As a consultant, I work on many, many different computers throughout the year. Though the machines are used in a wide variety of industries and organizations, I still see a large majority of them suffering from the same handful of issues. In the hopes of lowering those numbers in 2015, here are the six most common, self-inflicted issues I’ve seen on client computers this year:
- Fake Flash/Media Player Installs – By far, this was the most common mistake I see most computer users make, and it’s easy to understand why. Though you can sometimes encounter fake Flash Player pop-ups while surfing well-known sites (especially if they’ve been hacked as well), you’ll usually come across these fake notifications while surfing in the “darker” corners of the internet, especially if you clicked a link in an email or Facebook post.
If you see a pop-up like this, stop and immediately go to: http://www.adobe.com/software/flash/about/. (If you are paying attention, your hovering over that link to see if it’s legit!) That page will tell you whether or not your Flash player is working, and what version is installed. Right below is a handy list of the latest version number. If the two numbers match, then you already have the latest version of Flash Player. Congratulations, you avoided a possible malware incursion! If you see a similar pop-up for some media player you’ve never heard of, stop and investigate. First off, do you really need to see whatever it is that requires another piece of unknown software to be installed? When in doubt, check with an IT professional!
- McAfee Security Scan Plus – When you update Adobe Flash through the official website, the main installation page will also offer to install McAfee’s Security Scan Plus by default. According to McAfee, this software will supposedly protect computers from malware infections, but I’ve yet to see this software be effective, primarily because it’s usually installed unintentionally and in addition to already-installed, more competent anti-malware. You’ll want to uncheck the box in the middle pane to prevent Security Scan Plus from being installed alongside your Adobe Flash Player update.
But what if I don’t have any antimalware already installed? Will this protect me? The old adage “something is better than nothing” does not apply here. Security Scan Plus is almost universally reviled in the tech support industry. There are much better, free programs that are more effective. If you on Windows 7, try Microsoft’s Security Essentials. Windows 8 already comes with Microsoft’s Windows Defender pre-installed (the Win 8 version of Security Essentials). If you are still running Windows XP, Security Essentials will work until July 2015, and then you will have to find another program.
- Ask Search Toolbar – Given the number of times Java updates throughout the year, it’s not surprising how frequently I find Ask’s search toolbar installed on client computers. To be fair, it’s not malware in the strictest sense: the product does exactly what you’d expect it to do, if you actually intended to install and use it. Ninety-nine percent of my clients never intended to install it, and are puzzled why their search results are no longer provided by Google or (less commonly) Bing or Yahoo. It will get installed whenever you update Java and fail to uncheck the option (just like #1 above).
This toolbar is another PUA (potentially unwanted app) that is widely disliked by the IT support community, primarily because of it’s questionable distribution tactics, poor search engine performance, and the additional performance burden it puts on Internet Explorer as a toolbar.
- Automatic Software/Driver Updaters – there isn’t one particular application in this category that can be called out, primarily because there are dozens of these shyster websites. At best they are a nuisance, and at worst they could lead to a serious malware infection. They are typically installed from pop-ups clients see while surfing the web, and most trick the user into installing their program by misleading them to believe an important driver or application is missing or out of date.
Once installed, the program rarely does what it’s supposed to, and frequently will ask for money to actually do the updates which, after paying for a subscription, it still won’t do anything, or if it does anything at all, it will install even more outdated drivers and possibly other malware. Avoid this software like the plague – you don’t need it. Windows and OS X both automatically scan for updates (if they are set up properly) for all necessary drivers and will either install them silently, or ask you to update ASAP.
- Fake Antivirus Warnings – This one used to be in the top spot in 2013, but many folks are a bit more savvy this year and have since installed legitimate anti-malware after being duped previously. Unfortunately, the black hats are taking that into account and are now using even more convincing pop-ups that look like commonly installed anti-malware. Unless your computer is already compromised, you’ll typically only see fake virus pop-ups while surfing the web, which should be one of the clues that helps determine if they are fake.
