I’m sure many of you celebrated the passing of last year with no small amount of relief, and if you were one of the 190M people in the US who purportedly resolved to improve themselves this year, I’m going to bet at least some of you put “Get better at technology” on that list. While I heartily commend and support this goal, you should also know that the majority of us fail in New Year’s resolutions because we didn’t keep them specific, achievable and completable. A clock ticking over from “0” to “1” doesn’t make one year better than the previous, but one would think, “Surely, technology will be better in 2021.” Normally that would be a safe bet, but even my normally boundless enthusiasm for technology has been tempered by some trends I’ve watched develop in 2020. Regardless, getting better at (a specific) technology is worth pursuing, but you should also know that if it feels like an uphill battle, it’s because it will likely be just that. Here’s why:

You aren’t imagining things: technology overall is not getting any easier. One of the ongoing promises of technology is that it is supposed to be making our day-to-day lives easier. There’s no question that we are capable of more and we have access to things that weren’t even dreamed of 20 years ago, but for critical technology devices and services that are considered on the same essential tier as things like plumbing, automobiles, and central heating, they are still stubbornly complex, hard to troubleshoot, and well outside the understanding of any reasonably intelligent human. To be fair, most of us probably couldn’t install a sink or fix a car, but these technologies are largely standardized and have changed relatively little as compared to things like smartphones and computers. Even something that was dead simple for decades – the television – has become incomprehensible for many. For each thing that we simplify, two others seem to get more complex, and they seem to do so in service to two things: more security, and/or more functionality. Your takeaway from this observation: don’t feel like you are getting dumber. You aren’t – technology is changing faster than most of us can learn, and the constant level of change means that the knowledge we manage to gain quickly grows stale or obsolete. It’s exhausting, even for the experts.

If there is one thing that technology has failed to simplify – it’s security. As a matter of fact, in many ways technology has actually made staying safe that much harder. In decades past, if you did not want your data online, you avoided going online. Identity theft was elaborate and rare. Most of us had our credit cards stolen maybe once every 4-5 years, not 4-5 times a year. Our financial (and sometimes physical) security is regularly jeopardized by the negligence and carelessness of a megacorporation over which we have zero control, except in one, most meaningful way: Get out and vote for leaders who understand what is at stake and who have people and communities, not corporations (and their billionaires) as stakeholders. You should know what their position is on personal privacy and data protection. Don’t be afraid to ask hard questions if given the opportunity – your safety is at stake. However, if you are looking for a break from activism and politics (let’s be honest, who isn’t?), here’s a smaller, achievable new year’s resolution: start using a password manager and better passwords for all your critical services.

The best, most useful technologies are ones that are focused, limited in scope and, ironically, change more slowly than the “normal” pace of technology. This isn’t a new revelation, and nothing in 2020 or years before lead me to believe this will change any time soon. If anything, use this as a rubric to assist you in identifying what technologies you wish to “get better at”. Frustrated at the confusing changes on your new smartphone? Focus on the core things you need it to do (not what it’s capable of) and learn how to make those services consistent and worry free. If you can’t make it either of those, then perhaps the device is ill-suited to the task. The very root of technology is the Greek technos and logia which literally translates to “the manner or means by which a thing is gained.” Technology is a means to an end and not the end itself. If a device, app or service is making it hard to achieve something – it’s the exact opposite of technology.

Reuters reported on Dec 13, 2020 that several high-profile government departments have been hacked, and had been compromised as far back as March of this year. Early research points to Russian military-backed advanced persistent threat group known as “Cozy Bear” who utilized what’s known as a supply-chain exploit to penetrate the US Commerce, Treasury and Homeland Security departments, as well as up to 18,000 other US government and business targets. At the moment, officials confirm that the Russian hackers had full access to internal emails of the US Treasury and Commerce departments, but security researchers fear that this is only a small part of what is looking like a huge breach.

“Welcome to the club?”

