How to Make All Your Accounts Safer With Two-Factor Authentication (2FA)

Nowadays, account security is a major concern for companies and their employees.

It can pose a major threat to your employer if you’re hacked — if someone hacks your Gmail account, for instance, he will have access to company contacts, as well as your calendar, Google Docs, Google Sheets, and other private company information.


For this reason, Duo Mobile and other two-factor authentication apps have risen in popularity.

Two-factor authentication (or 2FA) is a safety process you can enable on any of your devices, including your iPhone, Mac, Gmail account, or social media accounts like Facebook.

Here, we’re going to tell you what two-factor authentication is, and how you can enable (or disable) it on any of your accounts, to ensure your information is protected.

What is two-factor authentication?

To understand what two-factor authentication is, let’s start with an analogy.

Imagine you live in a dangerous neighborhood and have only one lock on your door. Your neighbor down the street, meanwhile, has a top lock and a bottom lock, each opened by a separate key, so anyone trying to break into his apartment has to get past two locks, not just one.

Who’s safer?

Ultimately, two-factor authentication is your neighbor’s top and bottom lock — but for your online accounts. It significantly decreases the risk of getting hacked by combining two methods of protection.

Two-factor authentication uses two methods to ensure you’re the correct user. It combines something you know (e.g. a password) with something you have (e.g. a mobile phone) or something you are (e.g. facial recognition).

For instance, to access my online school account, I need to open the Duo Mobile app on my phone, and input my school account’s password — while a hacker might be able to guess my password, he’s going to have a tougher time hacking into my phone, as well.

How to Turn Off Two-Factor Authentication

It’s relatively easy to turn off two-factor authentication on any of your accounts.

On Facebook, for instance, simply go to “Settings” and then “Security and Login”. Find “Use two-factor authentication”, click “Edit”, and then switch to “Off”.


Alternatively, on Gmail, you’ll want to go to http://myaccount.google.com. Then, select “Security”. Under the “Signing in to Google” section, you’ll see “2-Step Verification”. Click this section.

Next, select “Turn Off” to disable 2-Step Verification for your Gmail account.


It’s important to note, Apple removed the option to turn off two-factor authentication for Apple IDs created in iOS 10.3 or macOS 10.12.4 and later.

However, you have a two-week period during which you can still disable the function. Simply open your iCloud email account and find the enrollment confirmation email, then click the link to return to your previous security settings.

Editor’s note: This post was originally published in March, 2019 and has been updated for comprehensiveness.


Originally published Aug 21, 2020 7:00:00 AM, updated August 21 2020

Topics:

Cyber Security

What Is Phishing and How Can You Protect Your Business From an Attack?

Staff at MacEwan University, a school in Edmonton, Canada, received an email from a major vendor stating they had recently changed their electronic banking information and needed payments to be sent to a new account.

Assuming their trusted business partner was just going through some changes, the university complied and transferred three payments to the new bank account within a span of 10 days.

But four days later, MacEwan University received a phone call from this same vendor asking them why they hadn’t paid their fees yet. Perplexed by the call, the university told them they had just transferred the payments to their new bank account.

The vendor had no idea what they were talking about.

Unfortunately, this bank account didn’t actually belong to MacEwan’s vendor. It belonged to cyber criminals in Canada and Hong Kong. And MacEwan University had just transferred them $11.8 million.

Eventually, the university discovered the email requesting them to transfer their payments to the new bank account was actually fraudulent and a prevalent form of cyber attack that thousands of businesses fall victim to every year — phishing.


Examples of these credentials include passwords, credit card details, bank login information, and social security numbers.

Most cyber criminals deploy phishing attacks through email, like the picture below, but some have also started to exploit social media, messaging apps, and text message to steal people’s personal information.

Phishing instances have risen in number over recent years — in fact, there were over 60,000 phishing sites reported in March of 2020 alone. This cybercrime could wreak havoc on your brand and bottom line.

So how do you defend your customers and employees from phishing without making them your brand’s first line of defense?

Here are three shields you can leverage to protect your brand from these prevalent attacks.

How to Protect Your Business From Phishing Attacks

1. Build a DMARC record.

DMARC (Domain-based Message Authentication Reporting and Conformance) is a cutting-edge email authentication protocol that leverages two other authentication protocols, SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail) to verify legitimate messages sent from your domain and block fraudulent emails that appear to be sent from your domain.

These email authentication protocols are rather technical, so in a nutshell: SPF is a DNS record of the IP addresses authorized to send email on your behalf, which receiving email providers check against, and DKIM is a verification process that uses cryptographic signatures.

DMARC is the only technology that can ensure your “header from” address (what your users usually look at first when they see your emails) is trustworthy.

To do this, receiving mail servers treat a message as DMARC-authenticated only if it passes SPF authentication together with SPF alignment, or DKIM authentication together with DKIM alignment (alignment meaning the authenticated domain matches the “header from” domain). A message that fails on both sides, SPF authentication or alignment and DKIM authentication or alignment, fails DMARC.


DMARC also lets you tell email service providers what to do with any fraudulent mail that appears to be sent from your domain. You can either just monitor all of your email, have unauthenticated messages moved to users’ spam folders, or decide that this type of mail should not be delivered to inboxes at all.

Additionally, email service providers will regularly send you forensic DMARC reports, showing you which emails are authenticating, which ones are not, and why.
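To make the pass/fail rule concrete, here is an added example (not from the original post, and not any provider’s code) of the DMARC evaluation a receiving mail server performs once it has the SPF and DKIM results in hand. The AuthResults values and the DMARC TXT record are constructed; org_domain is a deliberate simplification that takes the last two labels, where real receivers consult the Public Suffix List.

```python
from dataclasses import dataclass


@dataclass
class AuthResults:
    """What the receiving server already knows before DMARC runs (all values constructed)."""
    header_from: str    # domain of the visible From: header, the one DMARC protects
    spf_result: str     # "pass", "fail", "softfail", "none", ...
    spf_domain: str     # domain SPF was checked against (envelope MAIL FROM)
    dkim_result: str    # "pass", "fail", "none"
    dkim_domain: str    # d= tag of the DKIM signature, "" if unsigned


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...' into its tags.

    adkim/aspf default to relaxed ('r') alignment, as in RFC 7489.
    """
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + txt)
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): organizational domain = last two labels.
    # Real receivers use the Public Suffix List so 'example.co.uk' is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_dmarc(res: AuthResults, record: str) -> tuple[str, str]:
    """Return (dmarc_result, disposition).

    DMARC passes when SPF passed AND its domain aligns with the From: domain,
    OR DKIM passed AND its d= domain aligns. Otherwise the record's p= tag decides
    what the receiver does: none (monitor only), quarantine (spam folder), reject.
    """
    policy = parse_dmarc(record)
    spf_ok = res.spf_result == "pass" and aligned(res.header_from, res.spf_domain, policy["aspf"])
    dkim_ok = res.dkim_result == "pass" and aligned(res.header_from, res.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


# Constructed record published at _dmarc.example.com for the brand domain
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

# Legitimate bulk mail: bounces go to a subdomain, but DKIM is signed with the main domain
LEGIT = AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com")

# Spoof: the attacker's own server passes SPF for *its* domain, but nothing aligns with the From:
SPOOF = AuthResults("example.com", "pass", "mail.attacker-domain.test", "none", "")

if __name__ == "__main__":
    for name, res in (("legit", LEGIT), ("spoof", SPOOF)):
        print(name, evaluate_dmarc(res, RECORD))
```

The spoof case shows why SPF alone is not enough: the attacker’s mail passes SPF for the attacker’s domain, and only the alignment check against the visible From: domain catches it.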

2. Train customers and employees to spot an attack.

According to PhishMe, a phishing defense solution, companies that train employees to identify and report attempted phishing attacks only have a 5% susceptibility rate to phishing.

To help employees and customers spot one of these attacks and better defend your business, teach them these common phishing markers:

Poor Spelling, Grammar, or Writing

A lot of amateur cyber criminals don’t take the time to craft clear and convincing emails, which brands always seem to do, and foreign cyber criminals will usually rely on Google Translate to translate their messages. So if you receive a poorly written email from a seemingly legitimate sender, take caution.

Suspicious URLs

Most phishing emails lure people into clicking through to a malicious or fake website. To do this, cyber criminals will usually spoof the website’s URL by creating a lookalike one, or they’ll mask their dodgy URL by shortening it.

Whenever you see a weird or shortened URL, make sure you hover your mouse over it to see if the landing page’s web address is different or fake.

Mismatched Sender Address

Even if a cyber criminal can perfectly imitate your brand’s voice, formatting, logo, address, and contact email address in their phishing email, there’s still a trait of yours they can’t copy — your sender address.

Cyber criminals will usually create a lookalike sender address or just use a string of characters in hopes that you won’t check it. To verify a brand’s sender address, check out the sender’s domain in the email’s “from” header and see if it matches the brand’s domain.
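The three markers above can also be checked by a mail filter before a message reaches anyone’s inbox. The following is an added example (not the post’s own code, and not Proofpoint’s or Barracuda’s) that flags a sender domain that does not match the brand, a lookalike domain, a shortened link, and link text that displays one address while pointing at another. BRAND_DOMAIN, the SHORTENERS list, the homoglyph folding table and the two sample messages are all constructed for illustration.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_DOMAIN = "example.com"                              # assumption: the domain the brand really mails from
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # illustrative, not exhaustive


def fold_lookalikes(domain: str) -> str:
    """Fold character swaps common in lookalike domains (constructed mapping, not exhaustive)."""
    folded = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        folded = folded.replace(fake, real)
    return folded


def sender_domain(from_header: str) -> str:
    """Domain of the address in the From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_brand(domain: str, brand: str = BRAND_DOMAIN) -> bool:
    return domain == brand or domain.endswith("." + brand)


def is_lookalike(domain: str, brand: str = BRAND_DOMAIN) -> bool:
    """True for a domain that is not the brand's but looks like it (homoglyphs or a near-typo)."""
    if not domain or is_brand(domain, brand):
        return False
    a, b = fold_lookalikes(domain), fold_lookalikes(brand)
    return a == b or difflib.SequenceMatcher(None, a, b).ratio() >= 0.85


def extract_links(html: str):
    """Yield (href, visible text) for each anchor tag."""
    for m in re.finditer(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        yield m.group(1), re.sub(r"<[^>]+>", "", m.group(2)).strip()


def host_shown_in_text(text: str):
    """If the link text itself looks like a URL or hostname, return that host."""
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def phishing_indicators(raw_email: str, brand: str = BRAND_DOMAIN) -> list:
    """Return the phishing markers found: mismatched/lookalike sender, shortened or deceptive links."""
    msg = message_from_string(raw_email)
    findings = []
    dom = sender_domain(msg.get("From", ""))
    if dom and not is_brand(dom, brand):
        findings.append(f"sender domain {dom} does not match {brand}")
        if is_lookalike(dom, brand):
            findings.append(f"sender domain {dom} is a lookalike of {brand}")
    payload = msg.get_payload(decode=True) or b""
    for href, text in extract_links(payload.decode("utf-8", "replace")):
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened link {href} hides its destination")
        if is_lookalike(host, brand):
            findings.append(f"link host {host} is a lookalike of {brand}")
        shown = host_shown_in_text(text)
        if shown and shown.lower() != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return findings


# Constructed sample messages (not real mail)
PHISH = """From: "Example Billing" <billing@examp1e.com>
To: user@victim.test
Subject: Invoice overdue
Content-Type: text/html

<p>Please review your invoice at <a href="http://bit.ly/xyz">https://example.com/invoice</a></p>
"""

LEGIT = """From: Example <noreply@mail.example.com>
To: user@victim.test
Subject: Your invoice
Content-Type: text/html

<p><a href="https://example.com/invoice">View invoice</a></p>
"""

if __name__ == "__main__":
    print(phishing_indicators(PHISH))
    print(phishing_indicators(LEGIT))
```

The “hover over the link” advice from the post is exactly the last check: the visible text says example.com, the href goes somewhere else. Heuristics like these produce false positives on their own, so in practice they feed a score or a review queue rather than a hard block.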

3. Invest in email security software.

If your company has the funds, email security software like Proofpoint and Barracuda are the most reliable and effective lines of defense against phishing.

Well-versed employees can still fall victim to cleverly-crafted phishing emails and cyber criminals constantly refine their malicious tactics, like sending phishing emails from the legitimate domains of compromised websites.

But since email security software can identify unusual traffic patterns and monitor fishy URLs, it can effectively detect, block, and respond to these sophisticated threats before they reach your customers’ and employees’ inboxes.

Avoid Getting Snagged

Arm yourself with DMARC, thorough employee training, and the best-fit email security software for your specific systems and situation, to shield your customers, employees, and brand from phishing attacks — no matter how enticing the bait is.

Editor’s note: This post was originally published in December, 2018 and has been updated for comprehensiveness.


Originally published Aug 21, 2020 6:00:00 AM, updated August 21 2020


The Ultimate Guide to Cybersecurity

If I asked you to list the most valuable things you own, how would you answer? I guess this would be another way of asking the infamous “What would you grab if your house was on fire?” question.

For me, I’d grab an old keepsake box filled with things from my childhood, my engagement ring, my phone and computer (for pictures and writings!), and an old Iowa sweatshirt of my dad’s.

But I’d also have to say that my identity, social security number, credit cards, and bank accounts are valuable to me.


While these things can’t exactly burn down in a fire, they can be stolen … and if I were to ask a computer hacker what they thought my most valuable possessions were, they’d probably quote the intangible.

That’s why we’ve compiled this guide on cybersecurity. Below, we’ll talk about why you should care about cybersecurity, how to secure your and your customer’s digital data, and what resources to follow to stay up-to-date with emerging tech.

Personal data is incredibly valuable. Hackers know it, and businesses know it. That’s why both go to great lengths to collect it — albeit one following a much more legal and moral avenue to do so.

Unfortunately, as technology and data collection practices progress, so do the methods that hackers follow to steal data. As business owners, we have a special responsibility to protect our customers’ data and be transparent with our practices.

Why You Should Care About Cybersecurity

In the first half of 2019, data breaches exposed over 4 billion records. Moreover, a recent study found that hackers attack every 39 seconds — that adds up to, on average, 2,244 attacks per day.

Small to medium-sized businesses (SMBs) are especially at risk. You might see corporations like Target and Sears topping the headlines as top data breach victims, but it’s actually SMBs that hackers prefer to target.

Why? They have more — and more valuable — digital assets than your average consumer but less security than a larger enterprise-level company … placing them right in a “hackers’ cybersecurity sweet spot.”

Security breaches are frustrating and frightening for both businesses and consumers. Studies show that, after a company data breach, many consumers take a break from shopping at that business — and some consumers quit altogether.

But cybersecurity is about more than just avoiding a PR nightmare. Investing in cybersecurity builds trust with your customers. It encourages transparency and reduces friction as customers become advocates for your brand.

“Everyone has a role in helping to protect customers’ data. Here at HubSpot, every employee is empowered to solve for customer needs in a safe and secure way. We want to harness everyone’s energy to provide a platform that customers trust to correctly and safely store their data.” — Chris McLellan, HubSpot Chief Security Officer


Cybersecurity Terms to Know

Cybersecurity is a very intimidating topic, not unlike cryptocurrency and artificial intelligence. It can be hard to understand, and, frankly, it sounds kind of ominous and complicated.

But fear not. We’re here to break this topic down into digestible pieces that you can rebuild into your own cybersecurity strategy. Bookmark this post to keep this handy glossary at your fingertips.

Here’s a comprehensive list of general cybersecurity terms you should know.

Authentication

Authentication is the process of verifying who you are. Your passwords authenticate that you really are the person who should have the corresponding username. When you show your ID (e.g., a driver’s license), the fact that your picture generally looks like you is a way of authenticating that the name, age, and address on the ID belong to you. Many organizations use two-factor authentication, which we cover later.

Backup

A backup refers to the process of transferring important data to a secure location like a cloud storage system or an external hard drive. Backups let you recover your systems to a healthy state in case of a cyber attack or system crash.

Data Breach

A data breach refers to the moment a hacker gains unauthorized entry or access to a company’s or an individual’s data.

Digital Certificate

A digital certificate, also known as an identity certificate or public key certificate, is a type of passcode used to securely exchange data over the internet. It’s essentially a digital file embedded in a device or piece of hardware that provides authentication when it sends and receives data to and from another device or server.

Encryption

Encryption is the practice of using codes and ciphers to encrypt data. When data is encrypted, a computer uses a key to turn the data into unintelligible gibberish. Only a recipient with the correct key is able to decrypt the data. If an attacker gets access to strongly encrypted data but doesn’t have the key, they aren’t able to see the unencrypted version.

HTTP and HTTPS

Hypertext Transfer Protocol (HTTP) is how web browsers communicate. You’ll probably see an http:// or https:// in front of the websites you visit. HTTP and HTTPS are the same, except HTTPS encrypts all data sent between you and the web server — hence the “S” for security. Today, nearly all websites use HTTPS to improve the privacy of your data.

Vulnerability

A vulnerability is a place of weakness that a hacker might exploit when launching a cyber attack. Vulnerabilities might be software bugs that need to be patched, or a password reset process that can be triggered by unauthorized people. Defensive cybersecurity measures (like the ones we talk about later) help ensure data is protected by putting layers of protections between attackers and the things they’re trying to do or access.

A cyber attack is a deliberate and typically malicious attempt to capture, modify, or erase private data. Cyber attacks are committed by external security hackers and, sometimes, unintentionally by compromised users or employees. These cyber attacks are committed for a variety of reasons. The majority are looking for ransom, while some are simply launched for fun.

Here are the four most common cyber threats.

1. Password Guessing (Brute Force) Attack

A password guessing (or “credential stuffing”) attack is when an attacker repeatedly tries to guess usernames and passwords. This attack will often use known username and password combinations from past data breaches. An attacker succeeds when people use weak passwords or reuse the same password across different systems (e.g., when your Facebook and Twitter passwords are the same). Your best defense against this kind of attack is using strong passwords, avoiding the same password in multiple places, and using two-factor authentication, as we discuss later.
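From the defender’s side, password guessing and credential stuffing leave a recognisable pattern in authentication logs. As an added example (not from the original post), the code below parses constructed login records and raises an alert when one source address fails against many different usernames in a short window (credential stuffing, i.e. leaked username/password pairs being replayed) or many times against a single username (brute force). The log format, the addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO timestamp> ip=<addr> user=<name> result=<fail|success>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse_line(line: str):
    """Parse one log line into (timestamp, ip, user, result); None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["ip"], m["user"], m["result"]


def detect_login_attacks(lines, window=timedelta(minutes=5), stuffing_users=5, brute_force_fails=10):
    """Map source IP -> sorted list of alert kinds.

    credential_stuffing: one IP fails against at least `stuffing_users` DIFFERENT usernames
                         inside `window`
    brute_force:         one IP fails at least `brute_force_fails` times against ONE username
    The thresholds are assumptions to tune against your own traffic.
    """
    failures = defaultdict(list)
    for parsed in (parse_line(line) for line in lines):
        if parsed and parsed[3] != "success":
            ts, ip, user, _ = parsed
            failures[ip].append((ts, user))

    alerts = defaultdict(set)
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # every failure from this IP within `window` of the i-th one
            in_window = [user for ts, user in events[i:] if ts - start <= window]
            if len(set(in_window)) >= stuffing_users:
                alerts[ip].add("credential_stuffing")
            if max(in_window.count(u) for u in set(in_window)) >= brute_force_fails:
                alerts[ip].add("brute_force")
    return {ip: sorted(kinds) for ip, kinds in alerts.items()}


# Constructed sample log (documentation-range addresses, not real traffic)
SAMPLE_LOG = (
    # 203.0.113.5 walks through six different accounts in a few seconds
    [f"2020-08-21T07:00:{i:02d}Z ip=203.0.113.5 user=user{i} result=fail" for i in range(6)]
    # 198.51.100.7 hammers one account
    + [f"2020-08-21T07:01:{i:02d}Z ip=198.51.100.7 user=alice result=fail" for i in range(12)]
    # 192.0.2.10 is a real user who mistyped once, plus a line that does not parse
    + ["2020-08-21T07:02:00Z ip=192.0.2.10 user=bob result=fail",
       "2020-08-21T07:02:09Z ip=192.0.2.10 user=bob result=success",
       "not a log line"]
)

if __name__ == "__main__":
    for ip, kinds in detect_login_attacks(SAMPLE_LOG).items():
        print(ip, ", ".join(kinds))
```

Credential stuffing typically shows few failures per account, which is why a per-account lockout misses it and a per-source, distinct-username view is needed; the rate limits, CAPTCHA or step-up authentication triggered by such an alert are what protect users who reused a breached password.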

2. Distributed Denial of Service (DDoS) Attack

A distributed denial of service (DDoS) attack is when a hacker floods a network or system with a ton of activity (such as messages, requests, or web traffic) in order to paralyze it. This is typically done using botnets, which are groups of internet-connected devices (e.g., laptops, light bulbs, game consoles, servers) infected by viruses that allow a hacker to harness them into performing many kinds of attacks.

3. Malware Attack

Malware refers to all types of malicious software used by hackers to infiltrate computers and networks and collect sensitive private data. Types of malware include:

  • Keyloggers, which track everything a person types on their keyboard. Keyloggers are usually used to capture passwords and other private information, such as social security numbers.
  • Ransomware, which encrypts data and holds it hostage, forcing users to pay a ransom in order to unlock and regain access to their data.
  • Spyware, which monitors and “spies” on user activity on behalf of a hacker.

Furthermore, malware can be delivered via:

  • Trojan horses, which infect computers through a seemingly benign entry point, often disguised as a legitimate application or other piece of software.
  • Viruses, which corrupt, erase, modify, or capture data and, at times, physically damage computers. Viruses can spread from computer to computer, including when they are unintentionally installed by compromised users.
  • Worms, which are designed to self-replicate and autonomously spread through all connected computers that are susceptible to the same vulnerabilities.

4. Phishing Attack

A phishing attack is when hackers try to trick people into doing something. Phishing scams can be delivered through a seemingly legitimate download, link, or message. It’s a very common type of cyber attack — over 75% of organizations fell victim to phishing in 2018. Phishing is typically done over email or through a fake website; it’s also known as spoofing. Additionally, spear phishing refers to when a hacker focuses on attacking a particular person or company, instead of sending more general-purpose spam.

Cybersecurity Best Practices: How to Secure Your Data

Cybersecurity can’t be boiled down into a 1-2-3-step process. Securing your data involves a mix of best practices and defensive cybersecurity techniques. Dedicating time and resources to both is the best way to secure your — and your customers’ — data.

Defensive Cybersecurity Solutions

All businesses should invest in preventative cybersecurity solutions. Implementing these systems and adopting good cybersecurity habits (which we discuss next) will protect your network and computers from outside threats.

Here’s a list of six defensive cybersecurity systems and software options that can prevent cyber attacks — and the inevitable headache that follows. Consider combining these solutions to cover all your digital bases.

Antivirus Software

Antivirus software is the digital equivalent of taking that vitamin C boost during flu season. It’s a preventative measure that monitors for bugs. The job of antivirus software is to detect viruses on your computer and remove them, much like vitamin C does when bad things enter your immune system. (Spoken like a true medical professional …) Antivirus software also alerts you to potentially unsafe web pages and software.

Learn more: McAfee, Norton, or Panda (free)

Firewall

A firewall is a digital wall that keeps malicious users and software out of your computer. It uses a filter that assesses the safety and legitimacy of everything that wants to enter your computer; it’s like an invisible judge that sits between you and the internet. Firewalls are both software and hardware-based.

Learn more: McAfee LiveSafe or Kaspersky Internet Security

Single Sign-On (SSO)

Single sign-on (SSO) is a centralized authentication service through which one login is used to access an entire platform of accounts and software. If you’ve ever used your Google account to sign up or into an account, you’ve used SSO. Enterprises and corporations use SSO to allow employees access to internal applications that contain proprietary data.

Learn more: Okta or LastPass

Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is a login process that requires a username or pin number and access to an external device or account, such as an email address, phone number, or security software. 2FA requires users to confirm their identity through both and, because of that, is far more secure than single factor authentication.

Learn more: Duo

Virtual Private Network (VPN)

A virtual private network (VPN) creates a “tunnel” through which your data travels when entering and exiting a web server. That tunnel encrypts and protects your data so that it can’t be read (or spied on) by hackers or malicious software. While a VPN protects against spyware, it can’t prevent viruses from entering your computer through seemingly legitimate channels, like phishing or even a fake VPN link. Because of this, VPNs should be combined with other defensive cybersecurity measures in order to protect your data.

Learn more: Cisco’s AnyConnect or Palo Alto Networks’ GlobalProtect

Cybersecurity Tips for Business

Defensive cybersecurity solutions won’t work unless you do. To ensure your business and customer data is protected, adopt these good cybersecurity habits across your organization.

Require strong credentials.

Require both your employees and users (if applicable) to create strong passwords. This can be done by implementing a character minimum as well as requiring a mix of upper and lowercase letters, numbers, and symbols. More complicated passwords are harder to guess by both individuals and bots. Also, require that passwords be changed regularly.


Control and monitor employee activity.

Within your business, give access to important data only to authorized employees who need it for their job. Prohibit sharing data outside the organization, require permission for external software downloads, and encourage employees to lock their computers and accounts whenever not in use.

Know your network.

With the rise of the Internet of Things, IoT devices are popping up on company networks like crazy. These devices, which are not under company management, can introduce risk as they’re often unsecured and run vulnerable software that can be exploited by hackers and provide a direct pathway into an internal network.

“Make sure you have visibility into all the IoT devices on your network. Everything on your corporate network should be identified, properly categorized, and controlled. By knowing what devices are on your network, controlling how they connect to it, and monitoring them for suspicious activities, you’ll drastically reduce the landscape attackers are playing on.” — Nick Duda, Principal Security Officer at HubSpot

Read about how HubSpot gains device visibility and automates security management in this case study compiled by security software ForeScout.

Download patches and updates regularly.

Software vendors regularly release updates that address and fix vulnerabilities. Keep your software safe by updating it on a consistent basis. Consider configuring your software to update automatically so you never forget.

Make it easy for employees to escalate issues.

If your employee comes across a phishing email or compromised web page, you want to know immediately. Set up a system for receiving these issues from employees by dedicating an inbox to these notifications or creating a form that people can fill out.

Cybersecurity Tips for Individuals

Cyber threats can affect you as an individual consumer and internet user, too. Adopt these good habits to protect your personal data and avoid cyber attacks.

Mix up your passwords.

Using the same password for all your important accounts is the digital equivalent of leaving a spare key under your front doormat. A recent study found that over 80% of data breaches were a result of weak or stolen passwords. Even if a business or software account doesn’t require a strong password, always choose one that has a mix of letters, numbers, and symbols and change it regularly.

Monitor your bank accounts and credit frequently.

Review your statements, credit reports, and other critical data on a regular basis and report any suspicious activity. Additionally, only release your social security number when absolutely necessary.

Be intentional online.

Keep an eye out for phishing emails or illegitimate downloads. If a link or website looks fishy (ha — get it?), it probably is. Look for bad spelling and grammar, suspicious URLs, and mismatched email addresses. Lastly, download antivirus and security software to alert you of potential and known malware sources.

Back up your data regularly.

This habit is good for businesses and individuals to master — data can be compromised for both parties. Consider backups on both cloud and physical locations, such as a hard drive or thumb drive.

Cybersecurity Resources

To learn more about cybersecurity and how to better equip your business and team, tap into the resources below. Check out some of the most popular cybersecurity podcasts and cybersecurity blogs, too.

National Institute of Standards and Technology (NIST)

NIST is a government agency that promotes excellence in science and industry. It also has a cybersecurity division and routinely publishes guides and standards.

Bookmark: The Computer Security Resource Center (CSRC) for security best practices, called NIST Special Publications (SPs).

The Center for Internet Security (CIS)

CIS is a global, non-profit security resource and IT community used and trusted by experts in the field.

Bookmark: The CIS Top 20 Critical Security Controls, which is a prioritized set of best practices created to stop the most pervasive and dangerous threats of today. It was developed by leading security experts from around the world and is refined and validated every year.

Cybrary

Cybrary is an online cybersecurity education resource. It offers mostly free, full-length educational videos, certifications, and more for all kinds of cybersecurity topics and specializations.

Signing Off … Securely

Cyber attacks may be intimidating, but cybersecurity as a topic doesn’t have to be. It’s imperative to be prepared and armed, especially if you’re handling others’ data. Businesses should dedicate time and resources to protecting their computers, servers, networks, and software and should stay up-to-date with emerging tech. Handling data with care only makes your business more trustworthy and transparent — and your customers more loyal.

Note: Any legal information in this content is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice or as a recommendation of any particular legal understanding.

Editor’s note: This post was originally published in February 2019 and has been updated for comprehensiveness.


Originally published Aug 19, 2020 7:30:00 AM, updated August 19 2020