The only way to avoid falling for this scam again is to know what your anti-malware looks like, especially the warnings. Nearly all of them will pop up a warning in your system tray – so if you only see the warning while web surfing and nothing in the system tray, it was likely just a fake pop-up. If you happened to panic when warning popped up and clicked the “clean/disinfect/scan” button, the next clue will be if the software asks to install something on your computer. Your anti-malware is already installed – it shouldn’t need to install itself again – so this is another clue that you are about to be duped into installing some malware.
- PC Performance Boosters/Optimizers – With very few exceptions, most of the software that appears in pop-ups that promises to improve your PC performance will in fact do the exact opposite. The most common snake oil I come across is the various registry “optimizers”. Though some of them may actually do some form of registry cleaning, most of them only excel at optimizing the flow of cash from your wallet to their pockets. If you get a pop-up while browsing the web warning your computer needs optimization, stop visiting that website immediately, and to be completely safe, immediately run an anti-malware scan.
The only cleaner that I trust to recommend to my clients is CCleaner from Piriform. I use this software regularly, and it is straightforward enough that even my most technically-challenged clients can use it with minimal assistance.
The above six gotchas, while common, are only a small subset of the wide variety of hijinks I come across while assisting my clients. It would take way more time and patience than anyone has to completely brief you on today’s malware threats. As always, you can avoid most self-inflicted issues by paying close attention to what is being shown on screen. Most of the time there are clues that will reveal the shadiness of unusual activity on your computer, and for the times when you are in a rush or don’t understand what you are seeing, stop what you are doing, close all programs, run an anti-malware scan, and, as always, call an IT professional for a second opinion!
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Lest you think Microsoft has finally plugged the many holes in the S.S. Internet Explorer, Patch Tuesday December includes four critical upates (Microsoft’s “critical” rating means they should be applied immediately) addressing newly discovered weaknesses, including an active zero-day exploit of the OLE (Object Linking & Embedding) platform. This particular chunk of code allows Microsoft apps like Office Word and Outlook to exchange documents between each other: when you insert an Excel spreadsheet into a Word document and it shows up as an editable spreadsheet, that’s OLE at work. In this case, the exploit allows hacked Office documents attached in Outlook emails to circumvent security, typically for the express purpose of installing other malware onto the victim’s machine.
What this means for you:
I can already see your eyes glazing over, and I don’t blame you. Microsoft’s bulletins are making me cross-eyed as well. Here’s what you need to do:
- Make sure your OS is patched. The updates should start arriving on computers as early as tonight. Unless your machine is being managed by an internal IT department and they’ve disabled this functionality, your Windows OS should be set to automatically download and patch all important updates from Microsoft. If you are not sure if your computer is set up this way, you can check by going to Control Panels -> Windows Update.
- If you must use Internet Explorer, avoid using it until you get fully updated with the latest round of patches (see #1). If it’s possible, consider using an alternative such as Firefox or Chrome. While neither is guaranteed free of security bugs, they are still faring better than IE in terms of exploits.
As always, avoid opening strange and/or unexpected attachments. If you regularly exchange documents with others via the internet, consider using a secure filesharing platform other than Dropbox or Drop or any of the numerous clones that offer free apps. Instead, look into options like Citrix Fileshare (we use it here at C2) for a much more secure and fully encrypted way to exchange documents.
A client recently asked me, “What’s the difference between ‘malware’ and a ‘virus’? Is ‘spyware’ still a thing? Are these pop-ups a virus, or something else? Was I hacked?!?” As a computer user who could easily remember the earliest days of computer viruses, his confusion was understandable, especially when the media and sometimes even industry pros have a tendency to use those terms interchangeably when they really aren’t. The complexity of today’s malware landscape is complex enough to fill multiple textbooks, but I’ll try to boil it down to the things most professionals should know.
Hacking
The term “hacking” is probably the most mis-appropriated term in use today. Originally, the true purpose of hacking something was to make alterations to how a device (or system) operated in order to achieve results different from the originally intended purpose of the hacked object. This could take just about any form: the brilliant, life-saving hacks used to return the Apollo 13 crew safely to earth in 1961, all the way to subverting computer security systems to paralyze a giant corporation in 2014. The important qualifier in determining if something was “hacked” is identifying actual, human-driven intent. In most cases, malware-compromised systems are the result of an “infection” versus a purposeful hacking.
