I initially distrusted this bit of recent news because of how it was disseminated. Twitter still has considerable reach for widespread messaging, but it has lost any trustworthiness as far as I am concerned since being taken over by a billionaire with questionable judgement hellbent on running the platform into the ground. Doing as one should do with something this ominous tweeted by the Denver office of the Federal Bureau of Investigation, I performed my due diligence to confirm a tweet posted a few days ago the aforementioned office’s Twitter account warning people away from using public chargers to power their mobile devices, as “juice jacking” is apparently still a thing. This was confirmed by the FBI’s official online safety webpage: https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/on-the-internet
What this means for you
I say “still a thing” as the Los Angeles District Attorney’s office got enough attention focused on this in 2019 by the mainstream media for it to actually make headlines for a few days until Covid showed up to hog the limelight. Despite this juice jacking’s inexplicable resurgence in the news in 2023, there doesn’t appear to be any documented cases of this exploit actually being used “in the wild.” Public charging stations have been steadily appearing at various other public venues like malls, shopping centers, hotels and tourist attractions since at least 2011, which is when the idea of juice jacking was first presented to the public at a Defcon exhibit entitled (insultingly and pointedly) “Wall of Sheep”. The objective of this display was to demonstrate the ease of which a mobile device (like your smartphone) could be compromised when physically connecting it to something which the user had no way of knowing was safe or even provided in their best interest. Ironically, even though seems to be more FUD marketing and yet another example of why we can’t have nice things, this is still actually solid security advice. You should always think twice before connecting your device, wireless or wired, to something that you don’t control, own, or at least have some reason to trust (ie. WIFI provided by your work, a friend’s battery pack, etc.), and this definitely includes charger cables which, in case you forgot in this day and age of wireless everything, can also be a data connection cable. Be safe, bring a battery pack with you or turn on battery saving mode until you get to somewhere you can trust.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
One of my favorite story tropes is where the main character is magically transported back in time, enabling them to use their “modern-day” scientific knowledge to appear powerful and gain advantage over the relatively primitive denizens of their new surroundings. The most famous, well-known example would be the Wizard in The Wizard of Oz, but this idea appears throughout literature and film as far back as 1889 in Mark Twain’s A Connecticut Yankee in King Arthur’s Court. I’m also known to repeatedly quote Arthur C. Clarke (who also used this trope in his seminal work Childhood’s End), “Any sufficiently advanced technology is indistinguishable from magic.”
It’s not magic but it might as well be
The information security industry is currently abuzz with quantum computing talk, particularly so because of President Biden signing into law the “Quantum Computing Cybersecurity Preparedness Act” at the close of 2022 which instructs government agencies to begin preparing their security to withstand quantum-computing powered encrypting breaking tools. For most of us, quantum computing sounds like something you would read about in a Clarke novel, and if you try to get into the details, it might as well be sorcery. The second line of the Wikipedia article literally states:
Classical physics cannot explain the operation of these quantum devices…
Quantum computing – Wikipedia
And there are probably very few of us who could even begin to explain how today’s computers work, let alone one powered by quantum physics. Knowledge is power, and we are increasingly at the mercy of devices that are essentially magical to us, and more so to the ones that control the knowledge and technology that powers them. This is particularly relevant with regards to the vast amount of valuable data locked in LastPass’s stolen but encrypted data vaults. If I could tie it to another famous movie trope, imagine bank robbers attempting to crack a massive, steel vault with a fancy laser drill while counting down the seconds until the lock is drilled through. Substitute quantum computing for the drill, and hackers for the bank robbers, and you have today’s unfolding scenario: an escalating technology arms race that requires federal laws to be passed and a select few wizards anointed to make sure we are kept safe. Wizards are traditionally feared and respected in fiction for good reason, and as in Baum’s famous tale, not necessarily always operating with everyone’s best interests in mind. Does it require you to understand quantum computing, to become a wizard, just to keep yourself safe? No, but keep your eyes on the wizards (and their handlers – kings, presidents, lawmakers, etc.) to make sure they wield their power ethically and safely.
Image generated by deepai.org based on the single word “Wizard”
The news is aflutter with Artificial Intelligence bots doing things like writing job descriptions, college essays, passing Bar exams and apparently various other menial tasks that we humans would clearly rather have someone else doing, especially if that someone else doesn’t need to get paid, or at least paid a living wage. Both Microsoft and Google have announced their intentions to include AI in their business platforms, and while some of the things people have had AI do are pretty nifty, we also seem to be conveniently forgetting or at least disregarding the consequences of letting technology do everything.