While you might be tempted to savor some schadenfreude at their expense, the implications of this attack will be profound for the government and many Fortune 500 companies that were also likely compromised. This is also a bad look for managed service providers like C2, as source of the breach was MSP giant Solar Winds who, ironically, provides the technology management and security for the hacked government entities, and, whose own security monitoring platform was the source of the compromise.

As you’ve heard me say numerous times, there is no amount of money spent or technology applied that will provide you with a bullet-proof, perfectly secure environment. The fact that the largest MSP in the US can itself be compromised and used as a weapon against its own customers demonstrates this lesson unequivocally. The best protection from malware attacks and security breaches is a multi-layered approach:

1. In addition to having proper antivirus and spam filtering, firewalls and updated software, your employees should be trained regularly on technology security.
2. Your critical data should be backed up offsite. Not just server data, but possibly email and files on company principals’ personal computers. Remember cloud filesharing does not equal backup.
3. You should review your company’s security policy, especially if it hasn’t been updated with work-at-home specifics, and make sure that employees get a refresher on any changes made to the policy.
4. Your company should have at least an outline or basic disaster recovery and business continuity plan.
5. If you don’t already have it, consider acquiring cyber liability insurance that will cover security breaches, especially if you are a part of a regulated industry that deals with confidential data for clients and customers.

It’s hard to see how the pandemic could bring about anything positive that wasn’t gained at the cost of over a million dead (worldwide), but the change it has wrought is irrefutable. Certain industries like food services and hospitality have had to reshape their entire business model, and many that couldn’t change fast enough succumbed as the entire world retreated to our bubbles. Not surprisingly, most professional services firms (accountants, lawyers, financial advisors, banks, etc – and yes, MSP’s like C2) after the initial panicked spasms were overcome, turned out to be well suited to work remotely, and many are now making a leap of faith to go fully virtual permanently by eliminating one of the larger expense lines in their budget – the office lease.

In most cases, there is no technological reason why some companies can’t go completely virtual. Note the words I emphasized there. For several industries, especially the ones that were born of the digital age, business technology is easily well ahead of the need curve for the majority of organizations in that industry, so far ahead in some cases that many have no idea of what is possible and don’t even consider it. Let’s assume that the technology exists for your company to go virtual, so instead it may be useful to examine the reasons why you might need to consider carefully before tearing up that office lease.

Look before you leap!

As has been made painfully obvious by our (mostly) self-enforced lockdowns, some of us are realizing how much we miss the hustle and bustle of a busy office. Indeed, many companies thrived on spontaneous interactions that can only occur when people are physically adjacent. If you’ve noticed a decrease in productivity or creativity despite everyone having all the tools they need, you may have been one of those companies that developed a culture that was built around face-to-face interactions. Switching to online forms of interaction like videoconferencing and instant messaging will be difficult for people, and certain folks will never consider it as a suitable replacement for those watercooler meetings. The pandemic will end and for staff that look forward to returning to normalcy it may be particularly disheartening to find out that their workplace also fell victim to Covid.

Physical offices allow for a certain level of technology simplicity and manageability that are not achievable (yet) in virtual companies. Granted, if the internet was down for the office, no one was getting any work done, but conversely, it also allows IT managers to ensure a consistent level of service and security that they could literally put their hands on by walking down the hall. Running a company on the back of the internet and personally-owned electronics presents a new layer of complexity that is not easily serviced by a traditional in-house IT department, and it multiplies the potential security vulnerabilities to a level that will be unacceptable for some industries without very careful planning and discipline.

You should also consider the management style of the company’s leadership. Are they used to managing by sight, i.e. they need to see that their employees are busy and engaged, or can they trust that their people know what needs to be done without being physically supervised? It shouldn’t surprise you to know that while it is technologically possible to supervise remote employees just as closely (if not closer) as if you were standing over their shoulder, most folks will find this intrusive and offensive, especially if they are working from home. While I would argue that this type of leadership is perhaps a relic of bygone eras and definitely less effective in today’s workforce, I still regularly encounter it and know that leaders who rely on this style are especially frustrated by virtual staff.