Malware
The term “malware” is a portmanteau of the two words “malicious software” which, as you might imagine, is used to describe any sort of non-native programming or code loaded into a device that subverts the device’s original purpose, with the result that its activities cause some form of harm (hence the “mal” part). Malware covers a broad range of code including the annoying pop-ups and browser redirects that take control of your internet searches to show you advertising (aka “adware”), to the incredibly disruptive (and effective) malware that encrypts your data and holds it for ransom (aka “ransomware”). “Spyware” still exists – though it has taken a dark turn from it’s original advertising roots of harvesting your demographics to now harvesting your sensitive personal information for the purposes of identity theft.
Viruses
Though a computer “virus” is still considered malware, most malware found today are not considered actual viruses. In keeping with the spirit of its biological predecessor, a true computer virus distinguishes itself by insinuating itself into or altering the host’s code with the express purpose of multiplying and spreading, something that is relatively rare at the moment in most malware, even the ones that spread via email. Though they exhibit virus-like infection patterns, their methods of spreading are more akin to poisoning or parasitic infection.
How it all comes together
It’s important to note that malware is often a primary tool in any computer hacking effort. It can be used to weaken or subvert security systems, usually by installing other programs that facilitate other activities that can range from gathering passwords, data and opening security backdoors to erasing hard drives and crippling critical network infrastructure. Though they find little comfort in it, I tell my clients that most malware infections are akin to getting the flu: it’s highly unlikely someone set out to get you sick. Typically you got it from someone who didn’t even know they were contagious.
However, similar to their biological counterparts, other digital pathogens may take advantage of your computer’s compromised immune system to cause further damage. At best, these malware infections take the form of a symbiotic parasite that may surface relatively innocuous symptoms (pop-ups, Google doesn’t work, etc.), but those redirects can lead you to further infection by more harmful malware. At the extreme, they can lead to the digital equivalent of metastatic cancer, usually with fatal results. Suffice it to say, any form of malware infection should not be tolerated, regardless of the host machine’s primary purpose, and should be taken care of immediately.
In the early days of malware, the most well-known viruses were designed to be noticed: at minimum they made themselves a nuisance through a variety of prankish behavior, all the way to the other extreme of destroying data (usually right after taunting you, just to make sure you noticed you got infected). Today, cyber criminals make their best money and achieve their political goals by going undetected for as long as possible, until they are ready to strike. Security firm Cylance has released a report that alleges networks of multiple companies considered to be critical infrastructure and/or highly sensitive – think airlines, natural gas producers, defense contractors – have been completely compromised and “owned” by an outside group suspected to be backed by the Iranian government. Through this coordinated campaign (also called an “Advanced Persistent Threat” – APT) dubbed “Operation Cleaver” by researchers, the unidentified group of hackers obtained complete control over the entire network infrastructures – all servers, network equipment and everything connected to them, and remained in control over the course of at least 2 years. The companies remain unidentified in the report, primarily for security concerns.
What this means for you:
In a conversation with a client today, we discussed the recent hacking takedown of Sony (another APT that completely owned their network), and why they made a more attractive target than my client who is only a fraction of the size. As mentioned above, malware was originally designed to wreak havoc in a chaotic fashion, but now that there is money or power to be gained from it, hackers are much more organized and pursuing targets which usually fall into one of two buckets:
- The average home computer user – easy to hack, but usually not worth much, except when campaigns net thousands of victims. The dollars add up quick.
- High-value companies or organizations – more difficult to hack, but once compromised, can result in significant monetary and political impact.
As you may have guessed, most small and medium-sized business fall squarely in the middle, and if they are hacked, it’s usually by a malware aimed at the first group. HOWEVER, the client and I considered another possibility: what if the object was to destroy data in order to disrupt your business? Even with a culture steeped in Hollywood fantasies of corporate espionage and sabotage, it may still be hard to imagine a competitor stooping so low as to put out a “cyber hit” on your organization. Considering that we already know organized crime is elbow-deep in funding and profitting from malware attacks, maybe that threat isn’t as far-fetched as we might have hoped. Coordinated attacks like Operation Cleaver are typically backed by nation states, primarily because the resource requirements are steep, but a smaller, focused campaign to take out a small company could be handled by a single, freelance “cyber-hitman”. If I can imagine it, you can bet this is already happening. We just don’t know about it yet.
