer. The app lets you link and sync a Google Android smartphone with your Windows 10 computer. When you do so, you can view and send Android text messages from your computer. You can also access your phone’s photos, which means you do not have to email photos to yourself to get them on your computer.

If this seems familiar, you are not having a case of déjà vu. Your Phone has been available in Microsoft’s App Store since August 2018. Plus, since the Fall Creators Update (which was released in October 2017), you have been able to link an Android phone or Apple iPhone to a Windows 10 computer in order to send web pages from your phone to your computer. This enables you to see the web pages on a larger screen without having to email yourself a link or manually search for the sites. You can continue to do this through the Your Phone app introduced in the October 2018 Update.

You can install the Your Phone app on an iPhone. However, sending web pages is pretty much all you can do at the present time. You cannot access photos or send text messages from your computer like you can with an Android phone. This might change in the future, though.

  5. Power Usage Tracking in Task Manager

You can now see how much power each app and process is consuming on your Windows 10 computer, thanks to the October 2018 Update. Two columns have been added to the “Processes” tab in Task Manager:

  • “Power Usage”, which conveys how much power each app and process is currently using
  • “Power Usage Trend”, which indicates how much power each app and process has used in the past two minutes

Task Manager does not give you an exact measurement but rather an indicator such as “Very Low” and “Low”. This information can be helpful when you want to get an idea of how much power your apps are consuming. Plus, the new power usage columns might flag when a cryptojacking script is siphoning a computer’s processing power. In this type of attack, cybercriminals steal computers’ processing power to mine cryptocurrencies.


IT Budgeting Trends in 2019

Research by Gartner, Harvey Nash/KPMG, Spiceworks, and Tech Pro Research provides several interesting insights into IT priorities and budgets in 2019. Find out whether companies are planning to increase or decrease their IT budgets and how they intend to spend their IT dollars.

Creating an IT budget would be easy for companies if they could travel into the future to see what was in store for their businesses and the economy in 2019. But since no one has invented a time machine that can whisk people into the future and back again, the next best thing is finding out what experts are predicting and what other companies are planning to do. Research by Gartner, Harvey Nash/KPMG, Spiceworks, and Tech Pro Research provides several interesting insights into companies’ IT budgets and priorities in 2019.

IT Spending on the Rise

Gartner is predicting that overall IT spending will increase by 3.2% in 2019 — a forecast that is reflected in other research findings. When Tech Pro Research surveyed more than 100 IT professionals, over half said that their organizations will be dedicating more funds to IT in 2019 compared to 2018. Similarly, about half of the 4,000 IT leaders participating in a study conducted by Harvey Nash/KPMG said they are expecting a budget increase in 2019.

A survey by Spiceworks, though, had different findings. About half of the 700+ respondents said that the IT spending at their companies will stay at the same level as the previous year. Only a third indicated that their IT budgets will increase in 2019.

How Companies Are Planning to Spend Their IT Dollars

Knowing the areas in which companies are planning to spend their IT dollars can be helpful when creating a budget. Both the Tech Pro Research and Spiceworks surveys asked respondents about their IT budgeting priorities in 2019.

Security is the top priority for the companies that participated in the Tech Pro Research study, as Table 1 shows. This is not surprising given that businesses are often the target of cyberattacks. IT training for employees is also high on the list. Companies are making this a priority because employees need to be retrained as IT technologies and work processes change. Plus, new employees will also need training.

Upgrading outdated IT infrastructure is the No. 1 priority for the businesses represented in the Spiceworks survey. When looking at the various components in IT infrastructures, such as hardware and software, the study revealed that businesses will spend the most on hardware purchases. The biggest chunk of their hardware budgets will go toward buying desktop and laptop computers.

Table 1. Top Priorities in 2019 IT Budgets

| Survey (percentage of respondents indicating it is a priority*) | No. 1 Priority | No. 2 Priority | No. 3 Priority |
| --- | --- | --- | --- |
| Tech Pro Research | Security (63%) | Cloud services (48%) | IT training for employees (44%) |
| Spiceworks | Upgrade outdated IT infrastructure (64%) | Security (56%) | IT projects (56%) |

* Respondents could select multiple priorities

Are Your Employees a Security Liability or a Security Asset?

While many companies realize they should provide IT security training, they often do not know where to begin. If your business is one of them, here are some suggestions to get you started.

The actions of careless and uninformed employees are a leading cause of serious IT security breaches, second only to malware attacks, according to a study by Kaspersky Lab and B2B International. Even when a security incident is caused by malware, employees’ actions are often a contributing factor.

These study findings point to the need for IT security training. This training can mean the difference between employees being a security liability or a security asset. While many businesses know they should be training their employees, they often do not know how often to provide the training, what to cover, and how to make it effective.

How Often

When it comes to IT security training, taking a “one and done” approach is not advisable. Instead, companies need to provide ongoing training because cybercriminals are constantly changing their tactics and devising new cyberthreats. The organization that oversees the United States’ Health Insurance Portability and Accountability Act (HIPAA) recommends monthly security updates in addition to bi-annual training. Yet, only a quarter of employees receive cybersecurity training at least once a month, according to a Finn Partners survey.

Although there are expenses associated with providing ongoing training, the costs incurred from a serious IT security incident would be much higher. In 2017 alone, phishing and business email compromise (BEC) scams set US companies back $705 million.

What to Include

Your training program should be tailored to meet your company’s needs. It should cover the specific types of IT security risks that your employees might face on the job. The program also needs to address the security requirements employees are expected to meet. This is particularly important if your business must comply with any industry or government regulations such as HIPAA or the European Union’s General Data Protection Regulation (GDPR).

Topics commonly covered in IT security training include:

  • The need for strong, unique passwords and how to create them
  • The different types of malware (e.g., ransomware, spyware) and how they are spread
  • Email security, including how to spot phishing emails and BEC scams
  • What employees should do if they receive a suspicious email or encounter another type of IT security problem
  • How to safely use the Internet
  • Social engineering threats
  • How to use mobile devices securely
  • Physical IT security measures being used
  • Your company’s IT security policies

All employees — including managers and executives — should receive basic security training. Some employees might need additional instruction that is specific to their particular jobs.

How to Make the Training More Effective

The IT security training will be pointless if your employees do not remember any of it. Fortunately, there are several ways to help make your IT security training more memorable and effective. For starters, you should hold short training sessions rather than marathon meetings. Bombarding employees with information for many hours will result in information overload, which means they will likely forget most of it. Providing ongoing training in small chunks is a more effective way to get employees to retain information. Plus, it will be easier for them to fit shorter training sessions into their work schedules.

Including hands-on activities in the training sessions will also help employees remember the information presented. For example, in addition to discussing how to spot phishing scams, you could place the employees into small groups, give them copies of emails, and have them pick out the ones they think are phishing scams.

Another way to increase the effectiveness of your training is to make the information relevant to employees on a personal level. For example, a good way to get employees interested in how to use company-owned mobile devices securely is to start by discussing how they can protect their personal smartphones (e.g., only use hotspots known to be safe and reliable). Once they learn good security habits in their personal lives, they will be more likely to practice them at work.

Finally, after employees have completed their training on a particular topic, you might consider testing what they have learned. For instance, after covering how to spot phishing emails, you could send out a fake phishing email with a suspicious link. If clicked, the link could lead to a safe web page that states the phishing email was an IT security training exercise. This type of testing can reinforce what employees have learned. It can also help determine the effectiveness of the training.

It is important to follow up with employees after the test, especially with the individuals who clicked the suspicious link. However, you should never embarrass or scold these employees during this discussion. Instead, you should offer them additional training and resources.

Your Employees Are an Important Part of Your Line of Defense

Educating employees about IT security is important. With training, they can bolster your line of defense against cyberattacks rather than be a weak link in it. To make this happen, you need to develop an effective IT training program that will teach your employees what they need to know to help keep your business secure. If you are uncertain of what to include, contact us. We can suggest topics based on your business’s IT environment.


1 Out of Every 101 Emails Is Sent by a Hacker

Does your business receive hundreds of emails each day? If so, there is a good chance some of them have been sent by hackers. Find out how to protect your business from malicious emails.

Most businesses receive hundreds of emails each day — and there is a good chance some of them have been sent by hackers. After analyzing more than 500 million emails sent in the first half of 2018, FireEye researchers found that 1 out of every 101 emails sent is malicious. Spam is not included in this count. It includes only those emails sent by cybercriminals with the express purpose of pilfering money, stealing data, or compromising systems.

The vast majority (90%) of the malicious emails do not contain any malware, but they are far from being benign. They can be just as dangerous as those containing malware.

Hackers Are Using Both Old and New Tricks in Malware-Less Emails

Not surprisingly, around 80% of the malware-less emails were phishing attacks. In this type of attack, cybercriminals try to trick recipients into performing an action, such as clicking a link that leads to a malicious website. Phishing emails are generic so that they can be sent to a large number of targets, which is why the researchers found so many of them.

The remaining 20% of the malware-less emails were impersonation scams. These highly personalized emails try to con recipients into transferring money or revealing sensitive information. Cybercriminals spend a lot of time researching their targets in order to create legitimate-looking emails. Because these emails appear to be normal traffic, it is harder for email security solutions to detect them.

One of the cybercriminals’ favorite types of impersonation email is the business email compromise (BEC) scam. In this type of attack, cybercriminals masquerade as executives, supplier representatives, and other business professionals to con companies out of money. In 2017, hackers stole more than $675 million from US businesses using BEC scams.

While the researchers found that hackers were still using old favorites like the BEC scam, they also discovered a new type of impersonation scam: impersonation emails that led to phishing sites, where login credentials were harvested or malware was uploaded to victims’ computers. By including phishing links, hackers can send out vaguer emails to a larger number of targets. Because these emails still include some personalization, the recipients are more likely to think the emails are from trusted sources and click the link compared to generic phishing attacks. As a result, the email open rate for this new type of impersonation email is similar to that for highly personalized impersonation emails, according to the researchers.

Common Ways in Which Hackers Try to Deceive Recipients

In both the new and old types of impersonation emails, the cybercriminals typically manipulate the entry in the “From” field to trick recipients into believing the messages are from legitimate senders. The techniques include:

  • Spoofing the display name of an email address (e.g., Jane Doe)
  • Spoofing the username (the portion before the @ sign) of an email address (e.g., JaneDoe@)
  • Creating and using a domain (the portion after the @ sign) that is similar to a legitimate one (e.g., @paypa1.com, @secure-paypal.com)
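
The three "From" field tricks listed above can be checked mechanically on inbound mail. The following is an added example, not part of the original article or any vendor's product: the trusted domains, the protected sender, the finding labels and the sample headers are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumptions for this example: domains the business really corresponds with,
# and people whose names attackers are likely to impersonate.
TRUSTED_DOMAINS = {"example.com", "paypal.com"}
PROTECTED_SENDERS = {"Jane Doe": "jane.doe@example.com"}

# Digits commonly swapped for letters in lookalike domains: 1->l, 0->o, 3->e, 5->s
_HOMOGLYPHS = str.maketrans("1035", "loes")


def _squash(text):
    """Lowercase and keep only letters and digits, so 'Jane.Doe' == 'janedoe'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Naive 'last two labels' rule; production code should use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_lookalike(domain):
    """True if an untrusted domain imitates a trusted one."""
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return False
    tokens = re.split(r"[-.]", reg)[:-1]          # labels and hyphen parts, minus the TLD
    for trusted in TRUSTED_DOMAINS:
        if reg.translate(_HOMOGLYPHS) == trusted:  # paypa1.com -> paypal.com
            return True
        if edit_distance(reg, trusted) <= 1:       # one typo away from the real domain
            return True
        if trusted.split(".")[0] in tokens:        # secure-paypal.com embeds the brand
            return True
    return False


def check_from(header):
    """Return a list of findings for one raw From header value."""
    display, addr = parseaddr(header)
    local, _, domain = addr.rpartition("@")
    trusted = registrable(domain) in TRUSTED_DOMAINS
    findings = []
    for name, real_addr in PROTECTED_SENDERS.items():
        real_local = real_addr.split("@")[0]
        # Known person's display name on an address that is not theirs.
        if _squash(display) == _squash(name) and addr.lower() != real_addr:
            findings.append("display-name-spoof")
        # Known person's username on a domain the business does not use.
        if _squash(local) == _squash(real_local) and not trusted:
            findings.append("username-spoof")
    if is_lookalike(domain):
        findings.append("lookalike-domain")
    return findings


# Constructed sample headers, one per technique plus a legitimate sender.
SAMPLES = [
    '"Jane Doe" <jane.doe@example.com>',
    '"Jane Doe" <jd8841@mailbox.test>',
    "JaneDoe@corp-mail.test",
    "PayPal Service <service@paypa1.com>",
    "billing@secure-paypal.com",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw:45} {check_from(raw) or 'ok'}")
```

The edit-distance rule produces false positives when trusted domains are very short, so findings are better used to tag or quarantine a message for review than to drop it silently.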

How to Protect Your Business from Malicious Emails

To protect your business from impersonation and phishing attacks as well as emails containing malware, you can use the stop, educate, and mitigate strategy:

Stop as many malicious emails as you can from reaching employees. To do so, you need to keep your company’s email filtering and anti-malware tools up-to-date. They can capture many phishing and malware-laden emails. You might even want to explore getting an email security solution that uses advanced technologies to catch malicious emails. In addition, make sure that employees’ email addresses and other potentially sensitive information (e.g., job titles) are not publicly available.

Educate employees so they can spot any malicious emails that reach their inboxes. While email filters often snag phishing attacks, they are not as good at stopping impersonation emails. Plus, most anti-malware software is only effective against known malware strains. Thus, it is important to educate employees about the types of malicious emails they might encounter and how to spot them (e.g., check for spoofed names in an email’s “From” field). As part of this training, be sure to inform them about the risks associated with clicking email links and opening email attachments. Plus, let them know how hackers find the information they need to personalize impersonation emails (e.g., social engineering).

Mitigate the effects of successful email attacks. Cybercriminals keep coming up with new ways to pilfer money, steal data, and compromise systems using email, so your company might fall victim to an attack despite everyone’s best efforts to prevent it. Taking a few preemptive measures might help mitigate the effects of a successful email attack. For example, since obtaining login credentials is the goal of many phishing emails, you should make sure each business account has a unique, strong password. That way, if a phishing scam provides hackers with the password for one account, they won’t be able to access any other accounts with it. Equally important, you need to perform backups regularly and make sure they can be restored. This will enable you to get your data back if an employee inadvertently initiates a ransomware attack by clicking a link in an impersonation email.

The Individual Steps

The individual steps for implementing the stop, educate, and mitigate strategy will vary depending on your business’s needs. We can help you develop and implement a comprehensive plan to defend against malicious emails.


Three Ways You Can Kick the Cost of Downtime to the Curb

Wouldn’t it be nice if you could spend your time running your business instead of worrying about unplanned IT outages? Well, get ready to tackle your to-do list, because here are three preventative steps you can take so you don’t have to spend your workday messing around with IT issues.


Petya Ransomware Affecting Critical Systems Globally: Here’s What to Do

A major global cyber attack is under way. This new rapidly spreading cyber extortion campaign is capitalizing on the assumption that businesses have failed to secure their networks from increasingly aggressive hackers. For more information we have included a link below to a blog which gives some detailed information on this new threat.

https://www.wordfence.com/blog/2017/06/petya-ransomware/?utm_source=list&utm_medium=email&utm_campaign=062717-2

Copy and paste the link in your browser's address bar.

Because even the best efforts to prevent infection are occasionally thwarted, it is imperative that one have backups of data. Best business practice is to have a local backup as well as a cloud backup. If a local area network gets infected the chances are the local backup will also be affected. Having a cloud backup can save the day!

Another best business practice is to have a secondary domain controller in the cloud. Having this will save many hours and even days of downtime if your server needs to be restored.

Both the cloud backup and the backup domain controller are inexpensive precautions. PowerOne can help answer any questions on either or both options and even get you set up today.


The Pros and Cons of Moving Your Email Services to the Cloud

Email is an essential communication tool for most businesses. While email services have traditionally been provided on-premises, an increasing number of companies are moving their email services to the cloud. Almost 60 percent of businesses worldwide now use either Microsoft Office 365 or Google G Suite, according to the Bitglass 2016 Cloud Adoption Report. Office 365 is deployed in 34.8 percent of organizations, while G Suite is used by 24.5 percent.

A key motivator for making the move, especially for small and midsize businesses, is reducing costs. However, if you are considering moving your business's email services to Office 365, G Suite, or another service provider, you should weigh all the pros and cons.

The Advantages

Between 2015 and 2016, Office 365 and G Suite usage rose 11 percent, according to the Bitglass 2016 Cloud Adoption Report. This increase is largely due to the advantages that online email services offer, including:

  • A secure email environment: Storing data in the cloud is a relatively secure practice, according to experts. Plus, cloud computing has matured to the point where there are now standards (e.g., ISO/IEC 27018) that service providers can follow to prove they are properly handling data in a secure manner.
  • Reduced capital expenditures and human resource costs: When companies use online email services, they do not need to purchase servers or software licenses. Plus, they do not have to pay staff to manage and maintain the email environment.
  • High reliability and availability: Most cloud-based email service providers have redundant systems to ensure their email services are highly reliable and available. For instance, both Office 365 and G Suite guarantee 99.9 percent uptime.
  • Built-in backups and archiving: Businesses that use online email services do not have to worry about backing up and archiving emails. The service providers automatically take care of these tasks. Plus, the backup files are stored off-site, which is an important aspect of any disaster recovery plan.
  • Effortless scalability: With cloud-based email services, companies only have to pay for the email services they currently need. If their business grows, they simply need to contact their service provider to scale up their email services.

The Disadvantages

While using cloud-based email services has many advantages, it is not without some drawbacks, such as:

  • Data not managed and maintained by employees: When businesses host their own email services, they get to select the employees responsible for managing and maintaining the email environment. With online email services, the provider takes on these responsibilities and businesses have no control over who is working with their data.
  • No Internet, no email service: With cloud-based email services, no Internet service means employees cannot send or receive emails internally or externally. In contrast, with an on-premises email server, users can still send and receive emails internally (i.e., within the company's local area network) when the Internet goes down. External emails still cannot be sent or received, though.
  • Some loss of control: When businesses use online email services, they lose control over some aspects of their email environment. For instance, they have no control over where their data is being stored and when software upgrades are applied.
  • Fees add up: Over time, the subscription fees for online email services add up. On top of the basic fee, service providers often charge additional fees to perform administrative tasks, such as adding or removing mailboxes.

You Should Weigh the Pros and Cons

Whether moving your email services to the cloud makes sense for your business will depend on many factors, including the number of employees, types of emails sent and received (e.g., whether they often contain sensitive data), and your IT environment. PowerOne can help you weigh the pros and cons based on your business's needs.


5 IT Security Mistakes That Businesses Often Make

Computing technologies are constantly changing and extremely complex. Securing IT systems in this environment is challenging, especially for small and midsize businesses. They often do not have the time or resources to keep up with technological changes, the latest security threats, and the best ways to mitigate those threats. As a result, they often slip up when it comes to IT security.

Here are five IT security mistakes that small and midsize businesses often make and how to avoid them:

1. Not Using Anti-Malware Software

With 600 million malicious programs in existence, not having anti-malware software installed on all the computers in a business is extremely risky. Anti-malware software is designed to stop malicious code from running on computers, providing an important line of defense against cyberattacks. While it won't stop zero-day malware attacks (i.e., attacks involving brand new malicious programs), it will stop previously identified malware. Hackers like to use existing malware because it saves them time. Plus, they already know it's effective on unprotected machines.

Not all anti-malware applications are created equal, though. You should use one that detects different types of malware, including ransomware, spyware, and viruses. You also need to make sure that the anti-malware software is being updated regularly. Computers with missing anti-malware software updates are vulnerable to cyberattacks.

2. Having Bad Password Habits

Employees often have bad password habits, such as using weak passwords like "12345678", "qwertyuiop", and "starwars". Cybercriminals can easily hack weak passwords using brute-force password-cracking tools. Employees also commonly use the same password (or variations of it) for several accounts. Hackers know that people reuse passwords, so once they obtain a password for one account, they will try it for other accounts.

In addition to using weak passwords for employee and service accounts, businesses often use the default passwords that network devices (e.g., routers, appliances) ship with. This is a dangerous practice, as hackers are familiar with these default passwords.

Educating everyone on how to create unique, strong passwords is one way to combat the password problem. However, due to the sheer number of passwords people need to remember, they might resort to their old habits or even start writing down passwords. For this reason, you might consider using a password manager designed for businesses. Another measure you can take is using two-step verification for accounts when possible.

3. Leaving Software and Firmware Unpatched

Security vulnerabilities are often discovered in software and firmware. In response, vendors typically release updates that fix the flaws. If the patches are not installed, cybercriminals can exploit the vulnerabilities to gain access to the software and firmware. Using that access, hackers can install malware or perform other malicious acts.

To avoid this situation, it is important to install all the security patches that have been released for the software and firmware used by your business. This might seem like a tall order, but the consequences of not doing so are too serious to ignore.

Besides installing patches, you need to make sure that all your applications are still supported by their vendors. Like any product, software programs have lifecycles. When an application reaches the end of its lifecycle, the vendor will no longer issue any type of updates for it, including patches that fix newly discovered security vulnerabilities. Many cybercriminals keep track of when vendors stop supporting popular applications. Once the support has ended, they launch new cyberattacks that target those applications.

4. Neglecting to Secure Mobile Devices

Using mobile devices for work has advantages, regardless of whether those devices are company-provided or personal. Employees can access business emails, data, and applications at any time from almost anywhere. The flexibility and convenience often improve employee productivity.

However, mobile devices that are not properly secured can put businesses at risk. In 2016, the number of malware attacks against mobile devices rose sharply, and security researchers expect the number to continue to rise in 2017. Even worse, these devices are increasingly being used as entry points into businesses' networks. Security experts predict that one in five employees will cause network breaches in 2017. Unknowingly, these employees will either upload malware from their mobile devices to their companies' networks or expose network credentials when they log in from malicious Wi-Fi hotspots.

To prevent these types of problems, you need to make sure that your business has a comprehensive plan to secure your mobile devices. What it should cover depends on whether your employees use company-provided mobile devices, their own personal devices, or both.

5. Ignoring the Human Element in IT Security

Hackers take advantage of the fact that many companies ignore the human element in IT security. By tricking employees into divulging sensitive data, clicking dangerous links, and opening malicious attachments, cybercriminals can get past security systems and perform malicious acts. Untrained employees and phishing attacks are the top two causes of data leaks in companies, according to a 2016 report on IT security risks.

Your employees, however, do not have to be a weak spot. They can provide a formidable line of defense against cybercrime if you educate them about common security threats and teach them some basic skills, such as how to spot spear phishing emails.

Unfortunately, no amount of training will help combat insider attacks, which account for 7 percent of data leaks in companies. An effective way to address insider threats is to follow the principle of least privilege — that is, limiting employees' access to the minimal level that will allow them to perform their job duties. Using access control tools is also effective.

The Next Step

Knowing about the common security mistakes made by small and midsize businesses is the first step in avoiding them. The next step is to start taking measures to prevent them. You might have some of them in place already, such as having anti-malware software installed. We can help you with the rest so that your IT systems stay secure.