“I’ll be back.”
Terminator is probably an extreme example of AI gone horribly awry, but we can already see faint echoes of a future where we become complacent about machines replacing humans across all aspects of our lives. Sure, it is nice that technology can assist with the dangerous, dirty and banal tasks, and for it to augment our capabilities in things where our physical bodies limits us, such as space exploration or virology or disabilities, but once it starts replacing things we should know how to do (even if not as well as a machine), we are placing a dangerous amount of trust in something that can (and will) fail. The most common manifestation of this is how most humans handle password management. We rely on technology to remember and automatically enter passwords for us on everything, including the most critical services such as email, banking apps and even the password management platform itself, and as a result, don’t remember any of them, or even realize that a password is required at all.
As a simple test of how vulnerable you might be to this over-dependency, if you imagined yourself being sat down in front of a brand-new phone or computer, would you know how to get access to something like your email, or your bank account, or even where your passwords are stored? If even imagining this scenario is triggering your fight or flight response, you might be relying on technology too blindly. There is a fine line between allowing technology to augment our capabilities as humans versus replacing basic skills that everyone should have in a rapidly evolving world. No AI spam filter in the world will beat well-trained common sense and skepticism. Using technology and our humanity together is the difference between utopia and dystopia.
Image courtesy of Geerati at FreeDigitalPhotos.net
If you were confused about what exactly was stolen in 2022’s LastPass breach – join the club. I think much of the confusion is stemming from the damage control LastPass is attempting to do around their massive data exposure that happened in August and was revealed to the public in December. We know that much of the info that was stolen was unencrypted – login names, email addresses, URLs, etc. and there was some debate as to whether or not the hackers stole encrypted data that contained actual passwords. I’ve had several folks tell me point blank that the passwords weren’t exposed and that LastPass is still safe. Well, guess what – we can put that misconception to bed now. LastPass has dropped another bombshell – one of their devs got hacked and the hackers used the dev’s compromised home computer to gain access to LastPass’s Amazon secure cloud storage to steal the encrypted password vaults of 30 million customers.
What this means for you
There’s a whole lot of gobbledy-gook in the LastPass release – it reads like technical explanations filtered through an army of lawyers and PR flacks (because it was), and beats around the bush on the most important part: LastPass is confirming that Hackers have exfiltrated everyone’s encrypted password vaults – and as I have been warning you about since I learned about this – it is only a matter of time before someone brute-forces their way into someone’s encrypted vault and is rewarded with the password trove within. And they have all the time in the world to do this, which means you have much less time to change any passwords that were stored in LastPass. Hackers will target high-value password vaults first – they will look for ones that have lots of bank account logins or other potentially lucrative access points, but you can bet they will put computers to grinding out every single vault, big or small – because they can, and they have the resources to make this investment pay off.
Stop reading. Go change your passwords.
Image by Gerd Altmann from Pixabay
It’s hard to be witty about something you despise with every ounce of your soul, so I’m not going to even try. Do whatever it takes to make sure your less savvy family members know how to identify and ignore the absolute deluge of scam emails and phone calls people have been getting this year. You can help by pointing out the patterns they use, which will hopefully lead them to recognize the patterns and the methods these criminals will use to scam them. At minimum, it will help instill a healthy skepticism which is an essential foundation for being secure in today’s internet-soaked society.
What to watch for
A very common scenario involves the target receiving an email letting them know either that the moderately expensive product they ordered or subscribed to is in danger of not being delivered because of a payment issue. They are hoping that their target is actually a user of this product and will call to make sure the purchase isn’t in jeopardy, or call to cancel, thinking either they forgot to cancel it previously, or somehow mistakenly ordered it (also not difficult to do for real, unfortunately – another despicable marketing tact used by every major technology platform).
It is distinctly possible that you might actually receive a legitimate email from any of the scapegoat products scammers are using, but where they will differ will be in how they attempt to solve “the problem”. The scammers top priority is to get their target on the phone and their primary objectives are fairly obvious – they want access to your PC, or they attempt to get various payment methods identified to make sure your “purchase” is completed. Most obvious is when they insist on getting access to a payment platform that is tied directly to a bank account, whether it be Venmo, Gazelle or your bank’s actual mobile app. As a rule of thumb, unless the person on the other end of the line is someone you know and trust, you should never grant someone access to your PC, or even consent to installing software on your computer or phone. Full stop, no exceptions. If there is ever any doubt or suspicion, stop what you are doing and get a second opinion from a trusted expert.