Make no mistake, virtual companies are here. They were here well before the pandemic and I’m seeing many more making the transition as each week passes. While it may be tempting to consider permanently striking real estate leases off your budget, make sure you consider the underlying costs that might not be easily summed up on a spreadsheet.

Now that a lot of you are working regularly from home, you’ve probably gotten most of your technology (that you can control) working more or less reliably, but I’m willing to bet there’s at least one hunk of plastic and sand that is regularly giving you fits. Yes, we’re looking at you, laser or inkjet printer! Printer issues are one of the top ten issues we address for clients, but a good percentage of those issues are resolved by a very specific set of “tricks” that most people can do on their own.

“Sit. Roll-over! Print this page…NO! Bad printer!”

If you are having problems printing, here are some of the basics you can walk through to see if you can bring that recalcitrant printer to heel:

1. Check the printer queue. If you see a bunch of documents stuck in the queue but your printer seems to be oblivious to them, try canceling the jobs, and then resend them.
2. Make sure you are printing to the right printer. Sometimes Windows (and Macs, but less often) will reinstall your printer, but your apps don’t get the memo and will still try to print to a printer that no longer exists. Quit the app and relaunch if you notice this, and make sure you select the active printer when printing. If you have two printers with very similar names and one of them is marked as “disconnected” or “offline”, very likely your apps don’t know that something has changed.
3. Reboot your computer. There. I said it. Again.
4. Reboot the printer. This one actually still gets forgotten quite a bit. Modern printers have little computers in them and sure enough, those little computers can crash. Or they are waiting to apply an update but need a reboot to get it started, just like the big computer on your desk.
5. Check the printer’s built-in display. Most modern printers, even the ones that seem cheaper than the ink they use, have screens that can provide all kinds of information, including the state of the network connection, whether there are jams, or that dang cyan cartridge is empty again.
6. Reinstall the printer drivers. This is a little more advanced, but as I mentioned #2, Windows 10 is notorious for reinstalling printers with a Microsoft-version of your printer driver, which often leads to strange behavior.
7. Check your printing settings. Make sure you aren’t trying to print a page that doesn’t match the paper size loaded into your printer. Even the simplest apps use a standard print dialog box that has at least a half-a-dozen settings that can cause the printer to just stop, as if to say, “Whatever it is you are trying to print does…not…compute.”
8. Make sure your ink cartridges aren’t dried out. Cheap inkjet printers (heck, even the expensive ones), when not used for long periods of time, have a tendency to malfunction due to dried-out cartridges. Depending on your usage patterns, local humidity, and the quality of the cartridges, this period of inactivity could be days or weeks. Make sure you run regular nozzle checks, cleaning and print tests to keep the printer juices flowing.
9. Replace that cheap printer. Most of the printers in use today were probably bought pre-Covid, and most likely were chosen because they were cheap and intended for light-duty use. Nine months later and those part-time printers have become essential workers in a role they were never intended. If you are spending more time fixing jams, replacing cartridges and reprinting poorly imaged pages, it may be time to consider replacing it.

Image by pavelkovar from Pixabay 

While I regularly hear this question throughout the year, it seems seasonally appropriate to talk about this particular phenomenon. “My computer has a mind of its own,” or my favorite, “I think my computer is possessed,” could actually be an accurate assessment of the situation, but not in a supernatural way. A large majority of technology problems can typically be traced to something a human fouled up, but the interconnected nature of today’s technology means that this particular foul up doesn’t have to have been your own fault, or even someone nearby. Your computer issues could have arisen because of a mistake made by someone miles (and possibly years) away, which only makes the universe feel just a little more perverse than usual. In some cases, computer problems arise because of the irresistible second law of thermodynamics, which basically states that everything is slowly degrading over time, and if humans invented, designed, and/or assembled something, even infinitesimally small variations in quality can lead to the difference between your computer loading up properly or giving you the dreaded, “No operating system found” message.

