Cyber Security Challenge Level 4: Always enable multi-factor authentication

Welcome to the Level Up Your Cyber Security in October program, courtesy of Integrity First Corporation. 

We’re on level four, the final week, which is enabling multi-factor authentication, or you might know it as two factor authentication. 

In computer security, an authentication factor is anything you use to prove your identity to a system. A password is the most common authentication factor. With multi-factor authentication (MFA), or two-factor authentication (2FA), you use two or more different factors to log in. 

One example is a password and a verification code sent to your smartphone. This is something that’s really common whenever you sign into banks. This is an extra layer of security. So even if one of your factors is stolen, like your password, the hacker doesn’t have access to the other authentication factor like your phone. 

This stops them from accessing your account. As more and more organizations implement multi-factor authentication to strengthen their security practices, you might encounter different types of authentication factors. 

There are three types of factor you might be asked to provide: something you know, such as passwords and security questions; something you have, such as a verification code on your phone or a key card; and something you are, such as biometrics like your fingerprint or a scan of your face. The more factors you use, the better your security. 

Having a combination of authentication factors is an even better way to keep your data protected. 

If you have any questions about any of these levels, please contact Integrity First Corporation for help.

Cyber Security Challenge Level 2: Passwords – Long, Unique and Complex

Welcome to Integrity First Corporation's Cyber Security in October program. In week two, we are going to discuss using strong passwords and perhaps a password manager. 

To create a strong password, there are a few tips and tricks to remember. The reason you want a strong password is that it helps keep your data secure. In fact, according to IDtheftcenter.org, studies have found that a password's guessability by hacking software decreases exponentially with every additional character. 

Creating something that’s easy to remember, but hard to guess is key to a successful password. 

Perhaps you’ll want to incorporate a favorite song, a favorite quote, your favorite sports player into a password and it becomes more complex and difficult to guess. You’ll want to make sure that it’s at least 12 characters long, has uppercase and lowercase letters in it, has at least two numbers, and it has at least one symbol in it. 

One thing that I commonly suggest is use the lyrics to one of your favorite songs like flymetothemoon!12 or something along those lines. You want to make sure that it’s something that might be a little bit more difficult for someone to perhaps put in, guess, or even have machine learning guess. 

The other thing is, you’ll want to have a unique password for each account. 

The average American has over 90 passwords. So one thing that you’ll want to do or look into is a password manager app that can help you remember your passwords. A password manager is basically a secure vault for all of your passwords. Basically like a glorified post-it note that sticks on your computer, but a lot more secure. 

You only have to remember the one password to get into your Password Manager app, which will allow you and your computer to access the rest of your passwords for all of your logins. 

Typically, depending upon the application that you purchase, you can access these passwords on your phone, tablet, laptop or desktop. This also means you can and should create different passwords for every single online account that you have. This should keep you ahead of any hackers.

Let INF know if you have any questions and join us next week for Level Three.

Cyber Security Challenge Level 1: How To Spot A Phishing Email

Welcome to Integrity First Corporation's Cyber Security in October program. In week one, we're going to talk about recognizing and reporting phishing. 

A few quick facts: cybercriminals sent over 3.3 billion phishing emails last year. This caused over 4000 data breaches, which exposed over 22 billion personal records. 

But it’s not enough to know that phishing emails are out there. You also need to be able to recognize them and report them. 

So today, we’re just going to quickly review a few of the highly used phishing email types and tactics. 

The first type is a reward or a free gift message. Free things are really enticing, but they can also be dangerous. If you get an email saying you won a free TV or click here to enter a prize drawing, you need to be on high alert. Hackers are definitely trying to bait you into clicking a malicious link. 

The second type is a login or password message. Another type of phishing email will ask you to verify your account by logging into a fake web page or updating your credentials on this fake web page. These emails will collect your username and password which gives a hacker instant access to your account. 

A third phishing email type is an urgent message. An urgent message email is designed to get you to act fast. It might tell you that your account was hacked or it’ll be deactivated; click here to restore it. Fear makes people do things without thinking, so slow down and make sure that this urgent message is from who you think it’s from. 

The final type of common message is the internal message. This type of phishing is also called spoofing. Hackers will try to impersonate or spoof people at your company, like your HR rep, somebody in your IT department, or maybe even a co-worker. An internal phishing email might ask you to click on a link to read and sign a policy, read a new document about company-wide updates, or even hand over sensitive information via purchase. 

If you think you've encountered a phishing email, you need to follow your company's procedures for reporting it. Once the right people are notified, they can help you determine whether it's a phishing email. Whatever you do, do not click on the links, don't reply to the email, and don't forward it to anyone else.

We’ll see you next week for Level Two.

Have You Taken The Steps To Purchase A Stand Alone Cyber Policy?


Over the last couple of years, I’ve been telling clients and prospective clients alike that now is the time to buy a stand alone cyber policy.  If you haven’t taken the steps to purchase a policy, there couldn’t be a better time than right now.  

Claims are increasing: Ransomware, malware, phishing schemes and fraudulent funds transfer just to name a few of the claims issues that seem to be an everyday occurrence.  Because of the increasing claims, obtaining a standalone cyber policy is getting a little more difficult.  

Carriers are beginning to get a little more selective on who and what industry they want to insure. Policy terms and conditions are beginning to get a little stricter and some carriers are even beginning to exit the marketplace and not offer coverage at all.  

Just a few months ago, one of the larger carriers that write cyber insurance did exit the market and no longer writes the coverage.  Worse yet, one of the ugly consequences of all this, is that the pricing on cyber coverage has started to increase and let’s not forget that ugly word inflation that also is playing a part!

If you haven’t purchased a cyber insurance policy yet, do it now or at least apply for coverage so you can review the offer and make an informed decision.  Keep delaying the process or decision and you may find yourself unable to secure coverage at all and the market has made the decision for you. 

Have any questions about the topic discussed in this article? Contact us today! 412-563-2106.

Hackers Have Now Exposed Over 8 Billion Username and Password Combinations – Were Your Credentials Among Them?


The week of June 7th may have seen the biggest release of hacked data ever published to the dark web.  Hackers publicly released over 8 billion username and password combinations!

A 100GB list of data assumed to be stolen during various hacks was posted to a popular hacker forum.  This is now being referred to as the “RockYou2020” list.

Want To Check To See If You Were A Part Of This?

Check here to see if your data was part of this dump: https://cybernews.com/personal-data-leak-check/

To use this tool, all you must do is enter your email or phone number.  The tool can safely access the hacked username and password combinations on the dark web.  It will let you know if your data is found.

What To Do If Your Data Was A Part Of The Released Data

If the tool tells you that your data was compromised, you should start mitigation steps immediately.  Go to every account that uses the exposed username/password and change the password.  Be sure to use different passwords for each account that are considered to be “strong”.

Want to know what makes a strong password?  A rule of thumb is to create a password that has the following 6 characteristics:

  1. More than 12 characters
  2. Contains at least 1 uppercase character
  3. Contains at least 1 lowercase character
  4. Contains at least 1 number
  5. Contains at least 1 symbol
  6. Contains no “real” words that could be guessed via a dictionary attack (where they go through a list of words from the dictionary and try to guess your password)

In addition, you’ll want to be sure to look for any unexpected activity within the account.  Make sure that all of your personal information is correct and that no money has been transferred unexpectedly.

If given the option, turn on the "Two-Factor Authentication" (or "2FA") option associated with the account.  This will require you to enter a code from your cell phone or email to authenticate who you are.  2FA protects your accounts from hacker dumps like this, because a leaked password alone is no longer enough to log in.

Yes, this is a pain.  However, it’s better to have your personal and financial data protected. 

How To Protect Your Data Easily Using Password Managers

There are ways to make tasks associated with passwords easier.  According to a study by NordPass, the average person has 100+ online passwords.  Who can remember that many passwords?

INF recommends using a password manager like KeePass or 1Password.  A password manager will help you create and remember well-formed passwords for all of your accounts.  In fact, you can copy and paste from these managers, so you don’t have to type anything going forward.

These password managers can also be installed on your phone.  This makes browsing the web a breeze when you need to access your passwords.

Is There Anything That You Can Do To Protect Your Business Further?

Yes, you can protect your business with a cyber liability policy.  These policies help protect you from the threat of hackers, data dumps, stolen passwords, ransomware attacks and more. 

It takes less than 5 minutes to fill out the application for this insurance.  Contact INF to get started at 412.563.2106.

Does my Legal Malpractice Insurance Cover my Cyber Exposures?

Does my professional liability insurance policy Cover me for cyber risk?

The short answer is, sometimes. This is a great question. There are some policies out on the marketplace that do advertise that they cover both professional liability insurance and cyber. But if you’re really serious about covering yourself in the event of a cyber breach, you need to look into what is called a standalone policy, not any kind of combo cyber professional liability policy.

If you do look into that type of coverage, you’ll notice a few things. One, the cyber coverage is usually ancillary to the primary coverage of professional liability insurance and the limits that are available for the cyber are usually very, very small, somewhere between $15,000 and $25,000. Last year the average cost of a cyber breach for a small to mid sized firm was about $250,000. The other important note is that 50% of those that did have the breach, were out of business within six months of the breach.

Contact us at Integrity First Corporation with any questions you may have regarding cyber liability insurance.

What is Privacy Regulatory Claims Coverage and Why is it Important?

What is privacy regulatory claims coverage in a cyber liability policy?

Wow. That’s a mouthful.

The regulatory coverage in a cyber liability policy pays for and protects you against the fines and sanctions that may be levied against you by state, local and federal governments for not properly securing the data that you're responsible for.

Don’t get caught, make sure this coverage is in your cyber liability policy.

‘Tis the Season for Cyber Security


As the holiday season draws near, so do cyber criminals.  With more and more people shopping online, the number of potential cyber breach victims increases every day.  In fact, Adobe is predicting that Black Friday 2017 will see the highest sales ever on record.

So, without completely withdrawing from the online world, how can you protect yourself and your business online?  Try applying the following tips:

Make sure that you are on the website that you think that you are on

One of the most common ways to scam your username and password or credit card information from you is to send you to a fake website that looks very similar to the website that you are expecting.  An example of this is paypal.com versus paypa1.com.  Note that the only difference is that the first one ends in a lowercase "L" and the second one ends in the digit "1".

To get you to these fake sites, scammers will send you an email that directs you with a bogus link.  One way to see where the link is taking you is to hover over it with your mouse.  The website address will popup.  If the link is bad, block the email sender and move the email to your “SPAM” folder to prevent receiving emails from that person in the future.

One way to confirm that you are visiting the website that you want is for you to type the website into the address bar.  This way, you know that you are not following any false links and you arrive at the correct website.

Don’t fall for holiday phishing schemes

On Black Friday 2017, retailers sent over 3 BILLION emails to consumers, advertising their best deals and sales.  This day was also filled with scammers sending out tons of emails, pretending to be a retailer.  They were taking advantage of the fact that consumers were expecting to receive these emails and may not have questioned them as much.  This is known as phishing and its main purpose is to collect as much personal information about you as possible.

Commonly, phishing emails will try to direct you to a login page or a payment page.  They want to get your information as quickly as possible without you questioning the validity of the site.

A few ways to identify phishing schemes:

  • The “From” field display name is a store or bank.  However, when you click into it to reveal the full email address, it’s an address not related to that entity.
  • The email has graphics that look “off” or “fuzzy”.  Sometimes, to make the fake email look more legitimate, a scammer will copy the graphics from a store or bank from their website, which are not a high resolution.  As a result, when they are placed into an email, they look wrong.
  • When you hover over the link that the email wants you to visit, it is not pointing to the website that it claims to be sending you to.
  • Check for spelling mistakes and bad grammar.  Legitimate companies are sticklers when it comes to spelling and grammar.  If the email sounds poorly written, there is a good chance that the email is not legitimate.
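The three checks above that a machine can do for you (display name versus real sender domain, link text versus actual link target, and look-alike hosts such as paypa1.com for paypal.com) can be run over a message before anyone clicks. The following is an added example written for this page, not code from INF; the email is a constructed sample, and the list of domains the organisation expects mail from is an assumption you would replace with your own.

```python
"""Flag common phishing indicators in a raw email (constructed example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the brand domains this organisation legitimately deals with.
KNOWN_DOMAINS = {"paypal.com", "examplebank.com"}
# Digit/letter swaps used in look-alike hosts, e.g. paypa1.com for paypal.com.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' extraction; fine for .com-style hosts."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(domain):
    """Known domain this one imitates once confusable characters are undone, else None."""
    if domain in KNOWN_DOMAINS:
        return None
    folded = domain.translate(CONFUSABLES)
    return folded if folded in KNOWN_DOMAINS else None


def _domain_in_text(text):
    """If the visible link text looks like a URL or host, return its registrable domain."""
    if "." not in text or " " in text:
        return None
    host = urlparse(text if "://" in text else "//" + text).hostname or ""
    return registrable(host) if host else None


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims a known brand, but the address is on another domain.
    name, addr = parseaddr(str(msg["From"]))
    from_dom = registrable(addr.split("@")[-1])
    brands = {k.split(".")[0] for k in KNOWN_DOMAINS}
    if name and any(b in name.lower() for b in brands) and from_dom not in KNOWN_DOMAINS:
        findings.append(f"display name '{name}' but sender domain {from_dom}")

    # 2./3. Each link: visible text vs. real target, and look-alike hosts.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_dom = registrable(urlparse(href).hostname or "")
            text_dom = _domain_in_text(text)
            if text_dom and text_dom != href_dom:
                findings.append(f"link text shows {text_dom} but points to {href_dom}")
            imitated = lookalike_of(href_dom)
            if imitated:
                findings.append(f"link host {href_dom} looks like {imitated}")
    return findings


# Constructed sample message exhibiting all three indicators.
SAMPLE = """\
From: PayPal Service <alerts@mail-secure-login.net>
To: customer@example.com
Subject: Your account will be deactivated
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://www.paypa1.com/restore">Click here</a> to restore access,
or visit <a href="https://login.examp1ebank.com/">https://www.examplebank.com/</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

The checks are deliberately simple string comparisons so they are easy to audit; a production mail filter would add a proper public-suffix list and Unicode confusable tables, but the logic of "what the email shows" versus "where it actually goes" is the same one you apply by hovering over a link.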

Check for an SSL certificate upon checkout

When you check out online, you want to make sure that the site presents a valid SSL/TLS certificate.  You should see that the web address starts with "https://".  Normally, there will be a lock image next to the address, and on some sites the whole bar will turn green.

SSL/TLS encryption is important any time that you are entering financial information or passwords.  It encrypts that information in transit and keeps it private from anyone who may be watching your connection.

Create a strong password (and don’t use the same one) for your customer (and business) accounts

Your customer accounts for stores and banks should be protected by a strong password.  The company can have the best security measures and encryption in place, but if your account has an easily guessed password, none of that matters.

A strong password is 12 characters or more and contains at least one of each of the following:

  • Uppercase letter
  • Lowercase letter
  • Number
  • Symbol
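The password rules given in this section, in Level 2 (at least 12 characters, two numbers, one symbol) and in the RockYou2020 post (more than 12 characters and no dictionary words) are the kind of thing a sign-up form or password manager can enforce mechanically. Below is an added example written for this page, not INF's or any product's code: a policy checker whose thresholds are parameters so each post's variant can be expressed, with a tiny constructed word list standing in for a real dictionary.

```python
"""Check a password against the length, character-class and dictionary rules
described on this page. Constructed example; the word list is a stand-in."""
import string

# Constructed mini word list. A real deployment would load a large list such as
# /usr/share/dict/words or a breached-password list.
WORD_LIST = {"password", "welcome", "summer", "moon", "dragon", "monkey", "love", "qwerty"}

# Common letter-for-digit substitutions undone before the dictionary check,
# so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "@": "a", "$": "s"})


def check_password(pw, min_length=12, min_digits=1, min_symbols=1,
                   words=WORD_LIST, min_word_len=4):
    """Return the list of rules the password fails; an empty list means it passes.

    min_length   - use 12 for the Level 2 rule, 13 for "more than 12 characters"
    min_digits   - Level 2 asks for two numbers, the other posts for one
    min_symbols  - at least one character from string.punctuation
    min_word_len - dictionary words shorter than this are ignored (too many false hits)
    """
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if sum(c.isdigit() for c in pw) < min_digits:
        failures.append(f"fewer than {min_digits} digits")
    if sum(c in string.punctuation for c in pw) < min_symbols:
        failures.append(f"fewer than {min_symbols} symbols")

    # Dictionary rule: case-insensitive substring match after undoing leet swaps.
    normalised = pw.lower().translate(LEET)
    found = sorted(w for w in words if len(w) >= min_word_len and w in normalised)
    if found:
        failures.append("contains dictionary words: " + ", ".join(found))
    return failures


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "flymetothemoon!12", "Xq7#vLm2!pRz9tW"]:
        result = check_password(candidate, min_digits=2)
        print(candidate, "->", result or "OK")
```

Note that the Level 2 suggestion flymetothemoon!12 satisfies the length, number and symbol rules but fails the uppercase rule and the later post's no-dictionary-words rule, which is why the checker reports rule by rule rather than just pass/fail.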

You also do not want to use the same password for all of your accounts.  This is because if one of the accounts is hacked, the hacker now has the login information for all of your other accounts and they WILL check this immediately.

The average American has over 60 online accounts that they have to remember, so look into a good password manager to help you maintain the information.  Not only will the password manager help you remember all of your login information, but it will help you create secure passwords.

Some highly rated password managers include KeePass, Dashlane and LastPass.  Check out this article from PC mag for more information on the top password managers of 2017: https://www.pcmag.com/article2/0,2817,2407168,00.asp

BONUS: Turn on two factor authentication where possible

Two factor authentication (TFA) is becoming more prevalent as hackers become more savvy and have access to greater computing power.  TFA uses not only your username/password, but one other means of verification before you have access to your account.

This is now commonly available with banking and credit card websites.  When you turn this on, after you sign in with your username and password, they will ask if you want to receive a text or email for secondary verification of the account.  Once you make your selection, they will send a one-time only code to the phone number or email associated with that account, which you then have to enter to gain access.

This is helpful because even if someone had your password, they would still need access to your email or phone to be able to access your account.  If TFA is available to you, INF recommends turning it on to better protect yourself.
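The one-time code flow described here and in Level 4 (password first, then a code delivered to your phone or email that is only good once and only for a short time) looks like the following on the server side. This is an added example written for this page, not code from INF or from any bank; the in-memory store, the five-minute validity window and the five-attempt limit are assumed policy values, and delivering the code by SMS or email is left to the caller.

```python
"""Server-side issue/verify of a second-factor one-time code (constructed example)."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: discard the challenge after five wrong guesses

# Pending challenges keyed by username. Only a salted hash of the code is kept,
# so a leaked copy of this table does not reveal live codes.
_pending = {}


def _hash_code(salt, code):
    return hashlib.sha256(salt + code.encode()).digest()


def issue_code(username, now=None):
    """Create a fresh code for the user and return it for out-of-band delivery
    (SMS/email). Re-issuing replaces any earlier challenge for that user."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    _pending[username] = {
        "salt": salt,
        "hash": _hash_code(salt, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(username, submitted, now=None):
    """Check a submitted code. Returns (ok, reason). A code is single-use,
    expires after CODE_TTL_SECONDS and is discarded after MAX_ATTEMPTS misses."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False, "no pending challenge"
    if now > entry["expires"]:
        del _pending[username]
        return False, "code expired"
    if entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]
        return False, "too many attempts"
    entry["attempts"] += 1
    # Constant-time comparison so timing does not leak how many digits matched.
    if hmac.compare_digest(_hash_code(entry["salt"], submitted), entry["hash"]):
        del _pending[username]   # single use: the same code cannot be replayed
        return True, "ok"
    return False, "wrong code"


if __name__ == "__main__":
    # Demo: the code would normally be texted to the user, here it is printed.
    code = issue_code("alice")
    print("code sent to alice's phone:", code)
    print(verify_code("alice", "000000"))   # a guess
    print(verify_code("alice", code))       # the real code
    print(verify_code("alice", code))       # replay is rejected
```

The three properties a practitioner looks for are all visible in verify_code: the code stops working after first use, after its time window, and after a handful of wrong guesses, which is what makes a six-digit code safe to send over a channel as weak as SMS.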

Have a safe and secure holiday season from INF!

Why Does My Company Need Cyber Liability Insurance?

Today's businesses are more reliant than ever on technology.  Whether it's an app, a device, or a piece of software, a business can save time and money.  However, this technology may expose them to multiple cyber risks that need to be addressed.  An unhappy ex-employee, a lost cell phone, an insecure password, an out-of-date computer system – these may all be a possible source of a data breach.

What is a data breach?
According to the Ponemon Institute, a breach is defined as an event in which an individual’s name and a medical record and/or a financial record or debit card is potentially put at risk—either in electronic or paper format.

Verizon found in their 2015 Data Breach Investigations report that about 50% of all security incidents are caused by people within your organization!  The other 50% are caused by hackers, viruses, malware, etc.  The people in your organization may not have caused the breach maliciously, but through human error or some other negligence.

Amazing Data Breach Facts

According to Ofcom’s “Adults’ Media Use and Attitudes Report 2013”, 55% of adults use the same password for everything.  Therefore, when one data breach occurs, about 55% of the passwords and information recovered can possibly lead to another breach, which can lead to another, etc. It’s easy to see how you can have a secure system, but if it’s not protected by secure employees, a data breach could easily occur.


The average cost per lost or stolen record in a data breach is $141 dollars according to the 2017 Ponemon Institute Data Breach study.

How many records is your company responsible for?  

When there is a breach in Pennsylvania, you are responsible for notifying each owner of those records that their data has been compromised.  Not only have you lost or diminished the trust of your clients, but you will spend a large amount of money informing them of this fact.

Because your clients can reasonably expect that you will protect their data, failing to do so can also result in federal and/or state fines.  Make sure that you are taking all reasonable steps to protect your data.

How can you protect your company from a data breach?

The first step that you can take is to purchase a cyber liability insurance policy. This allows you to transfer the risk to the insurance company and know that you are covered in the event of a data breach.  For the cost of a nice laptop (under $1500), you can purchase a standalone cyber liability policy.

This policy will help with a number of things when it comes to a data breach.  Most policies will cover the cost of notification, finding the breach source, fixing the source, restoring your clients’ trust, fines and more.  Before you purchase a policy, review the coverage available and ensure that you are fully covered.

The second step that you can take is to train your employees well and make sure that you have office procedures in place to ensure your security.

Keeping Your Information Safe In the Digital Age – Part 3

With the onslaught of data breaches that happened in 2015 (about 65,000 according to the Verizon Data Breach Investigations Report), INF presents this multi-part blog series about keeping your data safe in the digital age.

Accessing Your Password Database on Different Devices

The last blog post of this series covered setting up a password database in KeePass and accessing it on your personal computer.  This blog post will cover accessing your passwords on multiple devices.

Storing your Password Database in an Accessible Place

If you only want access to your passwords on your laptop or desktop, storing the database file (*.kdbx file) locally is fine.  However, if you want to be able to retrieve your passwords from your phone, tablet, etc., the file needs to be stored in the cloud.  If you already have a cloud account, you can store it there.  If you do not have a cloud account and you won't be using it for large files, Dropbox is a great free option to consider (https://www.dropbox.com/).  It takes about 3 minutes to sign up and you get 2GB of space for free.  Your *.kdbx file won't even use 1% of that amount.

Once you have your cloud account set up, move your password database file to the cloud.  This benefits you in multiple ways.  First of all, you can access your passwords from all of your devices.  Secondly, your password database will now be backed up on a regular basis.  In fact, Dropbox keeps all deleted and updated versions of your files from the last thirty days.  So, if you accidentally delete your file from anywhere, you can restore it from dropbox.com.

Retrieving Passwords on your iPhone or iPad

If you want to access passwords on your iPhone, you need to download the app for the cloud that you are using onto your device. In the case of Dropbox, you will download the Dropbox app from the app store and use your account information to sign in.  You will then need to download the app “MiniKeePass”.

To load your password database into MiniKeePass, open the Dropbox app (or your Cloud app) and click on your *.kdbx file.  The cloud app will not be able to show a preview of the file, which is expected.  Click on the icon of the square with an arrow pointing up, which should give you a menu with multiple options.  Click the “Open in…” option and select “Copy to MiniKeePass”.  This has now stored a copy of the password database in your MiniKeePass app.  This is important to note as it is just a copy.  If you make changes to the file on another device, you will have to go through the process of loading your password database again.

The actions above will open MiniKeePass and display the database file. To open it, click on the filename.  The app will ask for the database password.  Enter your password and your database will display.  You can browse by folder or you can use the “Search” box.  To use the passwords, click on an entry and click on the username or password.  This copies that text to the clipboard.  You can then paste it wherever you would like.

Retrieving Passwords on your Android 

If you want to access passwords on your Android, you need to download the app for the cloud that you are using. In the case of Dropbox, you will download the Dropbox app from the app store and use your account information to sign in.  You will then need to download the app KeePass2Android from the app store.  Launch the newly downloaded app and click the "Open File" button.  You can browse to your password database file in your cloud and open it with your password.  You will then be able to search for the password that you want and copy/paste it to any location.

Retrieving Passwords on your Chromebook

If you are using a Chromebook, there is a strong possibility that the cloud that you are utilizing is Google Drive.  Place your *.kdbx file in your Google Drive cloud and install the KeePass Chrome app.  Open your new app and select “Open File”.  Browse to your KeePass Database and enter the password.  KeePass Chrome will open the file and you can use the passwords as needed.