If you or they have received an email from a recognized brand but are unsure of whether it is a legitimate notification and don’t have ready access to an IT or security professional, pick up the phone and call a known, good phone number for the company, or at minimum, go to the brand’s website typing in the website address directly into the URL field. DO NOT USE SEARCH UNLESS YOU KNOW HOW TO SPOT THE DIFFERENCE BETWEEN ADVERTISEMENTS AND SEARCH RESULTS. Teach yourself and everyone around you how to go directly to a website by typing in the actual website address. Searching for “(famous brand) Support” can lead to various fake websites built expressly to trick people into calling them instead of the actual company. Hackers pay to push these fake sites to what appears to be the top search result, but they are in fact relying on the various search engine advertising page placements to trick people into thinking they picking the top search result.
Criminals are counting on everyone being overwhelmed and rushed. They are hoping you will call the number or click the link they have conveniently provided to you. They will catch you in a moment of weakness and that mistake may end up being very costly. Go slow. Verify carefully. Be sceptical. Ask for advice from someone you trust and know personally.
Image by kewl from Pixabay
(Edited 12MAR2025 – Grammar and readability)
I’d hazard a guess that this could be more broadly stated that people world-wide don’t understand how their data is being used by companies and governments, but the basis for this generalization comes from a study published by the US by the Annenberg School for Communication entitled “Americans Can’t Consent to Companies’ Use of Their Data.” A bold statement for a country for whom a large part of their economy is derived from monetizing digital ones and zeroes, but the subtitle tells us the rest of the story: “They Admit They Don’t Understand It, Say They’re Helpless To Control It, and Believe They’re Harmed When Firms Use Their Data – Making What Companies Do Illegitimate.”
Doesn’t exactly roll off the tongue
The survey asked 2000 Americans 17 true-false questions about how companies gather and use data for digital marketing purposes, and if participants were to be graded on the traditional academic scale, most of the class failed, and only 1 person out of the 2000 got an “A”. An example of the type of knowledge tested:
FACT: The Federal Health Insurance and Portability Act (HIPAA) does not stop apps that provide information about health – such as exercise and fertility apps – from selling data collected about the app users to marketers. 82% of Americans don’t know; 45% admit they don’t know.
“Americans Can’t Consent to Companies’ Use of Their Data: They Admit They Don’t Understand It, Say They’re Helpless To Control It, and Believe They’re Harmed When Firms Use Their Data – Making What Companies Do Illegitimate.” Turow, Lelkes, Draper, Waldman, 2023.
You should read this paper (or at least the summary), but I understand it if you don’t. Even though it reads easier than your typical academic paper, the topic is uncomfortable for those who have an inkling of what’s at stake, and for most of us, we’ve already resigned ourselves to not being able to do anything about it because we feel powerless to do otherwise. And this is their point – this paper wasn’t written merely as an academic exercise. The authors are basically claiming that because very few of us can understand the variety and extent to which companies collect and use our data, there is no possible way we can give genuine informed consent for them to do so. But unless there are laws that protect us in this regard, American companies can do as they please, and they will do so because their responsibility is not people but to stakeholders, and in this current market, minding everyone’s privacy is not nearly as profitable as ignoring it.
This report now provides evidence that notice-and-consent may be beyond repair—and could even be harmful to individuals and society. Companies may argue they offer ways for people to stop such tracking. But as we have seen, a great percentage of the US population has no understanding of how the basics of the commercial internet work. Expecting Americans to learn how to continually keep track of how and when to opt out, opt in, and expunge their data is folly.
ibid, Page 18 (emphasis mine)
As is often the case with academic papers, rarely do the authors take on the monumental task of attempting to solve the issue, but they at least acknowledge that our lawmakers must acknowledge this enormous elephant on the internet before anything can be done to address it.
We hope the findings of this study will further encourage all policymakers to flip the script so that the burden of protection from commercial surveillance is not mostly on us. The social goal must be to move us away from the emptiness of consent.
ibid, Page 19 (emphasis mine)
Perhaps a letter to your elected representatives asking them if they’ve read this article and have any interest in doing something about it?