The scary tech stories no one wants to hear…

“Your hard drive will fail.” This is not an “if” but a “when” determination. All hard drives fail – the trick is to replace them before they do, and to back up your data in the interim. Most modern hard drives do have alarms that will warn you that entropy is winning, but not everyone knows what to monitor, nor understand the data that is provided. While it’s true that spinning (traditional) hard drives have more moving parts than Solid State Drives (SSD), and thus is more subject to entropy than it’s solid state brethren, both can fail, and in fact HD’s are easier to recover in certain hardware failure cases than SSD’s because of how they work. Just because it’s SSD doesn’t mean you shouldn’t back up important data.

“Software updates are unavoidable.” Sadly, gone are the days of dodging Windows updates to keep your system and software running just like it did the day you installed it. Microsoft’s forced update cadence has most major software makers in lockstep, meaning that one can’t be updated without the other, and problems will arise if you aren’t marching to their tempo. And as is the case with everything humans do, some updates will cause problems.

“Your personal data is probably already on the internet.” You may not like to consider it, but there is a high likelihood that much of what you consider to be “private” is well known to both advertisers as well as less scrupulous elements around the world. Even so, this is no reason to be less safe with that data. Always challenge requests for this information, and consider the means by which you convey this data to the requestor, as well as who is asking especially if they are new to your circle of interactions.

“Using a single password for everything will get you hacked. Badly.” It may be the hardest to guess password in the world, but the fact that you have to enter it at all means it’s possible for someone to trick you into giving it up, and when that happens, they are on you like a horror-movie killer, and you won’t be guaranteed a Hollywood happy ending. Identity theft teams move at horrific speed and will make your life very unpleasant.

That’s probably enough scary stories for one Halloween. It might be strangely comforting to believe your technical issues are supernatural, as the reality is rather banal and depressing to consider, but attributing them to something otherworldly, while entertaining will only result in a real-world horror story that won’t be resolved with talismans, herbs or weapons.

Though just about any parent I’ve spoken with will tell you that they wish they could install a tracking device on their kids, maybe we should be more careful in wishing. This time the monkey’s paw is curling around a new smartwatch for kids that (up until recently) came with a hidden backdoor that, if used properly, could allow the device to take pictures which could then be uploaded to the manufacturer’s servers, as well as location data and sound as recorded by the devices microphone. Note that I wrote “used properly” in a purely technical and NOT ethical sense. While this feature could be extremely useful in locating a missing or abducted child the fact that this backdoor wasn’t disclosed is troubling, moreso once you consider where the smartwatch was made.

When does supervision become spying?

Though the device mentioned is being sold by a Norwegian company, they developed and manufactured it in partnership with a Chinese security firm that also happens to be on the US Commerce Department’s list of sanctioned companies due to it’s close ties with the Chinese government, which isn’t known for being a stalwart champion of human rights or privacy. In the product’s defense, the investigators who discovered the backdoor noted that being able to exploit the device would require access to data that would not be readily available. The manufacturer also pointed out that the data would only be uploaded to it’s private servers to which access was extremely limited, even to its own employees. On top of this, after being notified of the backdoor, the company has since issued a patch to close the backdoor.

Normally, I wouldn’t even bother pointing out this story to you as the smartwatch was never available for sale in the US (possibly because of the sanctioned Chinese partner) but I thought it would be a useful illustration of what is likely to be a common occurrence in the days ahead. Surveillance technology has taken remarkable leaps forward in ways that we both imagined and in ways that we overlook, like the fact that many of us have internet-connected devices in the same rooms as our children that is always listening and possibly watching as well. Technology is extremely complicated, and sometimes business partners aren’t always able to vet every aspect of their devices, especially if certain components aren’t built in countries that have the same standards as our own when it comes to privacy, security and quality. This is not to say that we shouldn’t buy things made elsewhere – what choice do we really have? – but that we should be mindful that it is no longer possible for the average human to ascertain whether the product we just put on our child’s wrist observes the same level of children’s rights we’ve come to expect in the US. Heck, even our own companies have gotten that wrong in the past, even when they should have known it was illegal.

