Creating Complicated Passwords
Discover the art of crafting a complicated password. In today's digital age, a strong password is your first defense against cyber threats. Perfect for individuals and businesses alike, this post is your key to understanding and implementing the strongest passwords. Start protecting your digital life today with our proven security strategies.
Creating a strong, complicated password is one of the simplest yet most effective ways to protect your online security.
In an era of increasingly sophisticated cyber threats, the significance of a robust password cannot be overemphasized. Recent statistics reveal a startling fact: weak passwords are responsible for 81% of hacking-related breaches, underscoring the critical need for more complex passwords.
So, how can you create one?
A complicated password is a blend of letters (uppercase and lowercase), numbers, and symbols, extending to at least 12 characters. The longer and more random the password, the harder it is for hackers to crack.
Here’s a step-by-step guide to creating a complicated password:
Start with Length: Aim for at least 12 characters. Longer passwords exponentially increase the time required to crack them.
Mix It Up: Use a combination of uppercase letters, lowercase letters, numbers, and symbols. This randomness adds an extra layer of security.
Avoid Predictability: Avoid obvious substitutions, like “pa$$word” or “1234abcd.” Hackers are well-versed in these common patterns.
Use Phrases: Consider stringing together random words or a phrase only you would know. This method, known as a passphrase, is easier to remember and harder to hack.
Employ a Password Manager: These tools generate and store complex passwords for you, ensuring each password is unique and robust.
Regular Updates: To fend off ongoing threats, change your passwords periodically, especially for sensitive accounts.
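The first three steps can be checked and automated in a few lines of Python. This is an added example, not code from the original post: the symbol set, the tiny common-word list, and the function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
ALPHABET = "".join(CLASSES.values())
# Constructed sample; a real check would load a large list of breached passwords.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "admin"}
# Undo the obvious substitutions, so "pa$$word" is read as "password".
UNLEET = str.maketrans("$@013457!", "saoleasti")

def has_sequence(pw, run=4):
    """True if pw holds `run` characters counting up or down (1234, abcd, dcba)."""
    for i in range(len(pw) - run + 1):
        steps = {ord(b) - ord(a) for a, b in zip(pw[i:], pw[i + 1:i + run])}
        if steps in ({1}, {-1}):
            return True
    return False

def check_password(pw):
    """Return the rules from the guide that pw breaks (empty list = passes)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"no {name}")
    if any(w in pw.lower().translate(UNLEET) for w in COMMON_WORDS):
        problems.append("common word behind simple substitutions")
    if has_sequence(pw.lower()):
        problems.append("counting sequence")
    return problems

def generate_password(length=16):
    """Draw uniformly random passwords until one passes every check."""
    length = max(length, 12)  # never go below the guide's minimum
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password; each extra bit doubles the guesses."""
    return length * math.log2(alphabet_size)
```

The entropy figure only applies to passwords drawn at random, as `generate_password` does; a human-chosen password that happens to pass `check_password` can still be far weaker than its length suggests.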
Remember, your password is the first defense against unauthorized access to your personal and financial information. Investing time in creating a strong password can save you from the potential havoc hackers can wreak on your digital life.
Embrace complexity and be proactive about your cybersecurity—if your password is convenient and easy to remember, it is not secure. The more inconvenient the password, the greater its value to your online security.
R
Enhancing Online Security and Privacy with Personal VPNs
Discover the transformative power of personal VPNs in fortifying online security and enhancing privacy for your business. In an era where cyber threats loom large and data breaches are costly, a reliable personal VPN is not just a tool—it's an essential asset for safeguarding your company's confidential data.
In today's digital age, where our lives are woven into the fabric of the internet, ensuring online security and privacy has become paramount. From banking transactions to social media interactions, much of our personal and sensitive information is transmitted over networks, making it susceptible to prying eyes and potential cyber threats. Amidst these concerns, the adoption of personal Virtual Private Networks (VPNs) has emerged as a potent solution.
How Does a VPN Help You?
A personal VPN serves as a secure tunnel for your internet connection, encrypting the data you send and receive, thus shielding it from eavesdroppers and hackers. Whether you're browsing from a coffee shop's Wi-Fi or accessing your bank account on public transport, a VPN adds an extra layer of protection, making it significantly harder for cybercriminals to intercept your sensitive information.
VPNs also safeguard your privacy by masking your IP address and anonymizing your online activities. This means that your browsing history and online behavior remain confidential, shielded from the prying eyes of internet service providers, advertisers, and other third parties seeking to track your digital footprint for targeted marketing or surveillance purposes.
Moreover, personal VPNs enable users to bypass geographic restrictions and censorship, granting access to region-locked content. Whether you're traveling abroad or wish to access streaming services unavailable in your region, a VPN allows you to circumvent these barriers, providing a seamless online experience without compromising your privacy or security.
Choose a VPN Provider Wisely
However, while personal VPNs offer numerous benefits, it's essential to choose a reputable provider that prioritizes user privacy. Don’t fall for gimmicks. We recommend Express VPN.
But Do You Really Need One?
VPNs add another layer of complexity and network overhead, eating your bandwidth. There was a time when nearly everything on the Internet wasn’t encrypted, and VPNs were necessary, but this isn’t the case today. In modern computing, nearly everything you do online is encrypted. There’s an argument to be made: if you don’t have a need to access region-blocked content, and if your use case doesn’t involve a lot of risk (you’re not browsing questionable sites or downloading files), why spend the money?
Like everything in IT security, VPNs offer another layer of safeguards but aren’t a magic pill. They don’t solve all problems and aren't necessary in most cases—just another expense that adds a diminishing return on value.
What’s my Advice?
Just reach out. I can help answer this kind of question for you. Thanks for reading.
R
Protecting Your Systems in 2022
Here’s what we’ll be doing in 2022 to help our small business clients with IT security.
2021 offered an unprecedented number of challenges to small business information systems.
I wanted to take a few minutes to talk about the overall strategies that I’ll be using to protect my clients in the coming year.
Defense in Depth
There’s no such thing as a magic pill. Not one product, not one solution, not one strategy that can safeguard IT assets 100% of the time; anyone who tries to convince you otherwise is trying to sell one. And if you believe that sales pitch, you’re already falling into a trap of the mind; you’re already making too many assumptions and assumptions won’t keep you safe.
Instead, it is more rational to perceive risk in terms of layers of control.
Here are some examples:
one layer controls the physical access to a network;
another controls the wireless access to a network;
another controls the remote access to a network;
another layer authenticates who you are to that network;
another defines what software you do or do not have access to.
Five layers, five controls.
Over time, we can measure and test our controls to prove that they work, and we can say - with some degree of certainty - that our systems are secure.
Security, after all, is just a feeling: it is the confidence that we have in our safeguards. If you’re not already managing your IT in layers, how can you have any confidence that your systems are secure? Well, you can’t - you’re just making assumptions - and assumptions do not equal confidence.
Cloud Computing
Most small businesses do not have computer and network expertise on-staff. And aside from the talent problem, managing IT assets and information systems is extraordinarily risky and costly. So unless computer expertise is a core-competency, why do it?
It is far better for small businesses to outsource that risk and push it onto the backs of vendors who can operate at a better economy of scale and can manage IT better than them.
Somebody like Google can manage your email more cost-effectively than you can, and they have an army of professionals safeguarding your data. So why not let Google handle your email instead of running your own email server? The same could be said for applications, files, phone calls, databases, and device management.
In doing so, small businesses transform IT into an always-on utility - a system like electricity and water - allowing for the most reliable, cost-effective access, using any device, anywhere.
You don’t keep an electrician on-hand to deal with electrical problems, right? And you don’t keep a plumber on your payroll to handle the plumbing problems and run more water into your building. The same should go for your IT. Outsource the risk; transform IT into a utility.
In 2022, I’ll continue to push my small business clients to abandon running their own on-prem servers and devices, and to leverage cloud computing to the greatest extent possible.
Identity and Access Control
One of the biggest challenges we have in IT today is the theft of somebody’s identity to gain access to a confidential system. This is primarily done with phishing attacks. A bad actor sends your team an email that looks legitimate. Someone clicks on a link and is brought to a website that looks and feels legitimate, but is really set up by the bad guys to capture their username and password to a secure system.
It’s a huge problem and employee training isn’t enough. The bad guys get more sophisticated every day. We need technical controls that adapt - using machine learning (ML) and artificial intelligence (AI) - to spot the phishing attack and prevent the user from even seeing it. Google’s Gmail uses these tools to constantly screen attacks from aggressors intending to steal identity information from your employees.
Combined with good password management policies, multi-factor authentication, and admin alerts controlling end-user access, adaptive ML/AI promises to reduce these effects significantly. In 2022, in my role as a Google Partner, I’ll be continuing to help my clients get the greatest benefit from their cloud platform investment by securing their identity.
Endpoint and Mobile Device Management
Another vector of attack against your systems is through exploiting the human propensity to procrastinate and ignore risk.
A good example is computer security updates. Many users will deliberately tell their computers to not apply updates, or won’t restart their machines after receiving updates. This prevents the system from receiving necessary software updates to help protect them, and over time, the lack of patches creates huge holes that aggressors can drive a truck through.
Endpoint Management (EPM) uses software to regulate the compliance of managed computers so that they’re always receiving their security patches. EPM also takes care of things like viruses, malware, and intrusion detection. It provides a set of tools to remotely manage assets to bring them back into compliance and safe to use.
Mobile Device Management (MDM) uses similar controls to verify that the devices approved to remotely access company information (like mobile phones, tablets, and laptops) are controlled.
Used in conjunction with each other, MDM and EPM alert administrators to take action if a machine continuously falls outside of the range of acceptable patching or suffers from malware or an attack, prevent unauthorized, lost, or stolen devices from accessing secure information, and provide dashboard-level pictures of the overall security posture of a company. It’s the best, most cost-effective way to prevent loss … rather than reacting to loss.
In 2022, I’ll be attempting to convince most of my clients to join my endpoint management program and implement MDM to best control their systems.
Managed Browsers
Increasingly, phishing attacks come not just from email but from what are referred to as browser hijacks. Websites and software will redirect the user’s browsing activities to websites that attempt to steal identity credentials or Personal Private Information (PPI). Hijacks threaten not only the user but any confidential information that may exist on their computers.
These risks demand that an IT control be extended to Internet browsers. Managed browsers are browsers that exist on any device anywhere but receive a central set of policies. These policies dictate how the browser can be used, when it can be used, what sites and software are okay to use - and which ones aren’t - and prevent the user from accessing known-bad websites that could harm them.
In my role as a Google Partner, in 2022, I’m going to help a majority of my clients by deploying managed browsing policies governed by their Google Workspace investment to help keep their teams safe while using the Internet.
Perimeter Control
There are logical software components to every network. These components control the logical flow of information. You’re probably familiar with these devices by their names of routers, switches, bridges, and gateways. Most are simple computing appliances without a high degree of security built into them.
These devices do their work day in and day out and most of the time, you don’t have to even think about them. However, over time, their firmware needs to be updated; for the same reason we patch computers, we must also patch these devices. Aggressors realize that this equipment often goes unnoticed and unsecured because it’s not something most people are thinking about.
Well, I’m thinking about it. In 2022, I’ll be helping my clients identify their network’s perimeter infrastructure, either patching or replacing suspect equipment, and implementing tighter security controls over them.
Training
All the ML/AI in the world can’t beat human instinct or well-trained human behaviors. Technical controls to help secure the workplace are great but real security - real confidence - begins and ends with training people.
Your team must be brought up to speed about the most recent threats and concerns, and given tools to help them navigate the risk.
Sometimes, the best training simply interrupts an emotional response to a problem … to get somebody to just question clicking on a link so they can ask for more advice is an interrupt that a hacker can never thwart. The most skilled hacker can rarely beat an attentive, trained human! They’re counting on the human to not be paying attention, to not be trained.
Therefore, technical controls aren’t enough. This next year, I’ll be pushing training to help teach and inspire others to take these threats seriously. Further, responding to these problems by dealing with them in-depth, through implementing layers of controls, through shifting more and more risk to cloud providers, by implementing strong controls over identity and Internet browsing, and through inspecting the perimeters of our networks, will help instill a stronger sense of security for my clients next year.
R