Image courtesy of TAW4 at FreeDigitalPhotos.net
Part of our occasional series “The Elephant on the Internet”
I remember the very first appearances of Facebook on the internet, and I happened to be working at a university when it first started making waves on campuses around the world. In our particular case, some students posted pictures of some other under-age students consuming alcohol, and this particular campus was (and still is) famously “dry”. I’d only heard about it because leadership prepped me for a conversation with some concerned parents about privacy and what exactly the university was going to do about it. I don’t remember the exact conversation, but I wasn’t able to offer much assurance to anyone at the time. Even back then (Facebook started in 2004), the internet and social media were well on their way to being out of anyone’s control. Fast forward nearly 20 years, and we have companies who are literally able to thumb their noses at just about any governing body, and has been proven time and again, literally able to influence elections and who is supposed to be in charge of policing themselves.
The trap is already sprung. We are in the net.
Unfortunately for everyone (including those of us who try to keep social media at arm’s length) the various platforms have become deeply embedded in our daily lives, to the point where we believe we could not survive without them, and for those brought up on it or who have made careers on these platforms, this might be actual a dreaded reality. A recent article published in Forbes shined a rare light on an internal practice at TikTok – already under fire for various privacy and security concerns – called “heating” which essentially is a button select folks at TikTok can push to make a video go viral. I’m sure some of you suspected that the notion of things going “viral” has long been controllable on the various platforms on which this can occur, but this particular article also details the why “heating” would be used strategically to secure the platforms dominance in the market. It’s an old carny trick – hook a bunch of suckers by letting someone win a big, showy stuffed animal in a rigged carnival game early in the day. The prize-winner walks around the carnival, happily advertising the game – in this case, perhaps you are an upcoming streamer on a different platform. Someone at TikTok has determined you would be a good investment and “heats” your video, causing it to go viral. The newly popular TikTokker tells his other platform audiences about his blow-up on the platform, and all of a sudden TikTok has thousands more eyeballs. You see how this goes? The insidious part is next: without the rush of a “heated” video, the TikTok creator is now chasing a high that was artificially created. Imagine this is also something that Facebook or Twitter does for its most popular creators, except when that creator’s views seem lackluster, they offer a little help in form of letting them pay to promote their content. Sound familiar? The first hit from a drug dealer is always free, and once you are hooked, it’s hard shaking that addiction. Meanwhile the drug dealer quietly pockets the cash while tsk-tsking about fickle viewers. This next hit will fix you right up, eh?
Image courtesy of TAW4 at FreeDigitalPhotos.net
Most of you know that I do not recommend using certain “freemail” accounts for any aspect of your professional lives. In short, many of them are poorly supported, barely secured and frequently targeted by cybercriminals because of these elements and because of who uses them. The ones that are being heavily targeted now are mostly legacy accounts that were established by old ISP companies that have since merged, sold or otherwise transformed into another company. Examples include sbcglobal.net, att.net, roadrunner.net, aol.com, yahoo.com, earthlink.net, etc, but they all share a common aspect: responsibility for maintaining the services that power these emails has been passed from company to company like a red-headed stepchild and the services are clearly suffering from neglect.
I’ve had this email for years! I can’t change this email!!
Invariably, we’re going to have this conversation, with you or perhaps with an elder member of your family. And yes, for some folks, changing an email address that you’ve had for 10+ years is going to be a huge pain. There are alternatives to completely abandoning the account, but there is still going to be some work to keep it, you and your loved ones safe. It depends highly on the email service, but most of them have made token efforts to upgrade their security and accessibility. Log into the account, look for account settings, specifically security to see if any of the following are available:
- First and foremost, if they offer multi-factor/2-factor authentication, set it up and use it. This is a no-brainer, and just about everyone has a cell phone.
- Set up a backup email account – most email services offer the ability to set another email account as a way to rescue or recover a forgotten password.
- Even if they can’t do 2-factor, some freemail services let you attach a cellphone for recovery purposes. Support personnel (if/when you can actually reach them) can use the cellphone to verify you are the proper owner of the account when you are in the process of attempting to recover access.
- Check to see if the password to secure this account has been compromised using this website: https://haveibeenpwned.com/Passwords. Even if it hasn’t, if it’s an easy to guess password, change it and write it down if it’s not one you or they are going to easily remember.
