Top 10 Security and Password Tips for Small Business

Note: The following catalog of content covered in this webinar is time stamped to allow you to follow along or skip to sections of the video that are relevant to your questions. You can also search for content on this page using the FIND command in your browser (CTRL + F in Windows, Command + F in Mac OS.)

• Intro
• 1. Use a Virtual Private Network (VPN)
• 2. Multi-Fator Auth
• 3. Password Managers
• 4. Simple Password Guidelines for Secure Passwords
• 5. Phishing
• 6. Regular Audits
• 7. Back Up
• 8. Wipe Old Drives
• 9. Install Updates
• 10. Firewall, Malware & Virus Scanners
• What to Do If You’ve Been Hacked

0:00 – 4:04: Intro

Why is security important? (3:45)

You could have your:

• Bank account cleaned out.
• Identity stolen.
• Website hacked.

4:05 – 7:46: 1. Use a Virtual Private Network (VPN)

It’s easy to “listen” to Internet traffic on public Wi-Fi. Every time you log in to a website on public Wi-Fi, your username and password can be stolen.

A VPN uses additional encryption to mask your Internet traffic.

At a coffee shop or hotel lobby? Always use a VPN.

Top-rated VPN providers (5:38):

• privateinternetaccess
• NordVPN
• TunnelBear
• CyberGhost
• Hide My Ass

Public Wi-Fi rules of thumb (6:44):

• Always use a VPN when using public Wi-Fi.
• Make sure no one is shoulder surfing (i.e., looking over your shoulder to see you enter your passwords).
• If you want extra security, don’t use the Wi-Fi! Use your cell phone connection instead.

7:47 – 10:28: 2. Multi-Factor Auth

(aka having a code texted to your phone)

Note: Multi-factor auth is only triggered when logging into a new device.

You might receive messages from companies giving you a login code – even if you didn’t log in to a new device. That is hackers or bots trying to log in to your account!

If you don’t have multi-factor auth enabled for your sensitive logins, such as your bank, Google, Facebook Microsoft, Amazon, etc., you are at risk.

It can also prove helpful if you forget your password, as it allows these companies to text you a one-time use code.

10:29 – 14:49: 3. Password Managers

Why use a password manager?

• You probably have hundreds of passwords, which are impossible to keep track of.
• Writing them down is dangerous.
• Most password managers have an auto-fill feature.
• Syncs between multiple devices.

A few of the most popular password managers (prices as of March 2019) (12:05):

• LastPass (Pro account: $36/year)
• dashlane (Premium account: $60/year)
• keeper (Business account: $30/year)
• 1Password (5-user business account: $240/year, 1-user personal account: $36/year)

A fun exercise (12:55):

Go to haveibeenpwned.com.

Enter your email to see how many times your accounts have been hacked. This should be a reality check.

Never reuse the same password!

14:50 – 27:59: 4. Simple Password Guidelines for Secure Passwords

5 password rules of thumb (15:00):

1. Never write your password on a sticky note fixed to your monitor.

2. Never reuse passwords for different logins.

3. Longer passwords = better security.

4. If you can use autofill for the login, use complex passwords – ideally, autogenerated, saved, and autofilled by your password manager.

5. If you have to type your password manually (Wi-Fi, password manager, etc.), use a passphrase instead of a password.

Unspoken rule: Don’t email or text your passwords to other people – ever!

Passphrases (17:55)

A “passphrase” is a long password made of multiple words, such as: thispasswordisInsecure

They can sometimes be hard to remember, or hard to type, so we need to find the right balance between:

• Security
• Ease of typing
• Memorable

Passphrase style #1: Lyrics/lines (18:50)

Passphrase style #2: Misspelled rhymey phrase (20:15)

Passphrase style #3: Diceware (20:58)

Password caveats (23:20)

Diceward caveats:

• Only works if you use actual dice or online generators.
  • Humans are bad at actual randomness.
  • Google “Diceware Generator”
• If you want serious security, use 6 words.

Lyric/line and rhymey caveats:

Most common lyrics or famous phrases are already in “password dictionaries” that hackers use to crack passwords. To combat this:

• Always use special characters and/or numbers within your passphrase – preferably something relatable and easy to remember.
• Misspell one of the words.

Why? (25:18)

You might be thinking, “If I enter my password 3 times in a row, I’m locked out! How can hackers guess my password with their supercomputers?

Brute force attack:

This is usually when a website has been hacked, their login database stolen. Passwords are encrypted, so the hackers have the data offline and can guess as many times as they like.

Yes, you should be concerned. (26:14)

Data breaches in 2018 alone + number of accounts compromised:

• Facebook: 29 million
• Google+: 52.5 million
• Cambridge Analytica: 87 million
• MyHeritage: 92 million
• Ticketfly: 27 million
• T-Mobile: about 2 million
• MyFitnessPal: 150 million
• Quora: 100 million
• Marriott Starwood Hotels: 500 million
• Aadhar: 1.1 billion

Passphrase resources (27:12):

Password crackability estimates:

• https://www.grc.com/haystack.jtm?id
• https://howsecureismypassword.net

Diceware generator:

• https://www.rempe.us/diceware/#eff

Password strength meters should only be used as a rough estimate.

Any of these password styles will be acceptable for good security. Choose what works best for you!