Image by Tumisu from Pixabay

We are seeing a large spike in email phishing attacks across the board, both targeting our clients as well as their customers. These types of attacks are not new, but remain effective because the attackers are relying on a set of human behaviors that are predictable and exploitable. Gone are the days when scam emails were laughably obvious with their broken English and strange phrasing. The most successful attempts are now exploiting already-compromised email accounts, social media content and other publicly available information to make the phishing emails indistinguishable from genuine emails by using phrasings, nicknames and familiar work tasks or project language in the body of the email. This becomes even more effective when the potential victim is rushed, distracted, tired or too trusting. Up until recently, this level of effort was reserved for “whales” – principals of large companies, government officials and other, traditional “high-value” targets, but now we are seeing sophisticated phishing emails aimed at all levels of professionals.

What does this mean for you?

At the moment, there is no hardware, software or “silver bullet” that you can employ to combat this level of trickery except being constantly vigilant and knowing what to watch out for. To that end, I’ll try to highlight some of the common features of phishing emails which will help you spot them as long as you keep your guard up.

All phishing emails will typically have one of these goals:

1. Get a password from you
2. Get you to send money to an account
3. Get you to reveal sensitive information that can be used to get to #1 or #2.
4. Get you to install malware on your device

To that end, these emails typically follow a small handful of scenarios. They will likely contain:

1. Links to requested information that require you to “authenticate” using your login and password
2. Attachments that need a login and password to be viewed
3. Requests for you to reply via email with a pin or secret word to verify your identity
4. Links to install this app to view your requested files/information

Seeing as some of these tasks are also common in legitimate transactions, you’ll need to look for the second indicator that the email is not real: in most cases, phishing emails will not actually be from the sender they purport to be.

1. Check the actual senders address. How to check the actual sender’s address varies based on the device and platform, but you should absolutely know how to do this on whatever device, app or program you use to read your email. In Outlook, the actual senders address is typically easy to see, but on mobile devices this may not be the case, so don’t just assume the sender is legit unless you can 100% verify it. It is trivially easy to spoof a sender’s email address, and in most programs just as easy to spot as long as you are paying attention.
2. Does the sender’s address match the content of the email? This week several of my clients received emails notifying them that their Office 365 passwords needed to be reset, but the emails were sent from addresses that were clearly not Office 365 (in this example, “webex.com”). This is a dead giveaway as long as you know what the actual sender’s address should be. Check other known-good emails from the customer or platform in question, look at a recent bill or invoice, or check Google – but make sure you verify – don’t just trust the top search result blindly.
3. The email address looks legit. What now? This is easy – pick up the phone and verify that the sender actually sent that email. If this is a customer and they did, they shouldn’t be annoyed that you were being cautious. If they didn’t, you just gave them a heads up that their account may be compromised. If the email appears to come from a large company, you will want to verify by going to the website by manually typing in the website address or by calling the phone number that appears on your official bill. Do NOT rely on any information in an email to be genuine if you are at all suspicious, regardless of how authentic it looks.

Though it may feel like you need to have the observational skills of Sherlock Holmes and the paranoid vigilance of Mad-Eye Moody, there are a few simple, but critically foundational practices that anyone can adopt to safeguard and insulate yourself from attacks like this:

1. Use unique, hard-to-guess passwords for all important accounts, and pay attention when using them. Every. Single. Time.
2. Don’t store your passwords in an unsecured document on your computer, or in a single physical place (little black book) that could be lost or destroyed.
3. Make sure your malware protection is active and you understand how to check its status.
4. Have recent backups of all your important data stored in the cloud.
5. Pay close attention to everything you do on your device screens. The criminals only need you to be careless once.

Image Courtesy of Stuart Miles at FreeDigitalPhotos.net

There is an ongoing debate in the business world when it comes to deciding whether or not to pay a ransom demand when critical data systems are locked up in a successful ransomware attack. As a rule, technology and security professionals recommend against paying the ransom, but often times the business leaders will calculate the loss and potential risks against the ongoing and future harm the current lockout is causing, and decide to pay the money to get back to work quicker. This is a calculus that the attackers also weigh – how much is too much? What sort of threat does the ransomed data represent to the company?