It’s become a tradition here for many folks to do some technology shopping on Black Friday and Cyber Monday. The savvy shopper can often find great deals on otherwise expensive items, and if they are willing to brave the insanity of brick-and-mortar shopping on Black Friday, can sometimes get an amazing deal on the year’s hottest technology. Tablets are up at the top of everyone’s gift list, and cheap Android-based tablets are popping up everywhere, including a batch of sub-$100 tablets made by lesser-known (or unknown!) manufacturers that are flying off the shelves of discount retailers like Walmart and Walgreen’s. Unfortunately, these cheap tablets are shipping with a variety of security flaws that could pose a serious threat to you or your business.
What this means for you:
A detailed analysis performed by Bluebox Security walks through the flaws of 12 sub-$100 tablets, but I’ll simplify: if you’ve bought one of the tablets on their list, you should absolutely not access any of your important email, banking or business-service accounts with this device. The age-old rule of thumb applies here: you get what you pay for, and paying less than $50 for a tablet gets you a very unsecure device that should only be used for the most casual entertainment purposes. It is also highly unlikely that these devices can be made secure, as many of the flaws come from older versions of the Android operating system. Due to the limitations of the low-cost hardware use to build these tablets, upgrading the OS is highly unlikely without some serious hacking, and should only be attempted by a trained professional. At that point, you should really question whether the overall cost was really worth the initial savings. Long story short: these sub-$50 tablets should only be used as toys and never for serious business or personal use.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Unlike previous high-profile security breaches we’ve reported here, the attack on Sony Pictures appears to be more than a “smash-and-grab” attack to steal customer information. In this particular case, the attackers have apparently acquired many sensitive internal documents, including lists of passwords and financial records, and are threatening to release those documents unless their undisclosed demands are met. Known as “doxxing” in the security industry, the threat began to appear on computers throughout the company on November 24, and effectively shut down normal operations. According to internal reports, the hackers gained access to a single internal server within the company, and spread from there.
What this means for you:
The details of how the attackers penetrated Sony security haven’t been released, but I’m willing to bet it was because an employee opened an attachment or clicked a link they shouldn’t have. No matter how competently implemented your security perimeter is, all it takes is a single human error to bring the whole thing tumbling down. In this particular instance, the error was made immeasurably worse by the hackers gaining access to unencrypted documents containing passwords to other internal systems. This lapse in judgement has paralyzed the company and will undoubtedly cost them millions to remediate.
The lesson to be learned from this: sensitive information, especially passwords, should never be stored in the clear on an unsecured spreadsheet or word processing document. At minimum, store those documents in an encrypted partition, or utilize a password manager with two-factor authentication. The other important lesson: don’t assume that just because you have a well-documented security policy that your employees are trained well enough to implement or follow it, even the internal IT staff.
If you’ve been following my advice on securing your technology, one of the steps you’ve taken was to use unique, strong passwords for all your critical online accounts. If you have more than 2-3, you might also be using software known as a “password manager” which allows you to store your complex, hard-to-remember passwords in one place, secured by a master password. Examples of these include Lastpass, 1Password, Roboform, and Passpack (the one I use). Security analysts at IBM Trusteer have now identified a new form of malware that specifically targets password managers, turning on a keylogger when it detects the program being launched, with the intent of capturing your master password, and thereby gaining access to everything stored within.
What this means for you:
Though this particular malware isn’t widespread yet, it has the potential to cause devastating harm to compromised individuals, if only because it gives the hacker focused and confirmed access to every account stored in that particular password manager. As is always the case, security is only as strong as the weakest link, and 9 out of 10 times we humans are the weakest link. This form of attack requires a particular type of keylogger and trojan infection, so don’t discontinue use of your password manager unless you have reason to suspect you’ve been compromised. While there are no guarantees, you are much less likely to fall victim to a trojan attack like this if you have legitimate, updated anti-malware running on all your internet-connected devices and keep your operating system updated. Constant vigilance is also required: don’t open strange email attachments, carefully read/avoid pop-ups, and always have an experienced IT professional on speed dial.