28:00 – 37:53: 5. Phishing

Phishing is when you receive an email that looks official, and often contains a login link.

Phishing has become extremely sophisticated, and is one of the primary techniques hackers can use to access your accounts.

How to avoid phishing scams (31:10)

• Always double-check the URL before logging in.
  • Chrome has a great little lock icon to reference.
• Make a habit of never clicking links in emails.
  • It might seem like a pain, but if you never click links, you decrease your chance of being phished.
• Use common sense when logging in to websites.
• For many services, use your phone app instead of browser if you receive one of these emails. Then you’ll know whether the email is legit.

Even internal company emails can be dangerous! (33:48)

A classic example is a domain that is one letter away from your domain, which, at first glance, looks real.

37:54 – 41:24: 6. Regular Audits

Password audits (37:54):

• Most password managers have audit features:
  • Scan for password duplicates, password age, etc.
• Use a tag system in your password manager every time you share a password.
• Change your sensitive passwords once a year.
  • But don’t use National Change Your Password Day, as that’s when Internet phishing and spoofing is at record activity!

Ex-employee procedure (39:55):

When a co-worker or employee leaves the job:

• Do you know which passwords he or she had access to?
• Do you have to reset all your passwords?
• If you had a nice clean tag system in place, you wouldn’t have to change all your passwords.

41:25 – 46:57: 7. Back Up

Why back up (42:40):

Most common data loss scenarios:

• Fire/flood
• Drive failure
• Theft
• Malware

We get a call per week on average from clients with severe data loss issues.

3-2-1 backup system (42:39)

3 copies of your data

• System/working copy
• External backup
• Off-site or cloud backup

2 different formats

• Internal drive
• External drive or cloud

1 off-site

• Keep an off-site backup in a safe or safety deposit box.

Test your backups quarterly! Over the years, clients have told us horror stories of losing tens of thousands of dollars’ worth of work because their backup systems didn’t function correctly.

Test your backup and restoration procedures (45:23)

Getting a new computer? Use the following as a good opportunity to test your restoration procedures.

• Where is your list of software license keys?
  • Password-protected USB drive
  • Password manager
• Where are your backups?
  • And how good are they?
• How long is your downtime?
  • Downtime=lost money
• Maybe you even pay your IT administrator to come in and do a full server restoration
  • Your backups and restoration procedures are worthless if they don’t work!

46:58 – 48:36: 8. Wipe Old Drives

Wipe or destroy old drives.

• Having data on old drives can be dangerous!
• Extra USB transfer drives lying around.
• Getting rid of an old computer.
• Upgrading your hard drive.

Nearly all cities have mobile paper shredding services that will dispose of your drives safely.

Or remove old “spinner” drives.

48:37 – 49:19: 9. Install Updates

Windows 10 updates are a total pain, but:

• A majority of software updates are bug fixes and security patches.
• If you don’t install the update that mentions security, you are at risk.
• Do yourself a favor and install the update.

49:20 –52:48: 10. Firewall, Malware & Virus Scanners

Firewalls (49:30):

• Software firewalls are confusing and tricky. Instead, use your router’s built-in firewall (a “poor man’s firewall”).
• Change the default router admin password to a secure passphrase.
• Some routers will allow you to turn off the Web-accessible admin panel.

Malware & virus scanners (50:30)

You can find many great options on the market, but over the years we have consistently recommended Malwarebytes.

• Both virus and malware scan
• Really easy to use
• Comprehensive and regularly updated threat database
• PC & Mac
• The free version scans and eliminates malware and viruses.
• The paid version prevents infection at $40/year.

Malware scanner (51:53)

Malware can be easy to pickup from “download sites.”

Stay away from sites such as:

• cnet.com
• tucows.com
• softonic.com

Wherever possible, only download software through the vendor’s own website or official app stores (Google Play, App Store, etc.)

52:49 – 54:53: What to Do If You’ve Been Hacked

1. Change passwords.

• Run a password audit, and ensure that other accounts don’t use the same or similar passwords.

2. Check financials.

• Change your bank passwords.
• Keep an eye on accounts. If you suspect your credit card was compromised, call your bank immediately.

3. Scan your computer for malware/viruses.

4. Notify.

• If a hacked account is high profile (email, social media, etc.), notify or post that you’ve been hacked.

5. De-authorize third-party apps.

• Facebook and Google allow many apps access to your account. Go through and de-authorize them:
  • https://www.facebook.com/settings?tab=applications
  • https://myaccount.google.com/permissions

In the Future (54:54)

We might not have to rely on passwords as much.

On March 5, 2019, the W3C approved WebAuthn as a standard across the Internet. Dropbox and Microsoft are already adopting this standard.

WebAuthn can use a USB key, proxy key, or biometrics to log you in to websites.

Question: How can I clean cookies from my computer? (57:30)

Answer: Every browser is different, but all browsers will have an option to clear browsing data. Unfortunately, you’ll be logged out of all sites you’re currently logged into.

Question: How does Incognito Mode work? (58:47)

Answer: In Incognito Mode, cookies won’t be saved on your computer. Many browsers have this option.

Question: What should have your absolute most secure password? (1:00:20)

Answer: Your email. If your email is ever compromised, hackers can access any of your other accounts.

Question: If I’ve been hacked, are the hackers watching me as I reset it? (1:02:15)

Answer: No. Once you change the password, they’re locked out.