Facebook-f Twitter Linkedin-in

bad actors

The Necessity of Dark Web Monitoring

by

Protect your identity and business with a consistent watchdog service

We’ve all read about the constant barrage of cyberattacks on businesses and the nightmare that comes from having your personal identity stolen. There are ways to reduce the odds that your business will suffer such an attack or that your personal information will be hacked. One of the best methods for protecting both your business and your identity as well as that of your family is consistent monitoring of the Dark Web.

What Is the Dark Web?

The Dark Web is just what it sounds like. It’s the shady side of the internet. The Dark Web lays in a sub layer of the internet known at the “Deep Web.” This is a place hidden from conventional search engines where criminals often roam searching for their next victim.

Believe it or not, common search engines including Google, Bing, and Yahoo simply scratch the surface of what is actually available online. Such search engines hunt just .04 percent of the indexed internet. The other 99.96 percent of the web consists of databases, private academic and government networks, and the Dark Web, according to ID Agent, which provides comprehensive threat intelligence and identity monitoring solutions for both individuals and businesses through ORAM Corporate Advisors.

What Threat Does the Dark Web Pose?

Not only is the Dark Web a place that threatens your personal identity but it can endanger your business as well. This is a place where the signature pieces of your personal identity (name, date of birth, stolen passwords, and even social security numbers) can be sold daily to the highest bidder. Everything from your credentials such as email logins, passwords, and usernames can be found there.

With such personal information, criminals can hack your email, your bank accounts, and more. They can open new credit card accounts in your name without your knowledge and rack up untold sums of debt before you’re even aware there’s a problem. The threat of personal identity theft can extend beyond you as well to other family members such as your spouse, your children, and your parents.

The loss of such personal information can be devastating to your business, too. Critical business information such as business applications, email, and other online services can be penetrated with your personal information. Logins and passwords can be changed, business information can be accessed and stolen, and your organization can be brought to a complete halt with the personally identifiable information (PII) bad actors are hocking on the Dark Web. Read the ORAM blog “The Dark Web: What It Is, How It Impacts Your Organization, and Ways to Protect Your Business” for more detailed information about the severity of the threat your business faces as a result of the Dark Web.

Protecting Yourself, Your Family, and Your Business

The most effective way of protecting your PII, your family members’ PII, and your business is through Dark Web monitoring. ORAM uses SpotLight ID, which employs Dark Web ID, to monitor your identity and that of your covered family members. Through leveraging Dark Web ID, ORAM focuses on the cyber threats specific to you and the environment you work in. Our proprietary software continuously monitors the Dark Web and the digital criminal underground to determine if our clients’ credentials have been exposed.

With SpotLight ID, ORAM searches for your personal information on the Dark Web. If found, your data is harvested to protect it from typical hacker sites such as Pastebin. Many such sites frequented by cybercriminals require a membership and credibility to enter. Our monitoring system allows us access to search more than 500 internet relay chatroom (IRC) channels, 600,000 private websites, and 600 Twitter feeds utilized by bad actors.

Furthermore, SpotLight ID executes 10,000 queries daily to help monitor and protect your identity and those of the people you love. We also monitor and source information from hidden theft forums, peer-to-peer file sharing programs and networks, and social media. We can even find compromised data harvested through botnets and command and control (C2) servers.

Be On Alert

If your information is identified on the Dark Web, we notify you immediately. This allows you the opportunity to change your logins and passwords before cybercriminals can take advantage of the information they have. This also gives you time to consult with your business’s internal or external IT team as soon as possible to determine if a data breach or cyber incident has occurred using your credentials. Such monitoring and notification can buy your business the time it needs to change your username, login, and password before cybercriminals can strike against it.

In addition to monitoring the Dark Web for your PII, ORAM will alert you if someone actively targets you or your covered family members’ social media profiles. You’ll also receive instant updates, alerts, and access to your credit from all three major credit bureaus if something changes with your credit or that of your covered family members.

Monitoring of the Dark Web also gives you peace of mind that your identity and that of family is covered. With a team of U.S.-based Certified Identity Restoration Specialists, ORAM will work to completely restore your identity should the worst happen, even if the issue began before you enrolled for coverage. You can take even more comfort in knowing that with SpotLight ID, you have up to $1 million in identity insurance to cover related restoration expenses if needed.