Note: if you are still running Microsoft XP in your environment, you are putting your whole organization at risk. I’ve been seeing an increasing number of malware infections on older operating systems as antimalware manufacturers end support for their software. In most cases, these machines are running in forgotten corners of your workplace, but may monitor or control critical components of your infrastructure. The cost to recover a compromised XP machine and remediating the damage it caused typically outstrips the cost to replace it. Don’t put it off until it’s too late.
Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net
I can’t tie a knot that would safely secure a boat, nor can I carve a race-winning pinewood racer, but I’m pretty sure my time as a Boy Scout primed me for a career in technology. Their motto, “be prepared” made a deep and lasting impression on me, and I try to exemplify that attitude in how I conduct my business, and encourage my clients to do the same. This can take all forms – planning for the safety and security of your loved ones is something everyone should take very seriously – but many businesses are less than ideally prepared for adverse events. Though most folks think in terms of actual disasters – fires, floods, earthquakes and so on (welcome to Southern California!) – you should also consider smaller-scale catastrophes such as data loss, security breaches, employee malfeasance, theft, vandalism, and virus infections. Every business should have a Disaster Recovery and Business Continuity Plan, and if that business or organization relies on technology, those plans should include technology recovery and continuity as well. Don’t have a plan? Here are five important items to get you started on writing one:
- Back up your data – most folks have learned the hard lesson of data loss and at a minimum try to back up their most important data to a separate drive. But if that backup is stored on premise, it is just as susceptible to whatever might damage your source data. At minimum, a copy of your backups should be stored offsite in a secure location, and the best solution is a combination of cloud-based backups and regular rotation of local backups to an offsite location.
- Keep track of critical logins and passwords – most organizations that can’t afford to maintain a full-time IT person on staff often suffer from a blind spot in their operation manuals and documentation: logins and passwords for important technology services, as well as contact numbers or email addresses for critical vendor services. Keeping these small bits of information current and stored offsite can mean the difference between hours and days in recovering from a disastrous event.
- Identify your technology weak spots – if your business relies on physical technology to conduct business, consider how hard it would be to operate without that technology for days, or even weeks. Email or web server on premise? Payroll checks printed on special printers? Even if you don’t use any specialized hardware, can your business operate without internet or electricity? Identifying these potential vulnerabilities will go a long way to helping you minimize or eliminate them before they can cripple your business during adverse circumstances.
- Evaluate vendor preparedness – if you rely on service providers for crucial technology services, you should have at least a basic understanding of how prepared they are for disasters. Though you have less to worry about with large, experienced providers (even Gmail goes down from time to time), if one of your “weak spots” is a service provided by someone else, you should know if they are prepared to handle a disaster, and how the loss of this service would affect your own operations.
- Train your people – if you or someone in a leadership position is incapacitated or isolated from the organization, others need to be prepared to fill those shoes. This means training them or at least preparing documentation for them on all of the above. Nothing is worse than watching an organization flounder while everyone stands around staring at each other not knowing what to do.
These are only a few aspects of a well-formed DR/BC Plan. The larger the business, the more detailed and complex it will become, but every organization large or small, should have one. It may seem expensive or a waste of time, but putting the effort into a DR/BCP will be the difference between your organization overcoming a challenge or succumbing to a disaster. Be prepared!
Image courtesy of winnond at FreeDigitalPhotos.net
Let’s face it: that shiny new computer you “just bought” doesn’t have the pep it used to have when you first bought it. Professionally-managed computers can usually forestall this degradation by several years, but all Windows computers, no matter how expensive or powerful or well-maintained (one does not necessarily equate to the other) will see a gradual performance decline with regular use. There are some obvious ways to put some zing back into the device – replace it with a newer one (a simple, if expensive option), or wiping out the operating system and starting over (not for technically disinclined) can restore it to a “fresh out of the box” level of performance. A more reasonable (and lower-cost) approach would be to do some clean-up and maintenance, both physical and digital on your computer.
Blow out the dust.