What happens when they don’t pay?

Most of the time when the victim refuses to pay, the hackers move on to their next target, leaving their victim to pick up the pieces on their own. In the case of Clark County School District, critical school systems were compromised 3 days into the new school year. Despite threats by the attackers to leak the data they were holding hostage, CCSD choose to not pay the ransom, prompting the hackers to post some non-sensitive data as a warning that they meant business. When the CCSD continued to stand tough, the hackers apparently shrugged their shoulders and called the district’s bluff by posting the stolen data on both the regular and dark web, free and unprotected for anyone to download. The 25 gigabytes of data included employee social security numbers, addresses and retirement paperwork, as well as the PII of presumably the entire student body, including names, addresses, birth dates, grades and schools attended.

Previously, ransomware attacks seemed to be focused on businesses, allowing most folks to just shrug their shoulders (even if their own information was possibly compromised) as the impact was far removed from home. In this case, what if an organization over which you have very little influence made a decision that results in very real risk to your child’s future (and present!) livelihood? Clark County wasn’t the only school district to be targeted this year – Hartford, CT and Athens, TX school districts were targeted by similar ransomware attacks, resulting in closures and ransoms paid. As you might guess, schools are attractive targets – the stakes are high, and IT is typically not a high-priority budget item, making them easy targets. Even if the school systems had been backing up their systems (unlikely, see budget or lack thereof) it takes several days for systems to be restored even with a highly-trained and prepared IT team (unlikely), and meanwhile, the phone system is being lit like an angry Christmas tree by parents wondering what the heck is going on.

The reason ransomware attacks continue to be an extremely effective criminal activity is because how effective and profitable they can be. As is evidenced by their tactics and continued success, it’s very clear that ransomware campaigns are now an established weapon of organized crime. Unlike the stylized depictions of the “honorable mob” by Hollywood, today’s crime organizations seem to have no problem targeting our most vulnerable organizations, and aren’t squeamish about casualties along the way.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Though you might not know it, you’ve probably seen at least one TikTok video, and if you spend any significant amount of time on other social media platforms like Face-behemoth you’ve definitely seen one. If you live with teens that have access to the internet, you have more than likely seen them spending hours consuming and producing Tiktok content. Not quite sure what it is? Well, don’t go downloading the app and creating an account without knowing that there are some serious security and privacy concerns about this Chinese social media platform. These concerns are so serious that the US Government threatened to shut down the app altogether unless it sold its US operations to an American company.

“A finger on the Monkey’s Paw curls up…”

Instead of closing a deal with software giant Microsoft with whom they have been huddling since the start of the trouble, TikTok announced over the weekend that US operations of the social media app would be “acquired” by Oracle. Once the initial shock had worn off the announcement and details were revealed, the reasoning behind the agreement became immediately evident. Where Microsoft had been proposing to completely take over TikTok US by completely severing from Chinese firm ByteDancer, Oracle has positioned itself in this deal as TikTok’s “trusted technology partner” which suggests instead of taking over, Oracle will be “partnering” with ByteDancer. Larry Ellison is a vocal and staunch supporter of the Trump administration, and this move allows Oracle to neatly deescalate a thorny problem for the White House as it headed to an ugly legal showdown with TikTok. It doesn’t hurt that this will also allow Oracle to tap into some serious capital, and gain them possible access to ByteDancer’s highly sophisticated AI algorithms that power the app.

At the moment, the deal still needs to be approved by the White House, but given the players and how neatly it ties off the issue for the politicians and business people, it’s hard to see this deal failing. Unfortunately, there are still plenty of questions about what role Oracle will play in answering many privacy and security concerns that still remain with the app. For now, our recommendation is for our clients to keep an eye on TikTok and to enjoy the content via something other than the app itself.