If you are interested in learning more about SpotLight ID or registering in one of our affordable and flexible plans, contact ORAM Corporate Advisors online now or call us at (617) 933-5060. The cybersecurity experts at ORAM are here to protect you, your family, and your business from the threat of cybercrime.

Major components of a solid cybersecurity plan for businesses

by

It happens every day. Businesses of all sizes experience data breaches which can lead to the loss of proprietary or private client data, damage a company’s reputation, or even unleash lawsuits. The consequences can be so damaging, in fact, that an organization may face closure as a result.

In addition to the aforementioned concerns, small to medium-sized businesses face additional challenges that larger businesses often don’t; a lack of IT personnel, funding for strong IT, and knowledge for developing a cybersecurity plan, for example. With that said, there are several major components every business owner and leader should consider when creating a solid cybersecurity plan that will serve to best protect their organization.

IT Audit
The first step in creating a cybersecurity plan for your business is to conduct an IT audit. An IT audit is when your company’s information technology (IT) infrastructure, policies, and operations are examined and evaluated for security purposes and to see if they measure up to best practices. This will help determine where your security is strong and where it needs improvement.

Information technology audits allow businesses of all sizes to determine if the controls (hardware, software, practices, and policies) they have in place protect the company’s assets, ensure the integrity of data, and align with the organization’s overall goals. These audits are typically conducted by IT auditors who examine the physical security of your business in addition to the security of your information systems ranging from financial controls to your company’s overall business policies.

Some IT organizations such as Oram Corporate Advisors offer free technology assessments to get you started. These free technology assessments can assist in strategically evaluating whether your IT infrastructure is ready to grow, identify areas of opportunity for improvement, and can “red flag” areas that require deeper analysis and adjustments. Just remember that all technology assessments are not created equal and you often get what you pay for.

When it comes to IT audits, they can be expensive, but businesses need to have them to secure their organizational data, assure clients that their information is safe, and to protect their reputation. Additionally, many industries are now required by their state and/or federal government to participate in regular audits among other IT regulations. Be sure to check with your state and federal government to determine if your business is affected by such IT regulations. Your IT auditor should be able to answer these questions for you as well and assist your business with regulatory compliance requirements.

The cost of an IT audit can be prohibitive for many small to medium businesses. As a matter of fact, they can run into the thousands depending on how much work has to be completed to conduct the audit. Fees are typically charged on an hourly basis and can range from IT company to IT company. Most IT auditors should be willing to give you a free estimate, however, so you know what your investment will be.

Employee Training
The next step in developing a solid cybersecurity plan for your business is to train your employees. After all, your employees can be your strongest line of defense or your weakest link. Information technology best practices require regular IT training for all employees.

Every employee should know certain IT rules such as not opening emails or attachments from unknown or untrusted sources. Phishing scams are one of the most common ways hackers attempt to infiltrate business networks using email. Other items employees should be trained on include spear-phishing, executive whaling, and malware. Training should also include specific company IT policies and procedures that support better data security. Employees should also be trained in a myriad of other topics such as the proper disposal of confidential data (both digital and hard copy), how to handle requests for information, and how to report a suspected breach.

A blog by Forbes magazine online offers small and medium businesses five tips on how to train employees. While these are general training guidelines for any type of employee education, they can also be applied to IT training. In addition to hosting your own educational meetings, most IT companies offer employee training for best IT practices as well. The cost for such training will depend on which company you hire, how frequently you wish to schedule training, and how many employees you have.

Your WISP
The third component of your business cybersecurity plan should be your written information security plan or WISP. This encompasses many items and includes several steps in and of itself. You will need to sit down with an IT specialist and outline a WISP that is specific to your business and the information it holds. Your WISP will need to include the following at a minimum:

Objective– Outlines your WISP including the creation of effective administrative, technical, and physical safeguards for the protection of personal and proprietary information.

Purpose– Outlines what your WISP will do such as ensuring the security and confidentiality of personal information, protect against any anticipated security threats, and protect against unauthorized access or use of information.

Scope– In formulation and implementing your WISP, outline the scope of the plan including reasonably foreseeable internal and external risks, the potential and likelihood of damage caused by such risks, evaluate the sufficiency of your existing IT policies, and design and implement a WISP that puts safeguards into place to protect data. In addition, regular monitoring of the effectiveness of those safeguards should also be included.