In the end, these are only stop-gap measures. Some email domains are currently on their 4th or 5th handoff, and at a certain point they are likely going to end up with the lowest bidder – something you never want for a critical technology service like email. Your eye should be on transitioning to a more sustainable platform like Gmail or Outlook.com.
Photo by Christin Hume on Unsplash
Late in the year, just in time for the holidays, LastPass released more information about the security breach they experienced in August of 2022. And as could be expected, it wasn’t good news. It wasn’t the worst news, but in my estimation, it’s still going to create a lot of headache and work for their customers, some of whom are using their service based on our recommendation. C2 uses LastPass internally but not to store client passwords, but regardless we will be migrating away from them as soon as practically possible.
What this means for you
If you’ve read their statements regarding this security breach you might be under the impression than your passwords are safe. The encrypted vault that was stolen was a backup of customer data from September 22, 2022. If you started using LastPass after that date, you are not part of the breach and you are actually in the clear (for the moment). If you’ve been using LastPass before that date, it’s highly likely that hackers have access to your encrypted passwords. Per LastPass, if you choose a strong master password, those passwords are relatively safe. However, given enough time and computational resources, any encryption can be broken, so the clock is ticking on how long they will remain encrypted. It’s more important that you should know that each password’s associated login name and URL were also captured in the data stolen and those important bits weren’t encrypted. This gives hackers many more points of data to hone their phishing attacks and will result in highly targeted, realistic phishing emails that purport to be from services you actually use, utilizing specific information you will recognize, to lend credibility to fake emails. Given that it is definitely easier to trick humans than to crack 256-bit encryption, we’re banking on the fact that everyone, not just our clients will be facing numerous phishing attempts in the coming year. What can you do to combat (I do not use that word lightly) this?
- Any passwords stored in LastPass should be changed. If you have lots of passwords stored, this may take some time, but it will be well worth it.
- Any opportunity you are given to utilize multi-factor authentication to further protect an account should be taken.
- Review your master password. If it is not complex and/or easily guessable, you should change it. Be careful! If you mess this process up and lose your master password, they will not be able to recover it. You will have to abandon the account and the data within.
- Regard emails received from your known services very carefully, especially if it results in a login prompt or a password inquiry. Phishing emails are getting very sophisticated. If you receive an email that looks legitimate, don’t use the links embedded in the email regardless. Hand-type the URL of the service you need to use into your browser or use a favorite/shortcut you created to get to the website. Make sure you don’t mistype the URL – there are plenty of fake domains created specifically to capture mistyped URLs. Don’t search for the website using your browser – this can also lead to fake websites if you aren’t paying close attention.
- Consider moving to a different password management platform. Industry opinion is mixed on whether or not LastPass was using best-in-class technology and methodology to store your data at the time of the breach, but they are being widely criticized for their lack of transparency and urgency in addressing the breach. Understand that with a breach on this scale, multiple lettered agencies will be involved as well as numerous lawyers, so transparency will always suffer in these types of matters.
If you have questions about how you might be impacted by this breach, or what your company can do to implement password management at an organizational level, please give us a call or send us an email. We can provide a platform that can provide secure password sharing for you and your co-workers that is also administered and supported by C2.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Traditionally I like my year-end messages to be hopeful, but as I am someone who does not mince words when it comes to your technology, I don’t come to you at the close of 2022 with a message of optimism. If anything, I want to congratulate you for surviving this year with your sanity and health intact, if not your technology security. Accomplishing all three is something to be commended, and I am sad to report that not all of our clients were as successful, including a client and good friend who passed unexpectedly this year. This post is dedicated to him, and to everyone who fought the good fight this year, either against cyberattacks, Covid and everything between.
“Don’t take security for granted.”
This is my year-end message for you: If there is one trend I can clearly point to in this past year (and in years previous), is that you are the first and last line of defense in the war for your technology security. You are the first and last line of defense in maintaining your privacy. We here at C2 Technology are willing and able to throw ourselves in front of as many attacks as we can, but we can’t be with you in every moment, everywhere you touch technology, nor should you want us there. In almost nearly all cases of hacks that we have worked through this year, and numerous others I have read about, breaches and compromises have occurred because attackers are very successful at exploiting human, not technology, weaknesses.