Most desktops and laptops keep their electrical components cool by blowing air across metallic heat-sinks. Over time, those components can become caked with dust, severely impairing their cooling capabilities. When your CPU runs too hot, your computer is smart enough to slow itself down to prevent the CPU from overheating and frying itself. As you can imagine, if your heat-sink can’t keep your CPU cool because it’s covered in a fuzzy sweater, your computer will be forced to run slower (or even shut itself off, in extreme cases). Desktops can usually be opened up and blasted with canned air for a thorough cleaning, but laptops aren’t as easy. While the laptop is on, use your hand to find out where the hot air is coming from, then turn off the device, and give that opening a puff or two from some canned air. Make sure you do it outside or somewhere with good ventilation, as a large cloud of dust will probably be blasted out. If you happen to have a model that is sealed or uses passive cooling (no moving air or parts), dust is not likely to be a problem.
Clean up that hard drive.
Just like your physical space, clutter and junk can ruin your computer’s efficiency. This particular maintenance task is multi-faceted, so make sure you check each of these areas:
- Scan for malware. Even though you might already have an anti-virus program installed, you should check at least once a quarter for viruses and other unwanted software (pop-up generators, coupon offers, etc.) using a program like MalwareBytes or RogueKiller (or both). You might be surprised by what they find. Many viruses are actually designed to run “under the radar” to remain undetected for as long as possible, and may have circumvented your antivirus to do so. Infections are a primary source of performance slow-downs.
- Remove “bloatware”. Even brand new out of the box, most name-brand computers come installed with what IT professionals call “bloatware” – software added by the manufacturer that is really there to sell you additional products or services. If your computer was procured by an internal IT department you usually don’t have to worry about factory-installed bloatware, but over time your computer can still accumulate it’s own set of software “barnacles”. Take a look at the “Programs & Features” control panel (Windows 7) and carefully remove any unnecessary programs. HP and Canon printers are notorious for adding a several arguably useful programs that will slow you down. Write down what you removed, just in case something you do need stops functioning properly.
- Ignore “PC Optimizer” software. Remove them if you installed them (see #1). Defragmenting your hard drive used to be an important facet of computer maintenance, but modern hardware and operating systems essentially obviate any degradation caused by fragmentation. The same goes for “registry cleaners”. At best, most of the “PC Optimizer” products out there are just scams, and a small number are actually malware in disguise. There are legitimate cleaning products out there that will help you maintain your computer (CCleaner is one of them), but the performance gains you will see are merely from clearing out the “digital gunk” that accumulates over time.
- Make sure you have enough free space on your hard drive. Steps 1, 2, and 3 may help you out quite a bit here, but if you are working with less than 15% free hard drive space on your primary drive, you can run into trouble and performance issues. Remove any unused or old programs, and archive old data to external storage. Windows is infamous for eating up drive space with temporary files as well. I recommend using a program like CCleaner to clean them up rather than doing it manually, as it can be tricky to find all the various locations Windows (and other programs like Internet Explorer) stash these files.
Free up RAM.
You may gain some RAM from getting rid of malware, fake optimizers and bloatware, but it also can come from closing out of applications that you aren’t using. Many folks either forget to close seldom-used applications, on top of keeping memory-hungry ones open all the time. Microsoft Outlook and Google Chrome are both memory hogs, and can soak up quite a bit of performance, even if minimized in the background. If you don’t need to keep an application open, “Quit” the app and check your RAM usage via Task Manager. If you’ve “trimmed the fat”, but you still have less than 20% of your total RAM free, you are going to see performance issues. Even though Windows 7 can run on less than 2GB of RAM, if you are multi-tasking power-user, you are going to need more RAM, and should consider some form of hardware upgrade.
Consider a faster hard drive, and/or install more RAM.
If you’ve performed all the above and still haven’t achieved the performance boost you were hoping for, but aren’t quite ready to spring for an entirely new computer, you may be in a position to upgrade your hard drive with a faster drive. In many cases, solid-state drives (SSD) can provide a significant boost in speed, especially in laptops, which might have started with a slower hard drive out of the box (usually for cost and/or battery-life considerations). This is definitely not an upgrade that can be handled by the average computer user, but even after factoring in the cost of the drive and the installation, may make more sense than a completely new computer.