Data Security Coordinator– Designate a data security coordinator in your WISP that will implement, supervise, and maintain your written plan. They will head the initial implementation of your plan, train employees, and regularly test the safeguards outlined in the WISP. The security coordinator will also evaluate the ability of each third-party service provider to supply appropriate security measures for information to which they have access. They will also review the scope of the security measures in the WISP and conduct annual training for all employees including the owners, managers, and independent contractors as well as temporary employees who have access to personal information.

Internal Risks– Identify probable internal risks to security, confidentiality, and/or integrity of electronic, paper, or other records containing personal or proprietary information. Also evaluate how to limit such risks and implement necessary measures for reducing them.

External Risks– Identify probable external risks to security, confidentiality, and/or integrity of electronic, paper, or other records containing personal or proprietary information. Also evaluate how to limit such risks and implement necessary measures for reducing them.

Implement Your Plan
Implementing your business’s cybersecurity plan is the next step. This includes adding data security features you have opted to employ in addition to making employee training a reality, integrating new software such as updated anti-virus and/or firewall programs on your network, and updating patches to existing software.
Other layers of your cybersecurity plan should include:

Social Media Education– Hackers can find personal information online from social media sites such as Facebook, Instagram, and LinkedIn that they can use to manipulate employees of companies, getting them to disclose personal or sensitive information. Train employees about social media best practices as well as the use of different passwords for each site, software, or application they use. Emphasize your company’s security protocols as well as IT best practices such as the use of least privilege.

Let’s Get Physical, Security– While you may think your building is secure enough to protect your sensitive data, good hackers know how to penetrate this type of security. Be sure not to leave computers exposed and destroy all hard drives using professional services. Physical security breaches can be avoided by encrypting hard drives, leveraging cloud backups, and enclosing hardware ports exposed to the public. Employing theft recovery software, checking door locks and cameras, and properly disposing of shredded paper also help.

Wi-Fi Protection– Wireless internet can also pose a threat. Wi-Fi signals can extend beyond office walls. A bad actor can connect to your signal from far away and infiltrate your network where they can steal files containing proprietary or personal information. Businesses should employ WPA2 (Wi-Fi Protected Access 2) protocols as they are safer than the old WEP (Wired Equivalency Privacy) or WPA (Wi-Fi Protected Access) protocols. Ensure your router has a strong, unique password that is not easily guessed.

Password Protocols– Passwords should be changed often and kept private. Train employees on this and teach them that the strongest passwords include uppercase and lowercase letters, numerals, and special characters. Additionally, passwords need to be different across all accounts. The best way to remember passwords is to use a password manager. There are some free password managers available but the most secure ones typically charge a small annual or monthly fee. Most also allow businesses to sign up for a membership that covers all employees.

Two-Factor Authentication– Even with difficult, unique passwords on every account, seasoned hackers can often penetrate security. As a backup, it’s best to employ multifactor authentication wherever possible. Most large companies use it including Apple, Google, and Dropbox. Using a mobile number and/or email account, multi-factor authentication provides an added level of security. Your business can also implement it with other applications and services as well. New technology such as facial recognition, fingerprints, and/or ultrasonic sounds are on the near horizon and companies should prepare to employ more secure technologies as soon as they are commercially available.

Email Security– This is the most necessary asset for your business to protect. Once in your email, hackers can reset passwords and wreak all types of havoc so be sure to prioritize protecting company email. Never click links in emails or attachments from untrusted or unknown sources as these could take you to a phishing site that looks like a real website. Using Google Gmail and Google Apps is recommended given they have the best spam, virus, and phishing protections available in addition to multifactor authentication already built in.

Anti-Virus– Keep your anti-virus updated at all times. While this helps protect your email and other sensitive information, new malicious viruses are always being created. That means anti-virus companies are always updating their software to address the threats on their “blacklists.” Consider using a service that employs a “whitelist,” which only allows software and programs that are pre-approved to be downloaded adding extra security to your network.

If you need assistance with conducting an IT audit, crafting an IT plan or WISP, or implementing your plan, contact Oram Corporate Advisors today at (617) 933-5060. You can also reach out to us online. Our professionals are always here to support your business with superior IT and IT services.

Password managers: What you need to know about generating and securing passwords that work

by

By Ryan O’Ramsay Barrett

Being in IT, we hear about it all of the time. A client calls us in distress because they used the same password on multiple websites, social media platforms, and their email and now they’ve been hacked. The bad guys have access to several of their digital platforms, if not all of them, and things are a mess. The worst part is, the entire scenario could have been easily avoided.

