Set a complex password and then you are completely safe. Unfortunately, it's not that simple. Maybe your password is not complex enough, you leave it lying around, you use it more often, you don't use a Password Manager or you shared it with your colleague. So you are not secure with passwords. But ... why not and how are you safe?
What are myths about passwords?
- Changing the password periodically is enough. This used to be recommended, but today it is no longer sufficient. In practice, people tend to use simpler passwords. If the password now is: Rotterdam21 (which is already weak), then after that it will be: Rotterdam21! and that is very easy to crack. Keep as a maxim: don't change your passwords until you think you've been hacked.
- MFA is neither necessary nor annoying. Of course, Multi Factor Authenticator takes some getting used to. Instead of just logging in with a username and password, you now also have an application that requires you to approve your login attempt. Fortunately, this gets used quickly and is really not as annoying as you might think. All you have to do is press "agree," whether on your smartphone or your Apple Watch.
This password is strong and unique. People are quick to think they have a good password, but what they don't know is that there are large databases of common passwords. Hackers can try as many as a few thousand combinations per second that way. Use LastPass to create good, strong passwords like 1rM6Lcc&IVrn$2 and where you can set the length and character types (letters, numbers and symbols) yourself. - Password reuse is okay. For logging into your work laptop, do not use the same password as for a web shop. If the database of that webshop gets out on the street, the attacker can try to log into the company where you work with that password. Curious if your data has ever been out on the street? Enter your e-mail address at www.haveibeenpowned.com. Chances are your data has been leaked at some point! Security as a process... what is it?
On our webpage on safety, we have listed some more risks.
What are Passwordmanagers and why do you need them?
LastPass is an example of a Password Manager. This is a kind of password vault where you can safely store all your usernames and passwords. You can only enter it with a master password. Once you are logged in, you can log in to websites very easily because they are already filled in automatically. Much more convenient but also more secure.
As a business, there is a very useful part of Passwordmanagers: password sharing. This allows you to easily share login credentials for certain websites. Think of the social media login details for the marketing team. You can then set it up so they can't see the password, but they can still log in. And is someone leaving the team or off duty? Then you can easily revoke access. That way you can keep control of what passwords go outside the organization. Much more organized and secure.
Why is it important to go "passwordless"?
Well, you now know what to believe and what not to believe about passwords. May be clear that just having a strong password won't get you there. So MFA, a password vault or Password Manager is already a lot more secure. But we go one step further: we go passwordless.
In our blog "a life without passwords," we talked briefly about logging in without a password. This is both more secure and easier than a password safe (even though that is also a reasonably secure option). You no longer have to enter your password, which also means it can't leak. It is also finer or easier because you can simply log in with an application. You have to invest some time once to set up the app, but after that, it's all super easy. At least - simple for you, but not for malicious people.
What we often hear is the concern about changing or breaking your phone. Then you won't be able to log in either. Fortunately, there are two simple solutions to that:
- Turn on your backup. This will backup the authentication codes and make it easy to restore everything when you switch phones.
- Store everything, on a third device. For example, use your tablet or another phone as an authentication device. Then when something goes wrong with your device, you can still log in this way and recover codes if necessary.
I can't see the forest for the passwords....
So with passwords you are insecure, and now you know how to do it. But taking the steps isn't so easy. Where do you start? Which IT solution is right for your company? IT is a people business, so how do you get people on board? Fair questions. Feel free to contact us to express your concerns and we'll take a look with you.
We provide IT services and products for the SME! We combine our passion for IT with knowledge and experience to help your business perform in a secure way. We work according to the 'secure by design' principle, whereby the IT security of your environment is central to every process, service or product.
Do you also want to outsource your IT?
Frequently asked questions about security
Is your question not listed? 1 email or 1 phone call is enough to get it answered. 010-2121806 | info@limenetworks.nl
We can make your staff aware of risks and risky behaviour. For security awareness we can give your staff a training (external or internal) with a partner who has experience in this. In addition, optionally a tool can be delivered to the workstations that measures knowledge, keeps it up to date and reports to the responsible persons. This way, you get a continuous improvement in risk awareness and avoidance of risky behaviour.
Yes and no. Cloud in itself has no security. Apart from the fact that on the outside (and sometimes on the inside) it is not visible what the physical location of your data is in the whole. But the more fish in the sea, the more fishermen on the water & the bigger the fish, the more effort one puts in to catching it. So it is with valuable data. So a cloud service is a valuable object for hackers because of the large amount of data. Your network is much less interesting.
