Leeward Business Advisors

You Don't Think You Need It, Until You Do

10/27/2020

Every month I spend money on insurance for my car, house, and health care.  And every time I need it, I am so happy I do!  It is peace of mind.  How peaceful is your mind when you think about your business cybersecurity?

You most likely have some sort of business insurance, maybe general liability insurance.  That will not cover your losses from cyber-attacks, including targeted attacks as well as the occasional misplaced laptop containing confidential material.  And that might be what puts you out of business.
​

Cyber insurance (also called cyber-risk insurance or cyber-liability insurance) protects businesses and individuals from Internet-based security incidents.  It protects your privacy, data, and network exposures.

Why should I get Cyber Insurance?

​Hackers keep getting more innovative and the amount of private information shared online is increasing. The list of regulations, statutes, and compliance requirements regarding the use and protection of cybersecurity information continues to lengthen.  A breach may result in major fines and legal fees.


Does your business…
  • Accept credit cards / digital payments
  • Use computers / mobile devices
  • Keep medical or financial data
  • Store confidential customer information
  • Have employees
If you answered yes to any of these, you are vulnerable to many kinds of attacks.  It doesn’t matter what size your business is: if you collect data and connect to the Internet, you are a target. If you share data with an independent contractor and they are breached, your organization can still be found liable.
​
It is extremely important to implement cybersecurity tools to lessen your risk, but nothing is 100%.  In fact, most cyber breaches are caused by human error. ​
According to a Ponemon report from 2017, cyber attacks cost small and medium-sized businesses an average of $2.235 million. On top of that, the study showed that 60 percent of the businesses that were polled said that attacks are becoming more severe and more sophisticated each year.

How do I know what kind of Cyber Insurance I should get?

​Like any insurance, you need to do your research.  Find out what your specific risks are, and which policies will protect you. By shopping around and evaluating your needs, you can avoid overpaying or getting coverage you don’t need.
Here are some of the different things covered:
  • Data destruction and restoration
  • Extortion
  • Theft / leaks
  • Denial of Service Attacks
  • Security audits
  • Public Relations after an attack
  • Investigation expenses / forensic costs
  • Lost income and interruption of business
  • Noncompliance / negligence
  • Legal defense / monetary settlement
  • Breach response resources
​Cybersecurity best practices are continually being updated as cyber attacks grow and change.  You will want to check in often to make sure your cyber insurance is adapting and providing the coverage you need. 
LEARN MORE
  • The Center for Insurance Policy and Research
  • Cybersecurity Insurance
  • US Department of Homeland Security Cybersecurity & Infrastructure Security Agency
  • Cyber Insurance 101: What Cyber Insurance Covers
  • Cyber insurance - is it necessary?
  • Top 10 Cyber Insurance Companies in the US
As always, your questions and comments are encouraged.  You can also tell me what else you would like to learn about using the "Ask Me" section at the top right of the blog page.

​Michael Polzin, CEO Leeward Business Advisors

Preventing and Recovering from Ransomware: Part 2 of 2

10/21/2020

In part 1 of this 2-part blog on ransomware, we talked about what it is and how you can be infected.  In this blog we will cover how to prevent attacks through layered security steps, and how to recover if you are attacked.
​Three very important layers to protecting yourself from malware:
  • Antivirus software
  • Data backups
  • Education & Action

What antivirus should I use?
​ANTIVIRUS SOFTWARE
The most important software you should have is antivirus (AV). This software utility is essential to monitor for malware and quarantine suspicious files.  It will also monitor all programs for suspicious behavior.
Not all AVs are created equal.  You need to do some research to make sure you are using software that is going to do everything you need it to.  Some things to think about:
  • What features do you need? Do they offer them?
  • Is it up to date and patched regularly?  
  • Does it rate URLs you visit or that show up in search results? Does it block processes on your system from connecting with known malware-hosting URLs?
  • Does it handle spyware?
  • Does it whitelist or sandbox?
  • Does it offer free / paid support? Is it with a person or a chatbot?
  • Does it protect you from known and unknown threats?
  • Are spam filters available?
  • Does it offer File Shredding to prevent erased files being recovered from your hard drive?
  • Does it block instant messages with malware?
  • What kind of firewall, if any, does it offer?
  • Can you apply child filters?
  • Is there a browser toolbar you can use to prevent phishing?
  • Do you need to encrypt your data?
  • Can you set automatic, scheduled updates or patches?
  • Does it block pop ups?
You can see that there is a lot to consider when making sure you are getting the security features you need. There are 3rd-party testing groups that run independent tests and offer recommendations and ratings to help you compare features - such as AV-Comparatives, AV-Test and Virus Bulletin, among others. They regularly carry out detailed analyses to find out how IT security products perform when subjected to malware.

Just like the criminals who are looking to make money, many companies offering AV are also in it for the money.  So why shouldn’t you just use the antivirus that is built into Windows 10 or came with your PC as a free trial? 

There are many free trials out there and even free AV.  Is it worth it to pay for AV?  It depends on your needs, but most of the time the paid version offers more features and is more secure.
​

The software that is preinstalled on PCs isn’t chosen because it is the best.  It is a marketing agreement between the computer manufacturers / sellers and the AV company.  Free versions can also subject you to in-app advertising and bloatware.  Most paid subscriptions are around $40 annually.
Bitdefender Antivirus Plus routinely receives perfect or near-perfect scores from independent antivirus testing labs and offers great bonus features.

It is Leeward Business Advisors' preferred antivirus, but we still recommend you choose what is best for you based on your specific needs.

BTW… we do not get any kickbacks for recommending Bitdefender.
​
  • Bitdefender Antivirus Plus Review by PC Magazine

  • Bitdefender Antivirus Plus Website

How do I securely back up my important files and data?

​DATA BACKUPS
Many people don’t fully understand the difference between backup solutions (like Crashplan) and a platform or service that allows you to share and synchronize your files across multiple devices (like Dropbox, Google Drive, etc.). 

​Having secure backups is the most important element for recovery after an infection. 
You should make sure to have your files backed up in two formats.
  • Back up to an external (unpluggable) USB drive or other external drive.  Then lock it up and keep it safe until you need it.  Back up as often as necessary; once a day is best.
  • Use a backup provider that captures your data and stores it at a secure location

​EDUCATION & ACTION

The number one risk contributing to malware infections is the human using the machine - how much they know about and do to protect themselves. 
​

Anyone who uses your system should be aware of risks and precautions to avoid being vulnerable.  This is particularly important if you have children. 
There are many, many places to get free training on what the best practices are to protect you and your family.  Some of these resources are listed at the end of this blog. There are also some great video lessons on YouTube.
OTHER LAYERS OF PROTECTION
  • Cancel old zombie accounts / emails (Hotmail, My Space, etc.)
  • Don’t click "next" without reading what you are agreeing to
  • Scan USBs and other external devices before using them
  • Check your privacy settings often (on your hardware and all accounts)
  • Don’t click on links or download anything without validating it is trustworthy
  • Never click “remember me” or save payment information on a site
Even if you have a great antivirus utility, there is still a chance ransomware might get through. 
If you get ransomware...
  1. ​DO NOT TURN OFF YOUR COMPUTER!  Immediately disconnect the hardware from the Internet and your system.  This will help prevent the infection from spreading.
  2. Contact your service provider and antivirus provider and report the attack
Also...
  • Do not pay the ransom.  These are criminals and you should not trust they will give you back your access. 
  • Install or update your antivirus software.  Run a full scan.
  • Check all your defenses.  Your passwords, privacy settings, or permissions could have been changed.
  • Don’t reset or restore files until you are sure the infection is gone, and your system is clean.
  • Figure out where the breach occurred and be proactive to ensure it won’t happen again
  • Un-authorize all associated apps (Twitter, Facebook, subscription services, etc.)  You will need to reset those passwords and re-authorize those accounts.
I know it seems like a lot to do, but the upfront research you do to ensure you’re cybersecure is easier than dealing with a malware infestation.  It will save you time, money, and your important data.
We covered a lot, but there is more.  Check out these other resources.
LEARN MORE
  • How to choose the best antivirus for you
  • 7 Signs You Have Malware and How to Get Rid of It
  • How to Rid a New PC of Crapware
  • Antivirus Reviews and other great blogs
  • Is my data safe in online drives or should I back it up as well?
  • Using IP Cameras Safely
  • P2P File - Sharing Risks
  • How to Protect Your Data Before You Get Rid of Your Computer
  • Managing Your Privacy
Education for the whole family
  • OnGuardOnline - Tips to help you stay safe and secure online
  • National Cybersecurity Alliance - Tips for Parents
  • Get Schooled on Cybersecurity: Online Learning Security Tips for Students & Parents
  •  Family Emergency Scams
  • Elementary School Cyber Education Initiative
  • CyberGenerations: The Senior Citizens’ Cyber Safety Initiative

​Michael Polzin, CEO Leeward Business Advisors

What do You Have to Lose? Ransomware Part 1 of 2

10/19/2020

Well, time, money, and important information and data.
“We all like to think we’re not susceptible to social engineering or other kinds of cyberattacks, but the truth is that even intelligent, self-aware people get caught up in online scams that can have very damaging consequences, financially or socially.” - Jake Moore, a cybersecurity specialist at Eset, an internet security company.
This blog will focus on ransomware.  You may think that is something that big companies with deep pockets need to worry about.  As hacking gets easier and more complex, it is something every person connecting to the Internet needs to be concerned about. 

This is part one of a two-part blog series on preventing ransomware attacks on your personal devices.  In this blog we will focus on what ransomware is and how you get infected. In part two we will talk about prevention and recovery.
Ransomware is a type of malware.   It is what it sounds like.  Someone hijacks your system, encrypts your data, and won’t give you the key to unlock it until you pay up.

Why would someone target me for ransomware?

There are many reasons why you might be attacked.  It could be money; the hackers use artificial intelligence (AI) to attack mass amounts of systems hoping enough will fall for it that they can profit.  It could be that you have paid a ransom in the past and are now a “known target” for other hackers.  And maybe the scariest reason - a grudge or revenge.
If someone really wants to ruin your day, they can pay criminals to do the dirty work for them - targeting people or groups.  The service is called Ransomware as a Service (RaaS). Cybercriminals provide a compact malicious kit capable of launching a ransomware attack.  This empowers anyone to target you.  They may want access to your information, to leak your information, or just to create a crisis for you.
How do I know if I have been attacked with ransomware?

It is hard to know when you have been infected until you get a ransom demand, or your computer locks up.  There are many ways that a hacker can “get in.”  The goal is to prevent any malware from penetrating your system, but if it does, you need to act fast and make sure to clean your machine to avoid future attacks. Here are some red flags to watch for:
  • Files: ones you didn’t create or are missing
  • Your credentials (authentication proof) no longer work
  • New software running on your computer
  • Browser changes: redirecting to other sites, new toolbars, etc.
  • A light or sounds coming from your webcam
  • Emails or social media posts you did not send
If you start to see any of these suspicious activities, you want to scan for malware and review your overall cybersecurity practices.  You might want to consult a technology expert if you are not sure how to do that.
If you suspect you have been hacked, do not shut down your machine - unplug the network cable and shut down Wi-Fi immediately to prevent the spread of the attack.

​How did my computer get ransomware?

This is the part that can get a little overwhelming; however, recovering from an attack will be a much bigger headache.  Precautions are worth every bit of time and extra steps. It can happen to you. Your most valuable resource to prevent malware is you.
Almost all malware is installed by victims themselves unknowingly.
Your mission if you choose to accept…  follow good cybersecurity best practices.
PASSWORD & LINK ATTACKS
I know, you have heard this before.  The problem is people aren’t listening.  Here is a quick reminder. 

Passwords
  • Always use different passwords for each account
  • Change them regularly
  • Make them hard to guess
  • Never share them or keep a list where others can find it

Check out the different password managers out there and make sure the one you choose is trustworthy.  Multi-factor authentication (MFA) adds extra layers of protection.

Links / Downloads / Texts
  • Never click on a link unless you know it is trustworthy
  • Never respond to or follow instructions in any email until you confirm it came from the claimed source
  • Don’t download anything without confirming it is authentic and secure
  • Be careful with Peer-To-Peer (P2P) downloads.  These are downloads from a 3rd party.  They may be offering a free game or trial. 
  • Contact the text sender if you are asked to share information or get a request that doesn’t seem quite right. (Gift Card Scams)
SOCIAL MEDIA ATTACKS
With the rise in people using social media and so many different platforms, hackers are taking advantage of this avenue of attack.
  • Stop filling out questionnaires, quizzes, and games.  The bad guys often start these going around to gather information that can be used to prove they are you.​
  • Make sure the profile is not fake.  Look to see who their friends are, when they created the profile, how many posts seem generic, etc.
  • Don’t click on ads no matter how much you want those shoes!  If you see a product or service offered that you are interested in, search for it through a browser and make sure they are legitimate.
  • Don’t friend anyone you are not sure of.
  • If a friend suddenly has a new profile, confirm with them that it is real.
IOT / WEBCAMS / SECURITY CAMERAS
​

Internet of Things (IOT) refers to anything in your home that is connected to the Internet (thermostats, smart lights, etc.).  These are endpoints into your system.  Have you checked their privacy settings?  Are they all kept updated with patches?
​

Be especially concerned if your webcam or security camera is behaving abnormally. 
ONLINE SHOPPING
Who doesn’t like a good deal?  Shopping online is convenient, but you need to be vigilant.
​
  • Always go directly to the website through a browser, not a link or ad
  • Check out the company. Do they have a physical location? Can you find reviews? Do they have a privacy policy?  Did you search for them through the Better Business Bureau or a similar “watchdog” site?
  • Never save your payment information on the site
  • Use a credit card over a debit card; credit cards provide more consumer protections.  Or use a 3rd-party service (like PayPal) after checking to make sure it is trustworthy and safe.  Watch carefully for unauthorized charges on your credit card or bank accounts.
These are not the only ways you can be infected with ransomware, but they are common and, best of all, the easiest to avoid by following good cybersecurity policies and taking preventative steps.

How can I prevent malware on my computer?

There are many important steps (some listed above).  In our next blog we will talk about what tools you can use to offer more layers of protection, specifically backups, antivirus, and education.

MORE RESOURCES:
  • Ransomware-as-a-Service: Ransomware Operators Find Ways to Bring in Business
  • How Can I Tell if a URL is Safe?
  • Creating and Managing Strong Passwords
Sites that offer tons of cybersecurity advice and information
  • National Cybersecurity Alliance
  • KnowBe4
  • FBI - Cyber Crime
  • Leeward Business Advisors Technology Insight Blogs

​Michael Polzin, CEO Leeward Business Advisors


To Pay or Not to Pay

10/18/2020

Let’s talk ransomware.  Cybersecurity is all about protecting you and your information.  There are many ways hackers can attack your company.  Most of them fall under the category of malware (malicious software).  We will be focusing on ransomware - a specific malware that hijacks your system, encrypts your files and system, then demands a ransom to undo it.
According to Check Point Research, ransomware attacks doubled between July and September 2020.
You have probably read about larger companies (health care facilities, universities, large chain stores, etc.) being attacked, but hackers are equal opportunity bad guys.  They can target businesses of all sizes. The National Cyber Security Alliance has estimated that 60% of small businesses hit by cyber attacks end up going out of business.
There are three typical ways malware (including ransomware) gets into your computer.

EMAIL SPAM
You have probably heard about that poor foreign prince who needs your help.  This is an example of incoming spam email with a link or download the hackers hope you will click on so they can enter your system.

INFECTED WEBSITES
You can also be infected from websites.  They may offer free downloads of software or files (like white papers).  This is an easy way for a hacker to infect your system through malware.

P2P DOWNLOADS
Often these download sites are illegal or live on the dark web.  (Like the ones that offer a free video game download.) They are regularly found on social media sites.

Do you see a pattern? 
All these things require a human to click or download without checking out the security of the source. 

​Like most cybersecurity problems, the human element is the biggest risk.

How can I protect myself from ransomware?

​The most important answer is to train your employees. (KnowBe4 is an excellent source to help with this.)  If employees don’t open the door, the ransomware can’t get in.  Create a Culture of Cybersecurity (learn more here).  No matter what other precautions you put in place, it is the people who pose the most risk.  Spending money on training is a wise investment and can save you money and time.
Here are some other ways to make it more difficult for the attackers to get in.  It is best to have a multi-faceted security solution.
ANTIVIRUS PROTECTION
Pick a trusted software - Many retailers have agreements with other companies and get kickbacks for recommending their software.  They aren’t looking out for your best interest; they are looking for profit. Look into tamper protection that prevents malicious software from turning off the antivirus application.

BACKUP DATA & SYSTEMS
Ransomware can encrypt your backup drive as well.  You need to be backing up to a location you can then disconnect from your system.  If your backup is connected to your network and the network becomes infected, your backups will too. Update often and keep incremental backups. Think about what data you have accumulated since your last backup.  Can you afford to lose that?  You should talk to your IT department or support team to make sure your backup system is as secure as you can make it.

UPDATES AND PATCHES
When software and hardware come out with new patches, it is to fix something.  They may have become aware of a vulnerability and are updating to protect you from it.  Make sure that your updates are being managed.

RESTRICT ACCESS
Only give your employees access to the information they need.  You should also whitelist safe websites, plug-ins and add-ins for your browser and email.  Instead of blocking what you feel might be dangerous, avoid the risk by only allowing already known safe sources.

MONITOR
The earlier you become aware of a problem, the less damage it is likely to cause.  Have someone tasked to manage your cybersecurity and watch for clues of attempted and active attacks. 
​

OTHER LAYERS OF PROTECTION
  • Ad blocking software within browsers
  • Never enable macros
  • Content security tools can alert you to file extension discrepancies
  • File level encryption
  • Never use public Wi-Fi

What do I do if I am attacked with ransomware?

​There are many important steps to take if you are attacked.  You should work with your IT department or IT support team to create a plan for protection and remediation. 
One thing you should make sure all your employees know if a ransomware screen does appear on their workstation:
DO NOT shut down the machine.  Instead, the employee should unplug the network cable from the machine or disconnect from Wi-Fi immediately.

Should I pay the ransom when attacked by ransomware?

This is often debated, but the FBI recommends you do not.  The hackers are looking for a payday.  They may sell the information they access on the dark web, leak it to hurt your company, or just want the ransom money.

IF YOU DO NOT PAY
  • May lead to leaked data
  • If not handled correctly, your reputation may be compromised
  • Your system and data could be completely wiped out

IF YOU DO PAY
  • The ransom may be used to research and develop even more potent attacks
  • You could be added to a list of companies who pay ransom and open yourself up to additional attacks
  • You have no guarantee that the criminal will give you back your data.
  • You may still be infected, and they are waiting to strike again.
  • You could face all the consequences of not paying and be out the ransom money.
On a final note… ALWAYS report it.  There are too many reasons why this is important to go into in this blog.  Here are some great links to give you more information on the why and how of reporting attacks.
​
  • Should I Report Ransomware to Authorities? (Top Reasons/Concerns)
  • FBI’s Internet Crime Complaint Center (IC3)
  • How to Report Ransomware to Authorities
  • Video: Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
BUT WAIT, THERE’S MORE
  • Ransomware Protection & Removal: How Businesses Can Best Defend Against Ransomware Attacks (Great info provided by 44 security experts)
  • How much should you spend on security?
Leeward Business Advisors can help you do all of these things no matter how big or small your business is.  
Elite services are perfect for businesses with 1-50 employees. You don't need a full IT department to have dependable, secure technology that meets your specific needs.
Enterprise services are perfect for businesses ready to optimize their current technology.
Leeward Business Advisors can help you support, upgrade, secure, and maximize the value of your technology investments.

​Michael Polzin, CEO Leeward Business Advisors

Where did I leave my wallet?

10/12/2020

Isn’t that the worst feeling?  That fear of valuable personal information being in the hands of someone else is scary!  You would most likely check all your financial accounts and notify them of the loss - as you should.  But there are many other ways the bad guys can get that personal information and more that you may not be aware of or monitoring. 
​

You may feel that you won’t be a target because you aren’t a company or think your information isn’t valuable.  Wrong!  Your info is extremely valuable on the dark web.  (learn more here)
One of the newest trends in cybersecurity is two-factor authentication (2FA) and multi-factor authentication (MFA).  Most of us are guilty of using the same password across multiple accounts.  In fact, password hacking is one of the easiest ways for hackers to access your personal data.  To combat this, many websites, apps, phones, and accounts require MFA. 
​

I know what you are thinking... “Oh great, another step.  I just want to log in.”

Why do I have to enter another code?

Here is some entry level information explaining what 2FA and MFA are and why you need to enter that additional code.

​VOCABULARY

Factors - The things you use to prove you are who you say you are and have permission to access the information you are trying to get to.
Multi-factor Authentication - Using more than one factor to prove your identity
Two-factor Authentication - Using specifically two factors to prove your identity
Identity - A unique label given to each individual (an email, username, etc.)
Authentication - The process proving ownership of an identity
Let’s say you want to set up an account on a website or app.  They are going to have you set up a username/log in (your identity) and a password (one factor of authentication).  It is now common that they will also ask for a cell phone number to text you a code to enter on the site (an additional factor).   
​
THREE KINDS OF FACTORS

There are three kinds of factors.  Multi-factor authentication requires you use factors from two or more of the categories.  If a hacker gets your password, chances are they don’t have your phone (or vice versa).  By requiring you to have something you know and something you own, it reduces the chances of a hack.
After you provide the correct factors (proof of who you are), the site authorizes your access.  Sometimes you need to provide your proof factors each time you log in; sometimes the authorization times out and you must re-enter it.  This is a precaution to protect you if you walk away from your computer or phone.

What are the safest factors to use for MFA?

Something you know is the easiest to hack.  Your password may be something easy to find out. Something you are is the safest.  Something you have strikes a balance between those two.

The National Cybersecurity Alliance defines some of the most common 2FA methods:

SMS 2FA
One-time passwords are sent via SMS (text message) and once received, the code can be copied and pasted into an application. Because of phone number porting scams and SIM swapping, this method has a poor security rating.

AUTHENTICATOR APPS
An authenticator app such as Google Authenticator is downloaded to your mobile device, and once you scan a QR code in your account’s security settings, the app stores one-time codes that are only valid for a limited amount of time. Although this method is more secure than SMS, it still relies on a mobile device, which isn’t always available or convenient. 

SECURITY KEYS
A hardware security key is the most secure and convenient 2FA option. In fact, a recent  Google study found that security keys were the only method to prevent account takeovers 100% of the time. Security keys, such as a YubiKey, require physical access to the device to log into an account, preventing sophisticated breaches and remote attacks. When prompted during login, you simply need to touch the device to verify your identity. Think of the security key as if it were a physical key to protect your digital world.

How do I protect my personal information from hackers?

  • Follow best practices for creating secure passwords 
  • Enable MFA when available
  • Don’t fill in those social media quizzes.  It may be fun to see what elementary school your friends went to, but those are often created by hackers to gather the information you may use for your password
  • Try to avoid sites and apps that don’t offer MFA (especially for health and financial sites)
  • Don’t use the “remember me” feature
  • When you get those emails letting you know someone has changed something on your account - don’t click the link in the email - go directly to the account in your browser and check for any changes you have not made

It may seem like one more time-consuming step, but you will spend a lot more time (and probably money) if you are hacked.
More helpful resources
  • Back to Basics: What's multi-factor authentication - and why should I care?  National Institute of Standards and Technology blog
  • ​Find out if your organization's MFA solution can be hacked by the bad guys now!
  • ​National Cybersecurity Alliance ​​
Images provided by KnowBe4

​Michael Polzin, CEO Leeward Business Advisors

The Golden Ticket

10/8/2020


​What is 2FA and MFA?

​There is a lot of buzz around 2 Factor Authentication (2FA) and Multi-factor Authentication (MFA). Factors are the “keys” used to unlock access to your valuables.  Anyone with the right keys can open the door and make themselves at home.  If you require more than one authentication factor, things get more difficult for the bad guys. 
​
FIRST, SOME VOCABULARY
Factors - The things you use to prove you are who you say you are and have permission to access the information you are trying to access. (Also referred to as "proofs")
Multi-factor Authentication - Using more than one factor to prove your identity
Two-factor Authentication - Using specifically two factors to prove your identity
Identity - A unique label given to each individual (an email, username, etc.)
Authentication - The process proving ownership of an identity
Tokens - A piece of data that is passed from one computer to another letting it know you're authorized and have permissions to access the site/data
“With the rise of account takeovers, usernames and passwords just aren’t cutting it anymore. A static string of letters, numbers and symbols — no matter how complex or how often it’s changed — is one of the weakest (and easily forgotten) forms of account protection for hackers to bypass.”

-Ronnie Manning, Chief Marketing Officer, Yubico (National Cybersecurity Alliance Article)
The token is the golden ticket.  The computer doesn’t know or care who holds the token.  In other words, if a hacker gets your token, they are as good as you in the eyes of the computer and will open the door. 
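The "golden ticket" behavior described above, as an added example that is not part of the original post: a minimal signed session token that the server accepts from whoever presents it, with a short lifetime and server-side revocation as the controls that limit a copied token. The function names, the 15-minute lifetime, and the user name are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # signing key known only to the server
REVOKED = set()                       # ids of tokens the server no longer honours


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_token(user: str, now: int, ttl: int = 900) -> str:
    """Issued once, after the password and the second factor were both checked."""
    claims = {"user": user, "exp": now + ttl, "id": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (payload + b"." + _sign(payload)).decode()


def _claims(token: str):
    """Return the claims if the server's signature is intact, else None."""
    payload, sep, sig = token.encode().partition(b".")
    if not sep or not hmac.compare_digest(sig, _sign(payload)):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def validate(token: str, now: int):
    """Return the user this token acts as, or None. Note what is NOT checked:
    nothing here asks who is presenting the token or whether MFA was repeated."""
    claims = _claims(token)
    if claims is None or now >= claims["exp"] or claims["id"] in REVOKED:
        return None
    return claims["user"]


def revoke(token: str) -> bool:
    """Server-side kill switch, e.g. on sign-out or a reported suspicious change."""
    claims = _claims(token)
    if claims is None:
        return False
    REVOKED.add(claims["id"])
    return True


def demo():
    t0 = 1_600_000_000                         # constructed timestamp
    token = issue_token("alice", t0)           # constructed user name
    owner = validate(token, t0 + 60)           # presented by the owner's browser
    copy = validate("".join(token), t0 + 120)  # identical string from anywhere else
    flipped = token[:-1] + ("0" if token[-1] != "0" else "1")
    tampered = validate(flipped, t0 + 120)     # altered token: signature fails
    expired = validate(token, t0 + 900)        # lifetime over
    revoke(token)
    revoked = validate(token, t0 + 180)        # honoured no longer
    return owner, copy, tampered, expired, revoked


if __name__ == "__main__":
    print(demo())
```

The owner and the copy get the same answer because the token is the only thing checked; the expiry and the revocation list are what bound how long a copied token stays useful.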

​A company needs to be very careful that the people who are accessing information are the people who have the permissions to do so.  MFA is a great way to increase your security; however, it is not a guarantee.  To protect your business, you need to understand what MFA is, how it works, and how to minimize the risk of a security breach when using MFA.
From KnowBe4’s 12+ Ways to Hack Multi-factor Authentication by Roger Grimes

​The Identity and proof factors are stored in at least one database.  That storage is often not on the server directly involved in the authentication.  MFA solutions are offered by hundreds of third-party vendors.  These third-party storage locations are a possible point of compromise in your security.  Companies need to know where authentication proofs are stored, who has access to the locations, and how trustworthy that storage is. 
​
Always make sure your authentication storage is being aggressively monitored and restricted to just a few essential administrators.  The authentication process cannot be trusted if the storage is not secure.
Of course, like everything with cybersecurity, it is the user that is the weakest link.  Learn more about how to get your employees to embrace cybersecurity protocols and create a Culture of Cybersecurity.

​This is a basic overview to get you headed down the right path.  We haven’t even touched on the different kinds of factors, authenticator apps, security key hardware… the list goes on. You want to make sure you are consulting an IT resource when picking which is the best type for your protection.
(Blatant self-promotion - Leeward Business Advisors is an amazing IT resource!)
OTHER RESOURCES
  • This free webinar from KnowBe4 is about the use and vulnerabilities of MFA.  The first part explains about MFA and the remainder of the webinar shows how MFA can be hacked and how you can protect yourself from those attacks.  12 Ways to Defeat Multi-factor Authentication
  • Multi-factor Authentication Basics and How MFA Can Be Hacked
  • 6 Must-dos When Preparing Your Business for Multi-factor Authentication
As always, your questions and comments are encouraged.  You can also tell me what else you would like to learn about using the "Ask Me" section at the top right of the blog page.

​Michael Polzin, CEO Leeward Business Advisors

Cybersecurity is a Work Issue, Right?

10/1/2020

It is if you have nothing in your home that is connected to the Internet.  So basically, no.  Think about all the devices you use every day that are connected online.  Each one of those endpoints is a door that opens to your information.

​“Why would hackers want my information?”

Whether you are working from home or just like to play Candy Crush on your smart phone while streaming a movie, you are vulnerable to cyber-attacks.  In fact, hackers know that you don’t have an IT department in your house watching out for you, making you an even more desirable target.  Every endpoint you have is an entryway for cyber predators.​
Think of all the information about you and your family that is accessible online: medical records, financial records, where you live, where your kids go to school, passwords to… well everything.  All these pieces of information have a value on the dark web (a hacker’s candy store).  They can even hack into security cameras and see directly into your home.

And it doesn’t take a lot of effort for the hackers.  In fact, most bad guys don’t look like bad guys.  They sit in a room running artificial intelligence (AI) programs that automatically crawl the web looking for unlocked doors and windows, thousands at a time.  This means they can find a lot of information quickly that adds up to a pretty paycheck for their limited efforts.
“How do I know if my home is cybersecure?”
The good news is there are tons of resources out there to help you protect your devices and you.  You can take self-assessments and scan for vulnerabilities (Bitdefender is a great place to start). If your employer has an IT department, they may have more advice for you.  Make sure to keep up on what is new and trending.  Hackers adapt their methods quickly and each new technology brings its own vulnerabilities. ​

How do I protect my home network from hackers?

Start paying attention and think like a hacker.  Hackers are crafty and gather your information in very clever ways. 

Have you ever filled out one of those fun questionnaires on social media?  You know, the ones that provide all kinds of fun little facts about you like where you went to elementary school, your pet’s name, your favorite color….  Guess what?  Those are often the questions used to verify you are who you say you are when you log in or change a password.

Some basic “must do” steps to make you less of a target:
  • Don’t use public wi-fi
  • Use a secure password manager to help you remember what your passwords are - and change them often
  • Check the preset privacy options on all your devices and adjust them for optimum safety
  • Don’t assume the security software that comes with your hardware is really the best option
  • Beware of not only phishing emails, but fake social media profiles and requests that look like they came from someone you know
  • Don’t use free or unknown USB drives - a favorite way to sneak malware into a network or device
  • Delete bloatware
  • Make sure when backing up your data to the cloud, it is secure
  • Always, always, always do the suggested updates and patches so you have the latest security updates (I know it is annoying, but so is being a victim of an attack)

LEARN MORE
​
Check out these other helpful resources
The Dangers of Hacking and What a Hacker Can Do to Your Computer
Internet Safety: How to Protect Yourself Against Hackers
National Security Agency Central Security Service

As always, your questions and comments are encouraged.  You can also tell me what else you would like to learn about using the "Ask Me" section at the top right of the blog page.

​Michael Polzin, CEO Leeward Business Advisors

"Just because I am aware, doesn’t mean that I care." - Creating a Culture of Cybersecurity

10/1/2020

The concept of cybersecurity isn’t a new one.  Unless you have been too busy playing Oregon Trail on your Commodore 64, you have probably heard about malware attacks, viruses, ransomware, phishing… the list goes on.  Whether you are a huge company with hundreds of employees, or you are your only employee, it must be addressed.

So, if we are all aware of it, why do so many cyber-attacks and breaches still occur?  Because your cybersecurity is only as good as the people who use it.  The human element is the weakest link in your cybersecurity plan.  While cybersecurity may be a priority for you and your IT department, your employees might be more focused on wading through their inbox, meeting deadlines, and balancing their work/home lives.  Once you have cybersecurity plans, procedures, and policies implemented, you need to engage all your employees in following them. 

​How do I get my employees to care about cybersecurity?
​
​
​The good news is that you can create a culture of cybersecurity within your business that supports and promotes good security-hygiene for all employees.  Two key elements of a strong cybersecurity culture are: buy-in and training.

​
BUY-IN
​

Successful cybersecurity requires every part of your organization being concerned and on the same page.  Understanding the why is as important as understanding the how.   Each department plays a role in building and maintaining the culture.

Senior leadership is not only responsible for monitoring the culture and making changes for organization-wide collaboration; they are visible to the entire organization and need to model good cybersecurity behavior.  HR should help employees understand the importance of cybersecurity procedures, gather feedback to inform changes, and ensure reporting and accountability.  The IT staff bridge the business, operational, security, and technology requirements necessary to create and maintain the culture.  They can help simplify policy adoption and ease of use, as well as assess risk and develop strategy.  All these steps help users understand the importance and take ownership of their part in the plan.
TRAINING
​Cybersecurity training isn’t something you do once a year and check off your list.  Threats are fluid and you need to be continually revising your plan to make sure you are not only addressing each issue one at a time, but continue to use each situation to adapt and build a stronger wall of protection.
​

Many businesses continue to invest in hardware and software to protect them from cyber-attacks, but do not budget for training.   If you do not train your employees how to use the security plans you have in place, you are not getting the most out of those investments.

​How do I manage my cybersecurity?
​
What if you don’t have an IT department or other employees tasked with monitoring and developing an action plan?  There are many IT service providers (Hey, how about checking out how Leeward Business Advisors can integrate into your team to support your IT needs?)  and cybersecurity training programs (KnowBe4 is excellent) that can help you manage your cybersecurity needs.  

An investment in a sound cybersecurity action plan can save you the expense of remediation and attacks.
LEARN MORE

Here are some helpful resources to continue learning about how to develop a cybersecurity action plan to protect your business and customers.
​
National Institute of Standards and Technology U.S. Department of Commerce
KnowBe4 Security Culture Survey
PWC’s Workforce Pulse Survey
TechRepublic Article on Employee Engagement
​As always, your questions and comments are encouraged.  You can also tell me what else you would like to learn about using the "Ask Me" section at the top right of the blog page.

​Michael Polzin, CEO Leeward Business Advisors

Four Basic Elements of a Business Network

4/27/2020

For more details about each element...
Router
Firewall
Switches
Wireless Access Points

Sonder

3/11/2020

A successful leader needs to meet people where they are at, invest in their holistic development, and be fully committed to mutual success. Anything less is likely to put your organization on a path to a degraded culture that can lead to an unnecessarily high turnover rate.
A poorly performing culture and consistently high rate of exodus will hit your bottom line hard and fast. Over time, it can start to impact your top line revenue as unhappy employees tend to create unhappy customers. One need not look any further than bi-partisan politics to see that when mutual success is not a priority, calamity and frustration can ensue.
What is Maslow's Hierarchy of Needs?

Early in my management career I was introduced to Maslow's Hierarchy of Needs through the lens of leadership. If you are not familiar with Maslow’s theory, here is a quick overview.
[Figure: Maslow's Hierarchy of Needs pyramid]
The needs at the base of the pyramid must be met before people can move on to needs higher up on the hierarchy. 
Why aren't I as happy as everyone else?

​It seems quite commonplace for people to assume only they themselves have complicated and sometimes messy lives. We tend to look upon others and assume they are happy and whole. We glean this assumption from minimal evidence gathered while observing their emotional facade. ​Our opinion of their life comes from our observation of their smile, happy social media posts, and that one afternoon we spend at their house watching the Superbowl.

​Every now and then, we get a glimpse into another personal reality and only then realize how many hurdles they must clear every day, just to make it to work. The online world of social media and blogging even has a word for it, sonder. ​
sonder
n. the realization that each random passerby is living a life as vivid and complex as your own—populated with their own ambitions, friends, routines, worries and inherited craziness—an epic story that continues invisibly around you like an anthill sprawling deep underground, with elaborate passageways to thousands of other lives that you’ll never know existed, in which you might appear only once, as an extra sipping coffee in the background, as a blur of traffic passing on the highway, as a lighted window at dusk.

​The best employees, the most successful people, are self-actualizing. They develop a drive and desire within them to be better, do better, and often lift up those around them. These are often the people among us that have great ideas, drive innovation, seem to effortlessly tackle that big project and then do not brag about it.

In my personal experience, co-workers and good leaders, that were self-actualizing, did all those things and then still found time to help and mentor me, and were happy to do so! There simply is no book, college course, or weekend seminar to achieve self-actualization overnight. It is, instead, a journey. Often the path is riddled with derailments, resets, and setbacks. The journey never really ends.

As with any journey, most of us need a guide. While Google Maps has made many great advances, they still have not quite figured out a GPS feature for our lives. The role of guide can, and in my opinion should, be filled by a good leader.

Given the simplicity of meeting people where they are at, it perplexes me that so few leaders and companies pursue this approach within their corporate culture. It is even further baffling when, as I have, you see firsthand the benefits of this approach and still do not commit to it. To be fair, I slip up from time to time and catch myself failing to follow my own advice in some situations. Regardless of my human fallibility, it is always my intention to meet people where they are at and it is also a skill that must be in continual development.
Here is a detailed framework of how to shift your leadership style to consistently meet people where they are at:
Step 1: Listen to people with a commitment to hear them.
Step 2: See Step 1.
How can I be a better leader?

Granted, the details of this framework are much easier to type than it is to practice its practical application. The good news is you need not be an expert day one. The biggest hurdle I see most leaders face is making the time to ask someone how they are doing and then commit to the conversation to work past the happy facade. Some of the worst managers I ever worked for intentionally took an opposite approach. If anyone has ever told you to ‘check your baggage at the door’, and you were not standing at the jetway of a plane, you have experienced the negativity of that tactic.
MANAGERS
An employee with a less than ideal attendance record gets called into their manager’s office.
Manager: This is not the first time I had to review the attendance policy with you. I am submitting a formal write up to HR. The next time this happens, you will be fired.
​

Employee: I am sorry, it won’t happen again.
Two weeks later the employee is late again and the manager fires them on the spot.
Do you see any reason this manager was not justified in their approach or any reason to not support firing the employee? They violated the attendance policy, they were warned, they re-offended, they were fired. Seems pretty cut and dry by any employee handbook standards. However, let’s try a different approach, let’s explore sonder and Maslow’s hierarchy of needs this time around.
LEADERS
An employee with a less than ideal attendance record gets called into their leader’s office.
Leader: Thank you for making time to meet with me. Are you doing okay?

Employee: I’m fine, thank you.

Leader: Do you know why I wanted to meet with you?

Employee: I’m sorry I was late again, is that what this is about?

Leader: Would you please help me understand what barriers are keeping you from getting to work on time?

Employee: Well, as you know, my father has been sick. My mother was taking him to his doctor appointments, but fell recently and won’t recover enough to drive for a few more weeks. My parents can be a bit forgetful and have been asking me at the last moment to help get dad to the doctor.
I keep thinking I can get there and back in time, but it has been one thing after another. Today, his doctor was 20 minutes late to start the appointment and then they changed my dad’s medication and I had to wait for the pharmacy to fill the new prescription.
Two weeks ago I got a flat tire on the way back and it took me nearly an hour to get it changed on the side of the road with my ailing father in the car unable to help.


Leader: I am very sorry you and your family are having a difficult time. I understand caring for a loved one can be difficult and complicated. Did you discuss this with your manager?

Employee: Yes, they told me my parents don’t work here and it is not this company’s responsibility to shuttle people to doctor appointments. He said if I was late again it would cost me my job.
Part of my income is going to help cover the cost of my dad’s treatments and I really need this job, but he has no one else to get him to the doctor.


​Leader: It sounds like you are in the middle of a very frustrating situation without a lot of options. I want to help, because I want you to be fully supported in your role and our company wants you to be successful here.
There are a few non-profit organizations in town that can provide medical transportation services. Also, it might be possible for your dad to authorize you to be informed by the doctor of scheduled appointments. Perhaps if you can talk to the doctor and pick an appointment time with less risk of conflicting with your work schedule it might be easier to balance.
​We could also explore a temporary change in your working schedule, if we could start your shift 30 minutes later on the days your dad has an appointment, would that help?
The leader and employee come up with a plan.  Expectations and consequences are outlined and monitored.  The employee is heard, helped, and held accountable.
LISTEN
This fictitious scenario is based on a number of very similar situations I have helped my employees navigate. Listening with a commitment to hear, can uncover a number of viable solutions that provide a mutual benefit. Just because you as an experienced leader can think of several solutions, it does not mean your employees have the same knowledge or experience to help them navigate. 

​If you have the mentality of a manager, you may read this and think, this is not my job, I do not have time to waste on employees that cannot show up on time, why don’t they just have someone else deal with his dad, and so on. If you have the mentality of a leader, and meet this employee where they are at, your reaction will be much different.

A quick recall of the Maslow Hierarchy will remind a leader that, at this moment of life, your employee is operating at the very low end of the needs pyramid. They are worried about their “safety needs” and might even have some ongoing concerns in the “physiological needs”. A rather simple, and brief, check-in with this employee and a few supportive suggestions could quickly move this employee up a few levels.
How can I improve our corporate culture?

An amazing, and frequent outcome of this approach is a corporate culture that prioritizes the well being of each other. A team guided by a leader that consistently meets them where they are at can form a strong culture within the team. As that grows, peers will invest in each other’s success and increase their personal commitment to their team and the entire company. Additionally, time spent helping an existing employee overcome life’s challenges is less expensive and less time consuming than hiring a replacement and repeating the cycle.
MEET THEM WHERE THEY ARE AT
In our company this element of our culture is very strong. Employees have helped each other overcome housing challenges, coordinated car pools to resolve transportation issues, backed each other up when babysitters fall through, and much more. It has not stopped there. Our employees treat our customers with the same "meet them where they are at" approach and listen with a commitment to hear them. Instead of serving our customers at arm’s length, our team becomes a part of their team and a partnership is built and nurtured with every interaction.
​
There will be bad actors. It seems to be an unfortunate inevitability. Putting this approach in practice can expose your organization to the risk that someone will take advantage of your support. The best counter measure is to ensure your company policies and employee handbook have a complementary framework. If an employee repeatedly misses agreed upon remediation goals and their performance is still missing the mark, dismissal may still be the best outcome for both parties. As a leader, you will know you did everything possible to help the employee be successful, even if the final outcome means they need to find their success elsewhere, they will still be better off for your guidance and demonstration of compassion.
​
​As always, your questions and comments are encouraged.  You can also tell me what else you would like to learn about using the "Ask Me" section at the top right of the blog page.

​Michael Polzin, CEO Leeward Business Advisors

    Author

    Michael Polzin is the CEO of Leeward Business Advisors. He has over 25 years experience in Information Technology.

520 58th Street, Kenosha, WI 53140
(262) 358-4116  contact@LeewardBA.com