Depending on the hardware and installed operating system, installing more RAM may be another low-cost way to breathe new life into your computer. In order for your computer to use more than 3GB of RAM, you must have an 64-bit OS installed, which isn’t always guaranteed, so make sure you can use it before you buy it. In many cases RAM can be purchased inexpensively, and installed quickly. Windows 7 and later really shines when you can give it more than 4GB of RAM, especially if you run RAM-hungry programs like Quickbooks, MS Office or any graphic-intensive application like the Adobe Creative Suite.
Do the math.
Before spending money (and don’t forget, time is money as well), it may be worth the effort to do some back of the napkin calculations on whether your time and money is better spent on trying to revive an aging computer, or biting the bullet and getting a brand new one. Though it has slowed somewhat, technology advancement is still accelerating, and each successive generation of computers are seeing shorter usable life-spans. Where 6-7 years before it may have seemed reasonable to get 4-6 years from a well-built computer, today you should expect a maximum of 3 years of optimal performance from the average laptop or desktop, and a sharp drop off in utility past that age. These numbers are considerably compressed if you work in an industry where change is constant (software development, content creation, customer service/retail) and maybe less constrained in industries that are a bit more conservative (finance, health, manufacturing). As a civilization, we are all becoming increasingly technically savvy and heavily reliant on the internet, which is advancing at a blistering pace. To stay viable in the market our tools need to keep that pace, and until there is a revolution in how computers are built, they will need constant upgrading and replacing for the foreseeable future.
If you’ve never really put much thought into computer security, but recent media coverage has convinced you it’s time to start taking it seriously, it’s easy to feel a bit overwhelmed. Where do you start? Everyone’s being hacked – even the really big companies with entire teams of IT professionals! How can I, “average computer user” even hope to keep my stuff safe? First off, in the immortal words of Douglas Adams: “Don’t Panic.” There are a handful of straight-forward, easy to execute measures you can take that will improve your overall security profile. Consider these your first steps to developing a more secure technology future for yourself and your business. While these are definitely not going to make you hack-proof, it will make you a much harder target, and most hackers will move on to easier prey.
- Use strong, unique passwords where it matters. Keeping your critical passwords different will greatly lessen the impact when an account or an account provider gets hacked. This includes any accounts that handle your finances, but also things like your Facebook or other social media accounts, and definitely protect your email with a good, solid password.
- Change your home router password. This will make your home network less susceptible to hacking. I’d like to think more and more folks will learn how to do this (if only once or twice a year), but I realize it’s not always a walk in the park. Call your ISP – they can usually walk you through it via the phone, or if you’d prefer a more personal approach, call your local computer consultant. You’ve got C2 on speed dial, right?
- Make sure your antivirus software is running and up to date. Know what it is called, and understand how it appears on your computer, including warnings and detections. If you don’t have the time or inclination to manage this aspect of computing, there are plenty of companies (like C2!) that offer something called “Managed Support” that includes monitoring your antivirus software for you. This usually also includes making sure your Operating System stays up to date as well.
- Stay away from strange email attachments and unfamiliar websites. Most viruses are delivered via these two methods. If you receive an attachment you weren’t expecting, don’t open it, even if it looks legitimate. Call the sender and confirm they sent the email.
- Be cautious when installing software or driver “updates” especially when notified via browser pop-ups. These are frequently not legitimate and will lead your computer down a dark path of malware infestation. Be particularly suspicious if the “updates” suddenly appear when visiting a new website, or opening an attachment. That’s your signal to cancel any pop-ups and call for professional technology assistance!
These practices will improve your security stance, but there are still a myriad of other things that you could do to strengthen your defenses. To take it to the next level, you should consider the following questions:
- Do you (or your company) handle other people’s sensitive information?
- Do you work in (or for) a regulated industry? A publicly traded company? (Health, finance, government, etc.)
- Do you have intellectual property that is stored and/or transmitted digitally?
- How much inconvenience and expense are you willing to incur to reduce your risk?
- How much of your livelihood would be jeopardized if your computer was hacked?
Answering these tough questions usually requires assistance from an experienced IT professional, even on a individual basis. That being said, achieving any measure of improved security begins with everyone taking some measure of personal responsibility for security, and they can start that process by following the five simple practices outlined above.