One of the simplest and most commonly recommended cybersecurity practices promoted by experts to prevent problems like the one above is for people to use a password manager. Some are free and others cost a small annual fee but all of them are highly recommended over not using one at all.

What is a Password Manager?
A password manager is a type of software that assists in generating and retrieving complex passwords with the goal of improving your cybersecurity. One of the greatest issues is that most people either use the same password on multiple accounts or their passwords as just too simple. Using the same password for multiple sites can increase the risk that you will be hacked or that your business will experience a data breach. Overly simple passwords also make people more susceptible to being victimized by cyber criminals who would love to get their hands into our bank accounts, business data, and personally identifiable information (PII).

Consider a password manager as a vault of sorts, able to store multiple passwords in an encrypted database or produce them on demand. This means you don’t have to reuse the same password for various accounts, memorize them yourself, or write them down.

Regardless of how many passwords you have or how complex they may be, a password manager can keep track of them for you. Additionally, when you need a stronger password for a new account or to better secure an existing one, a password manager can generate a new, complex password for you.

Security Benefits
According to MyGlue, more than 60 percent of all data breaches are the result of weak or stolen passwords. By using more complex passwords that feature uppercase and lowercase letters, numerals, and special symbols, that are unique to each of your accounts, you are protecting vital online information from credit card numbers to the answers to your security questions. Not only is this important in your personal life but it is imperative to your business as well. Password managers help by generating unique, complex passwords that will not be easily guessed by bad actors.

Another sobering statistic is that more than 30 percent of employees keep track of passwords by writing them on Post-it Notes, according to MyGlue. This is not a secure or suggested form of storing passwords. With a password manager, you only have to remember a single master password to access your “vault” with all of your passwords in one place.

Business efficiency is also improved with the use of a solid password manager because employees won’t have to waste time resetting passwords or searching for that sticky note that disappeared. There will also be a reduction in requests to IT for password resets.

Password managers can also simplify shopping. Payment information can be stored in your password manager so that it’s all at your fingertips when you are ready to shop online.

Risks of Password Managers
I know what you’re thinking. If a hacker gets access to your master password, that would allow them access to all of your accounts. Bad actors have also been known to breach the central vault of password managers. The good news is that there are defenses available to address both of these concerns.

First, any password manager worth its weight is going to employ multifactor authentication. This means that when you, or someone else, attempts to access your “vault” of passwords, you will be sent a text or email with an authentication code to log in. If someone were to steal your master code, you would find out via a text message or email. No one can access your credentials without having both the correct password and the right authentication code. This gives you time to change your master password and notify your password manager should a problem arise.

Vendors usually protect master vaults as well by encrypting your password information locally. That information is encrypted and stored, on servers operated by the vendors who, in most cases, employ some of the best cybersecurity measures available. Some of the free password managers don’t offer the same higher level of security that paid password managers do. Be sure to do your research before signing up with a company or touch base with us at Oram so we can recommend one that works best for your needs.

The Cost of Better Security
There are a multitude of password managers available. Some offer free versions but when it comes to the security of your business, remember that you often get what you pay for. With that in mind, at Oram we recommend paying for a password manager as many don’t cost much.

Most password managers offer some sort of free trial period and range from $12 per year to upwards of $50 a month. The cost may depend on the number of devices or users the program is being employed for.

What Oram Recommends
There are so many password managers available that it can be hard to choose one. Some offer features such as photo login options (a form of multifactor authentication), phone support, and use across a wide variety of operating systems. The two that we recommend to our clients are MyGlue and LastPass.

We highly recommend MyGlue because it offers so many options for a low price. First, as a business owner, you will know who accesses what password and when. MyGlue is easy to use, functions well with multiple operating systems and allows you to share training material with your team for the program so no one is lost. Finally, you can avoid hackers by using strong passwords that are secure, keeping your business information such as the PII of employees and clients and your proprietary data safe. MyGlue also employs the highest security measures available.

If MyGlue doesn’t fit your needs, LastPass is the next best option. LastPass works on iOS, Android, Windows, Mac, and Linux operating systems. It offers a variety of subscription options from a single user to families, teams, and enterprises and all are quite affordable. With LastPass, you can simplify online shopping, store digital records, and share passwords and notes with others securely in addition to storing and generating passwords.

If you have lingering questions or concerns about the use of password managers, please call Oram today at (617) 933-5060 or visit us online. Our team is happy to help you select and engage a password manager that meets all of your business needs.