One thing that I know for sure is that you can count on even more cybersecurity attacks in every aspect of your personal and business technology. There is big money in compromising your security – organized crime has moved, full-scale, into funding, staffing and managing highly effective fraud call centers and hit-squads whose primary objective is to trick you into giving them access to your stuff and then cleaning house. On top of this, there is no singular magic bullet, app, governing body nor enforcement agency that can protect you. Let me reiterate – there is no perfect, monolithic solution C2 or any other organization can provide to you to keep you perfectly safe. As with cold weather, layers are better than just a single, bulky jacket. Your best defense will be a collection of services, software and best practices. Your configuration of those layers will vary based on personal or organizational need, but everyone should at minimum be considering the following:
- Constant vigilance is the key. You should assume that you are under constant cyberthreat and act accordingly. As much as it feels distasteful say this given the current political climate, you should consider yourself on cyber-wartime footing with no armistice or ceasefire in your near future. You may have heard me jokingly compare this vigilance with paranoia, but my gallows humor may have done you a disservice in making light of this situation. Make no mistake, this is very serious, and I do not see anyone being able to let down their guard anytime soon. As I mentioned above, C2 can’t always be there for a magical, “Get down, Mr. President!” moment. All we can do is attempt to train you to spot the peril. If you have employees, you should bolster their vigilance with actual, formal training – not everyone will have the same level of urgency on technology security as the principals of the organization, but training and testing will help them understand the importance and impress upon them that this is a part of their job responsibilities, regardless of their role in the organization.
- If you aren’t using unique passwords and multi-factor authentication for your critical online accounts, you are doing the cyber equivalent of leaving the keys in your running car in a dangerous neighborhood. You should check your most-used passwords here, and if any of them show up on the list, immediately change that password everywhere you used it. Right. Now. If you can turn on multi-factor authentication for your banking and other critical service accounts and haven’t already done so, do so. Right. Now.
- Back up your files to a cloud provider on a daily basis. You can get a very reliable, easy to use service for as little as $7/month, and you might already have access to a form of cloud backups through Apple or Microsoft by virtue of other services for which you are already paying. Keep in mind, services like OneDrive and iCloud are a form of short-term backup, but do not normally provide long-term recovery of files deleted more than 30 days ago, nor can they fully protect against certain forms of ransomware attacks, so make sure you consult with your friendly neighborhood technology professional about what would be appropriate for your use case.
- Keep work and personal separate. This may be difficult to do especially if you work from home on your own technology, but the more you intermingle, the more risk you take from one side or the other. This also goes for using your home network if you have family that aren’t as security conscious as you, especially seniors and young children, both of whom are particularly vulnerable to scams that most of us spot in a heartbeat. Your technology professional will have ways to segment your work and home life, but it will result in additional expense and inconvenience.
- At the business level, antivirus and malware protection has evolved into what is now known as “endpoint protection.” The free software that comes with your new PC is NOT endpoint protection, nor is the product they are trying to upsell you. The primary difference between the two is that last generation products relied heavily on definition tables and scheduled scans of your files, which is not nearly as effective against modern malware tactics that sometimes don’t even involve something being installed in your hard drive, or software that literally changes by the hour. Endpoint protection relies on algorithms that are able to analyze the behavior of softwares and services to determine if they might be harmful, and more importantly, are designed not only to protect the device on which it’s installed, but also to protect the network to which it is connected, something that previous gen antivirus software could not do.
- If you deal with any kind of PII (personally-identifiable information) where that information is stored on your computer – even if only in transit – your hard drive should be encrypted, especially if the device housing it is easily stolen, such as a laptop. Fortunately, both Windows and Mac OS do include encryption, but it isn’t always enabled, and in the case of Windows, it is only readily available in the “Professional” (more expensive) variant of their OS.
- You should be making sure your operating system and main software apps are kept up to date. Microsoft releases updates on a weekly basis, and about half of them require a reboot to full apply. Windows 10 (and to a certain degree 11) is so stable that it can go weeks without rebooting but waiting that long can cause other problems that will be a lot more inconvenient than restarting your PC. We recommend clients restart their PCs as frequently as every 3 days – this accomplishes needed housekeeping tasks as well as clearing the “virtual crud” that all PCs accumulate through daily use, especially if you like having lots of windows and apps open.
Technology security requires a holistic approach, and I don’t mean tuning your chakras and making sure your gut biome is balanced. Every aspect of your technology, from internet provider to software services, every device used in the work process, all users, and even your clients’ and customers’ technology should be reviewed and considered when formulating your security approach. The days of “set and forget” are long gone. Protecting your technology is something that will require effort and, dare I say, constant vigilance.