Security Best Practices

In light of the recent security breach of the LinkedIn website and passwords, NMGI would like to remind clients to take every measure possible to ensure the safety of your information.

In case you are not sure where to start, we have listed some best practices to ensure account security and privacy:

Changing Your Password:

  • Never change your password by following a link in an email that you did not request, since those links might be compromised and redirect you to the wrong place.
  • If you don’t remember your password, you can often get password help by clicking on the Forgot password link on the Sign in page of most websites.
  • In order for passwords to be effective, you should aim to update your online account passwords every few months or at least once a quarter.

Creating a Strong Password:

  • Use encrypted password management software to keep track of all of your passwords.
  • Variety – Don’t use the same password on all the sites you visit.
  • Don’t use a word from the dictionary.
  • Length – Select strong passwords that can’t easily be guessed with 10 or more characters.
  • Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
  • Complexity – Randomly add capital letters, punctuation or symbols.
  • Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).
  • Never give your password to others or write it down.

A few other account security and privacy best practices to keep in mind are:

  • Sign out of your account after you use a publicly shared computer.
  • Keep your antivirus software up to date.
  • Don’t put your email address, address or phone number on public profiles.
  • Only connect to people you know and trust.
  • Report any privacy issues to Customer Service.

*Modified from


Basics for safer downloading

used with permission from Microsoft at Work

Whenever you download a file—whether you open a spreadsheet attached to an email message, grab a cool little screensaver or mouse cursor from the web, or download music or video files from someone else’s computer—you could be putting your computer at risk.

You can take some basic steps to protect your PC and your company’s network:

  • Set up your computer with security protection. When you upgrade to Windows 7 from Windows XP, you automatically get a lot of security protection built right into the system.
  • Increase your awareness of attack methods so that you can be on the lookout for them.
  • Use tools to remove unwanted software that has been downloaded to your computer (despite your best efforts to prevent it).



Cloud security: Risks vs. reality

used with permission from IBM ForwardView

The mobility of smart phones, netbooks, tablet PCs and other portable devices has fundamentally changed the when, where and how of our computing lives. And with cloud services, the source for data and applications used by these devices can be anywhere, too. The flexibility of cloud to scale bandwidth up or down at will, and its affordability as a pay-as-you-go service, have resulted in an interconnected, intelligent approach to smarter computing.


How Free Antivirus Software Can End Up Costing You

used with permission from Symantec




Free antivirus software may seem like a bargain, but it’s not. Learn what issues you need to consider before you download this particular “freeware.”

In this tough economy, getting something for free is always a good thing, right? Short answer: It depends on your tolerance for risk.

Take free antivirus software as an example. It may seem like a bargain, but it’s not. Here are the issues to consider before you download this particular “freeware.”

First and foremost, free antivirus software doesn’t provide the comprehensive protection you need against today’s biggest online threats. So when you trust your computer, applications, files and identity to free antivirus software, it can end up costing you more in time, aggravation, and money than you ever imagined.

Most free antivirus software is really just bait that some software companies use to lure you in. It’s usually a “light” version of one of their paid products that offers only limited protection against today’s online threats.

After you install most free antivirus software, you can expect to be hit with a barrage of annoying, time-wasting pop-up alerts telling you that it only provides “basic” protection. Then you’ll receive recommendations to switch to one of the software maker’s paid security products for “complete” protection.

Latest threats get a free pass
Another point to keep in mind: Experts agree that today’s biggest online threats come in forms that free antivirus software doesn’t stop. Threats such as rootkits, bots, keyloggers, hackers, phishing scams, and infected Web sites breeze right past most free antivirus software.

These threats can pose an even bigger danger than viruses, not only to your computer and files, but to your bank account as well. They can lead to a hard drive crash, system failure, or worse, identity theft. And that’s when using free antivirus software can get really expensive.

Also, free antivirus software is generally reactive. That means it only deals with threats after they’ve attacked and had an opportunity to do damage to your computer and files.

And that’s not all. Because free antivirus software offers only limited protection, you also have to find, download, configure, and install a standalone firewall and standalone spyware program to get the protection you really need.

That takes time. A lot of it. But the drain on your time doesn’t end there. When you build your own security suite using standalone free security software, compatibility issues can cause conflicting alerts and even hard drive crashes. That’s even more time wasted — and a whole load of aggravation you don’t need.

So what’s the bottom line? Free antivirus software simply doesn’t provide the comprehensive protection you need in today’s online world. When you add up the various costs listed above, free antivirus software isn’t free at all.


Controlling Social Media in the Business Environment


Everywhere you turn, you hear something about “Follow us on Twitter,” or “Like my Facebook Page.” Social media is a communications platform that is here to stay, and if you’re like many business owners, you’re wondering “what does this mean for me and my business? How do I use it in my business without it becoming a distraction?”

Social media should be a part of your business’s marketing plan, and controlling employees’ usage on these sites will help keep them productive instead of allowing them to use company time for personal interaction.

But now that businesses are effectively using social media as a marketing and communications tool, the question becomes whether to allow employees to use social media while at work or on work equipment.

Social media can be a distraction and it poses IT security risks. These sites are known to bring viruses and malware into organizations, so if you decide to allow employees to use social media for business or personal reasons, there are options to mitigate the risks.

One step is to craft and distribute an Acceptable Use Policy to all employees. This policy should clearly define:

  • Where employees can and cannot go online

  • What types of files employees can and cannot download to your network or upload onto social media sites

  • When and to what extent they are allowed to use the Internet for personal matters

  • Which types of activities are strictly forbidden

  • What the consequences are of violating these policies

Another step would be to make sure you put the appropriate controls on your employees’ computers.

It’s nearly impossible to police every activity your employees do online, but installing a Web filter is an easy way to control who can access social media sites and other websites that are not related to business. Web filters also block Internet applications that you don’t want your employees using at work and offer additional protection against malware and viruses.

These controls can be as loose or tight as you want them. You can offer access to specific employees and can even determine what time they are allowed to access these sites. For example, you could decide that your staff is allowed to access Facebook only from noon to 1 p.m. during their lunch period. Or you can decide that just your marketing staff can access it all day, every day. It’s a flexible system, so it’s really up to you to decide.
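The group and time-of-day rules described above can be written as a small allow-list with a default of "block". The following is an added example, not part of the original article or any particular web filter product; the group names, the list of filtered sites and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    group: str                                  # hypothetical directory group
    domain: str                                 # site covered, subdomains included
    window: Optional[Tuple[time, time]] = None  # (start, end); None = any time


# Constructed policy mirroring the article's two examples.
POLICY = [
    Rule("staff", "facebook.com", (time(12, 0), time(13, 0))),  # lunch hour only
    Rule("marketing", "facebook.com"),                          # all day, every day
]

# Sites the filter treats as non-business; anything else is out of scope here.
FILTERED = {"facebook.com", "twitter.com"}


def host_matches(host: str, domain: str) -> bool:
    """Match the domain itself or a true subdomain, never a mere string suffix."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_allowed(groups: Iterable[str], host: str, when: datetime) -> bool:
    """Decide one request: explicit allow rules first, otherwise block."""
    groups = set(groups)
    if not any(host_matches(host, d) for d in FILTERED):
        return True                     # not a filtered site
    for rule in POLICY:
        if rule.group not in groups or not host_matches(host, rule.domain):
            continue
        if rule.window is None:
            return True
        start, end = rule.window
        if start <= when.time() < end:  # end is exclusive: 13:00 is blocked again
            return True
    return False                        # filtered site with no allow rule


def audit(requests) -> List[Tuple[str, str, str]]:
    """Turn (user, groups, host, when) requests into usage-report rows."""
    return [(user, host, "allow" if is_allowed(groups, host, when) else "block")
            for user, groups, host, when in requests]


if __name__ == "__main__":
    def at(hour, minute):
        return datetime(2024, 1, 15, hour, minute)  # constructed date

    sample = [  # constructed requests
        ("alice", ["staff"], "www.facebook.com", at(12, 30)),
        ("alice", ["staff"], "www.facebook.com", at(13, 0)),
        ("bob", ["staff", "marketing"], "m.facebook.com", at(9, 15)),
        ("carol", ["staff"], "twitter.com", at(12, 30)),
    ]
    for row in audit(sample):
        print(row)
```

The subdomain check matters in practice: matching on a plain string suffix would treat an unrelated host such as `notfacebook.com` as Facebook and apply the wrong rule to it.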

Additionally, web filters offer Internet usage reporting, which will give you a high-level look at your bandwidth consumption, how much time your employees are spending on non-business related Web activities, what sites they are visiting, as well as your exposure to viruses.

When dealing with potential security threats, it is always best to address the situation before something bad happens.

Your IT administrator, or outsourced IT department, can easily set up any of these systems, which will help secure your business from social media-related viruses and problems.


Protecting your wireless network


Why wireless security?
When you have a wireless network, you need to make sure it’s kept secure. An unencrypted network presents the potential for security breaches.


Wireless technologies that provide long-range connectivity can’t be contained within an office. When you use a network that’s not secure, hackers could potentially “capture” the information you’re sending back and forth. This means passwords, records, and more.

Isn’t my network already secure?
With some older wireless technologies, like Bluetooth, access is limited by physical proximity to the corporate network. However, wireless technologies that provide long-range connectivity, such as 802.11n, can’t be contained within an office space. That means anyone within range of a non-secure network can gain access.

What happens if I don’t secure my network? 
It may seem harmless to offer your network’s access to outside users, but it’s more than just letting people surf the Internet for free or accidentally send print jobs to your printer. There are actual hazards:

  • Breach of privacy: When you use the Internet, you are sending “packets” of information back and forth. Hackers could potentially capture and open these packets. This means access to passwords, financial records, customer information, private data, and more.
  • Slower access: Additional users on your network, especially those who may be downloading and uploading content, will slow down Internet access for all users.
  • Illegal traffic: Unwanted users may access your network for illegal Internet activity. If this happens, you may be caught up in any legal action taken.
  • Data usage overages: Many ISPs limit your monthly data usage. Unwanted users can cause your account to be in violation of those limits.

Basic wireless security: Encryption
When it comes to wireless security, encrypting your network is the most important security measure—it also may be the only measure you need. Whether sending confidential documents to the Internet or to your printer, encryption will scramble this information to outsiders.

What is encryption?
All of your wireless devices, including wireless printers, connect to your computer through your wireless router. When you encrypt your network, the information transmitted to and from your router is scrambled, making your network’s information unreadable to outsiders.

How do I encrypt my network?
Encryption means creating a difficult network password, also known as an encryption code or passphrase. Note that there are many methods of encryption, though not all of them are secure.

Read on to learn which encryption methods are secure and how to create a strong password.

Types of encryption
There are many methods of encryption, though not all of them are secure.

  • WEP (Wired Equivalent Privacy)
    This basic level of encryption isn’t considered secure. Because some older wireless printers only support WEP, you may have to choose between lowering the level of security for your entire network to WEP and connecting your printer using an Ethernet or USB cable.

    You might also consider upgrading your printer. Remember, though, while using WEP is not encouraged, WEP encryption is better than no encryption.

    To create a WEP password: Make a case-sensitive password using 10-58 digits (use the numbers 0-9 and the letters A-F).

  • WPA and WPA2 (Wi-Fi Protected Access)
    Created in response to WEP’s weaknesses, WPA and WPA2 are the preferred methods of encryption, which use passwords and passphrases. What’s the difference?

    A password is generally one grouping of letters, numbers, and/or punctuation without spaces. Example: p@ssw0rrd

    A passphrase is a string of grouped letters, numbers, and/or punctuation (almost like a sentence), including spaces, longer than anyone could reasonably remember. Example: +hI$ 1s An 3xAmpLe 0F @ Ba$iC pa$sPhRa$3!

    To create a WPA or WPA2 password or passphrase: Make a case-sensitive password using at least 13 characters, including upper- and lowercase letters, punctuation, and numbers. If using a passphrase, include spaces.

    Tip: By including spaces, a passphrase is much harder to break than a password. There are many online sites that can generate random passwords for you.
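As an alternative to an online generator, a key can be produced and checked locally. The following is an added example, not part of the original article: it validates a WEP hex key, checks a WPA/WPA2 passphrase against the advice above, generates a random passphrase with the operating system's random source, and shows the standard WPA/WPA2-Personal derivation of the 256-bit network key from passphrase and network name (PBKDF2-HMAC-SHA1, 4096 iterations). It assumes the common WEP key sizes of 10, 26 and 58 hex digits, where the article gives only the range 10-58, and the standard's 8-63 printable ASCII limit for passphrases; the function names and the SSIDs are made up for illustration.

```python
import hashlib
import math
import secrets
import string

# Hex digits -> nominal WEP key size in bits (the nominal size includes a 24-bit IV).
WEP_HEX_LENGTHS = {10: 64, 26: 128, 58: 256}

# Printable ASCII, space included, as permitted in a WPA/WPA2 passphrase.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def wep_key_bits(key: str):
    """Return the nominal WEP key size for a hex key, or None if malformed."""
    if len(key) in WEP_HEX_LENGTHS and all(c in string.hexdigits for c in key):
        return WEP_HEX_LENGTHS[len(key)]
    return None


def check_wpa_passphrase(p: str, min_len: int = 13):
    """Return a list of problems; an empty list means the advice is met."""
    problems = []
    if not 8 <= len(p) <= 63:
        problems.append("WPA/WPA2 passphrases must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in p):
        problems.append("only printable ASCII characters are allowed")
    if len(p) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if not all(any(c in cls for c in p) for cls in classes):
        problems.append("missing upper case, lower case, digit or punctuation")
    return problems


def generate_passphrase(length: int = 24):
    """Return (passphrase, approximate entropy in bits), generated locally."""
    if not 13 <= length <= 63:
        raise ValueError("length must be between 13 and 63")
    while True:
        p = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Reject leading/trailing spaces: they are easily lost when typed
        # into a router or printer setup form.
        if p == p.strip() and not check_wpa_passphrase(p):
            return p, length * math.log2(len(ALPHABET))


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal network key: PBKDF2-HMAC-SHA1, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    print(wep_key_bits("0123456789"))                 # a valid 10-digit key
    print(check_wpa_passphrase("p@ssw0rrd"))          # the article's short example
    phrase, bits = generate_passphrase()
    print(repr(phrase), round(bits), "bits")
    print(derive_psk(phrase, "OfficeNet").hex())      # constructed SSID
```

Because the network name is the salt, the same passphrase yields a different key on a differently named network, and a passphrase published as an example anywhere should never be used as the real one.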

Reprinted with permission from the HP Small Business Center


5 ways to win the PC security battle

Yes, as you’ve doubtless heard umpteen times, even the smallest business is vulnerable to a PC or network security breach. But you can find some peace of mind simply by taking some preventive measures. Better yet, by taking action before an incident occurs.

IT consultants believe that the most effective data security policies are those that treat security not just as an IT problem but as an underlying business process. What good are firewalls, for example, if you don’t have a way for trusted business partners to access your network from a remote location? How effective is a software patch management service if telecommuting employees who are rarely in the office aren’t encouraged (or forced) to update?

Step one for any security strategy means getting your entire organization involved in the discussion. If you’re an IT type, find yourself a champion who has line-of-business responsibilities; someone who understands your company’s customers. If you know very little about technology but want to protect your company’s most precious intellectual property assets, find someone who can approach the problem both tactically and strategically.

“You can’t just put locks on the windows,” says Rory Sanchez, president of SLPowers, a security consulting services provider in West Palm Beach, Fla. “You need locks on the doors, bars around the windows, a dog in the yard. And, just in case, you need a shotgun by the bed.”

Five questions to guide your security soul-searching

Before his company even thinks about recommending specific products, it focuses on understanding potential customers’ business concerns, says Ralph Figueiredo, director of sales and business development for Aurora Enterprises, a data security consultant in Torrance, Calif.

Here are five questions that Figueiredo requires his sales team to ask business prospects. They may help to provide a logical framework for your own security soul-searching.

1. Who are your customers and business partners?

For Figueiredo, this question serves two main purposes. First, it helps him understand which data is most critical. For a services company like Aurora Enterprises, customer records are its most valuable assets. A manufacturing organization, however, might be more concerned about safeguarding certain pieces of intellectual property or product information. By asking about business partners, Aurora can determine how “virtual” a company’s business operations are. If a company relies on a large number of subcontractors who need network access to confidential information, the security architecture will take on a different shape.

2. How do you communicate information with customers and business partners?

This question helps gauge the sophistication of a company’s IT operations as well as the flow of information throughout an organization. Are communications mainly relegated to e-mail exchanges? Or do customers and partners interact through online portals that require a password for entry? If so, what information is created and kept there?

3. Is your business in a regulated industry?

The ramifications of a breach of security are more severe for some business segments than others. In certain states, such as California, certain types of companies are required to disclose certain sorts of security breaches publicly. Figueiredo says most businesses are understandably eager to avoid this sort of publicity. “No company of any size can afford for 25% of their customers to go elsewhere,” he says.

4. Does your company currently subscribe to a policy for physical/facilities security or any other access control guidelines?

The moment you block access to information, you have to list exceptions to the rule. If a small business has already considered a system for controlling physical access at its sites, this can serve as the foundation for a data security project. Your facilities manager (if this isn’t you) can help identify pitfalls and benefits that may help better make your case with those within your company who may need extra convincing on the budget side.

5. Do you know where confidential data is stored?

In the past year, we’ve all read countless examples of respected companies who deployed extensive network security strategies, only to have valuable records walk away via lost or stolen notebook computers loaded with unauthorized information. This is, in part, an access-control problem. It also suggests a need for better data management policies, the foundation for any workable security plan.

Five ways to be proactive

1. Make sure hardware — especially firewalls, networks and IP telephone systems — is configured properly.

At a minimum, invest in a firewall and antivirus software that stops viruses at the gateway into the network.

How many times have you heard about an insecure wireless network that was secured simply by readjusting or turning on the basic settings? The same goes for setting up network servers and firewalls: Hire a technical person who can install them properly.

“A lot of security simply has to do with proper configuration,” says Alex Zaltsman, partner and cofounder of Exigent Technologies, an IT consulting firm in Morristown, N.J.

“I think security concerns need to be part of every project you do in technology,” echoes Kevin Geiger, manager of network integration for Acropolis Technology Group, another IT consulting services company in Wood River, Ill.

Acropolis offers a managed maintenance and monitoring service that does just this behind the scenes, keeping track of changes to all devices across the network including servers, desktops and laptops, and making sure updates for firewalls are handled promptly. The updates are tested in a lab setting before being dispatched at a client site, and changes are made at night so there is a minimal impact on the company’s day-to-day operations.

Security breaches are easier to track this way. Consider the case of one Acropolis client who had his laptop swiped. Because the laptop could be monitored from a remote location using Acropolis’s service, law enforcement officials were able to trace the alleged thief when he logged on to the Internet using the stolen computer. Kind of like the LoJack system for cars. “It’s now possible to offer small businesses something that rivals what larger companies have,” Geiger says.

2. Standardize your operating system.

It’s simpler to manage your desktops and servers if they all have the same basic profile and software, rather than trying to keep up with a hodge-podge of different versions.

Zaltsman says it’s less important to have the latest operating system, but it is vitally important that the operating system being run by a small business be supported by the manufacturer. “For small businesses, as a matter of practicality, Windows is really the easiest thing to maintain and secure. Having a qualified person work on it is really the best way to secure it,” he says.

3. Invest in ongoing patch management procedures.

Of course, widely used operating systems are also those targeted most often by hackers who want to compromise your data security, infect your systems with all manner of malware such as viruses or spyware programs that capture information, or barrage your company with spam. Windows XP and Vista, by virtue of their installed base, are probably the most widely targeted operating systems.

No doubt, Windows 7 will be an attractive target for hackers. But Microsoft went to great effort to build security features into the new operating system. The company also offers a range of tools to protect your computers and network against the latest security threats.

4. Consider using “hosted” applications.

Although this option isn’t necessarily for everyone, some small businesses are exploring the notion of making data storage, and by extension data security, someone else’s problem by using application services and keeping software off their desktops. One example is e-mail. About 44 percent of small- and mid-size businesses handle messaging via a service, rather than their own server. Likewise, about 40 percent use a software service for customer relationship management, according to statistics from Forrester Research.

More software vendors, including Microsoft, now offer their applications as subscription services rather than packages you load onto your computer. “By opting for a service, you are offloading some of the risks,” says Geiger. “In theory, these services have all the right stuff on the back end to be hosted securely.”

5. Adopt an integrated approach to security technology instead of trying to plug holes one at a time.

Even if you can’t invest in security products you’d like, it’s best to consider individual components that work together well, from firewalls, encryption software and antivirus services to spam filters. That way, as you add different features over time, they won’t mess up what’s already installed. Those in the IT industry refer to this philosophy as unified-threat management. “When we recommend security products, we talk about a platform approach and we try to recommend things that work together,” says Figueiredo.

One example is data encryption, which can be handled at many different junctures: in e-mail, on servers, on desktop and laptop hard drives. If a company invests in different point solutions to handle each piece, its overall protection will likely be less effective than if it had considered technology that addressed these problems in an integrated fashion.

Reprinted with permission from the Microsoft Small Business Center by Heather Clancy


Why “Secure Encrypted Email” is necessary in today’s office.

Email encryption is crucial for any business that uses the internet for critical transactions. Corporate secrets and client information that is transmitted over the internet must be protected. In an age where anyone can intercept your information with a few clicks of a mouse, extra measures must be taken.

What exactly is email encryption? It is a security measure that is attached to your email that scrambles the information until it has reached its destination. What this does is prevent outsiders from receiving the information and using it for illegal purposes.

Businesses large and small benefit from the use of secure email but everyone is at risk when they have information transmitting over the internet. Cyber crime is the fastest growing criminal activity in the world. Extra precaution is necessary when sensitive data is transmitted. The interception of personal or product information can be devastating to a corporation.

Email encryption is required in many fields, such as the medical and financial industries. Because the data that is transmitted by these corporations contains protected privacy matters, companies in these fields must use an encryption service. Using encrypted email to protect your clients’ information will allow you to comply with all regulations in this area as well as instill a sense of security in your clients’ minds. Everyone realizes that a stolen identity can be a life-damaging experience. Clients will feel safe knowing your company takes every measure to protect their identity and information.

Email encryption is not hard to use nor is it expensive. Simple applications can be installed on your desktop or run from an internet-based server. Programs range from a simple encryption tool to a high-tech service that can scan every outgoing email for sensitive information and either block its delivery or send it encrypted. A business can safely and cost-effectively protect itself and its clients simply by using email encryption for all of its internet communications.

When it comes to simplifying your search for e-mail security, we can help. NMGI has many vendors to choose from and offers many benefits while keeping the system simple and affordable. You can exchange confidential information with business partners, patients, board members, and customers through highly secure e-mail.

So why is regular e-mail so unsafe? First of all, there is no encryption. When a regular e-mail travels the Internet through multiple, unknown servers, the contents are sent in clear text, vulnerable to eavesdropping and sniffing. In addition, those messages could be stored on various servers for an indefinite amount of time. Do you really want to shout your customers’ private information in a public forum?

Our encrypted email service uses end-to-end 256-bit AES encryption, so protected messages are encrypted before they leave the sender’s desktop, giving a very high level of security.

Second, there is no authentication. This means that one can send a message claiming to be whoever he or she wants. Just because a message says it’s from Mr. Smith doesn’t mean that he actually composed the message. He may have no idea that someone is forging his name and address.

Every user of the system must prove his or her identity when sending or opening a protected message. This ensures that only intended recipients can read a message, and verifies who the message is from.

And finally, there is no certification. Let’s say Mr. Smith sends you an e-mail. With regular e-mail, there is no way to confirm, when you receive the message, that the contents have not been changed. Using digital signature hashes, our service verifies that the contents of all messages have not been altered while in transit.

Depending on your line of business, you may fall under one or more government or industry regulations that require your company to take certain steps to secure electronic communications pertaining to your operation. If you are involved in the health care industry, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines how you must protect patient data. If you are in the financial services industry, the Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA) requires you to protect non-public personal information. There are many other regulations and industry expectations that may apply to you, and even if there weren’t any, you owe it to your customers and clients to protect their data. If you are not using an e-mail product that protects data AND authenticates users, you are at risk of running afoul of government regulations.

Network Management Group, Inc. (NMGI) Can Help

Call our team today to get the strongest possible security features with respect to both encryption and authentication, satisfying the legal and ethical requirements that you must address. Visit our site for more information about Secured Email.