Wrong. IT is complex and securing it is even more so. So it takes time, knowledge and skill to make you work in it safely - mostly in the background so you don't notice. 20 years ago, passwords were rare. 10 years ago, everyone knew some colleagues' passwords. 5 years ago, MFA was known but little used in SMEs. And we are only talking about passwords. We make IT simple for customers so that secure working becomes feasible and we can minimise your risks.
Retention literally means "to hold on to". With data and backups, retention is a very important factor. It is not only about retaining your data, but also about how much your data changes. If you have a backup every month and keep it for a year, this means that the retention goes back a maximum of a year and can result in a month's loss of data. It seemed like a good plan, but in practice it is not enough. Different backup strategies can make your data retention perform a lot better. In the Netherlands, SMEs are required to retain data that is directly linked to the added value of their products or services for at least 7 years. A backup of no more than 7 years is a big disappointment.
Working safely is a top-class sport. But your employees are not all top sportsmen. It is a complex problem that cannot be solved just like that. Your company has to deliver and your people have to perform. So you need help from someone with experience and focus on safe working. A reliable IT party can be a good starting point. They arrange the basics and help you further with safety, where necessary specifically in your company. For example, with procedures for staff turnover or the physical security of your company.
How secure you work can be measured. With a technical security test or pen test you can always look for weak spots in the security of your IT equipment, software and network. But also your website or developed application can be extensively tested. You can also have a procedural security test carried out. This has little to do with IT; it means testing how secure the actions are within your company. In other words: are your procedures in order?
Call your IT manager. These people will (probably) know what to do, provided they are familiar with the matter. Calling in your IT party, internal or external, is the first step. They will find out where the hack took place, know how to stop it immediately or cut it off and make sure the damage is limited as much as possible. You also want to secure data about the hack, such as log files of servers, network equipment, etc. This way you can also find out what went wrong or discuss this with a specialised security company (e.g. Northwave). This may also be important to see how you can prevent further security breaches and your insurance may ask about it.
Yes, it is. It's all about the purpose of your data and its security. It can range from a data room for sharing data with multiple parties for a company takeover - but also setting up labels on data in Office 365 so that your company and your data are compliant for regulatory or legal purposes. Above all, you must be able to work safely. Efficiently without being at risk.
Very secure. They do this by securing data storage and sending data. LastPass secures your data, sends it encrypted, stores it encrypted and lets you use MFA to use this data. So your login credentials and data are absolutely safe in this procedure. In addition, they have a clear bounty program for bugs, allowing you and other users to report bugs immediately. So LastPass does not sit idle until something goes wrong but works continuously on improvements to optimize security.
We believe that customers should own the IT that they have. We make customers aware of the risks they run and the solutions that are available to them. Of course, we point this out and indicate where things could possibly go wrong if you make other choices. We choose to work safely, but we understand your choices. That is how we work together and share knowledge and experience.
Every customer request that has to do with security or rights to data/systems is always discussed with the person in your organisation who is authorised to do so. This may be a member of the board, an IT manager or another director. This way, this is neatly recorded and controlled. This prevents someone from borrowing someone else's password, temporarily accessing a colleague's mailbox or giving an external person access to the CRM software without this being desirable.
Take a network, for example. If you build and manage a network, you have to standardise on security. By minimising the number of variations in the number of solutions, you can spend more time on testing, settings, basic configurations with optimal security, documentation. Also, different configuration options for customers are now much better researched and easier to support and secure. We research different security options and engage third parties to verify them. A setup that is properly standardised and configured reduces security risks and makes installation in the office much faster. We then provide controlled and timely updates to the software and settings. We monitor and measure what happens on your network. This way, it is easier to see when things go wrong. Separating guests, customers and non-company equipment from the company network is also essential to prevent abuse. We regularly review and adjust security for all customers in a single operation through central control. Finally, configurations are neatly stored and backed up. This way, you can immediately install replacement equipment if things ever go wrong. Secure by design' is not a method or a set of measures. It has to be in your DNA. This is how we at Lime Networks make the most complex IT simple.
The AVG is for personal data. In other words, data that you store or process that is directly related to people. Think of name and address data with bank account numbers or, for example, data about sick leave, insurance, remuneration, etc. That you have this data or process it is not the problem. But not thinking about who can see it or who can provide access to it or how it is stored and backed up, that's exciting. By thinking about this and gaining insight, you can design adequate processes.
It is an anagram that hones in on the amount of effort required. Everyone can jog for a while, some a little farther than others. But the marathon within 3 hours is already pretty tough. Practice, training, technique, good gear, experience takes years to achieve. It's the same with Safe Working. It's not setting up a firewall and installing antivirus. We are years past that stage. With this seriousness, you may also recognize that you don't have time, business-wise, to do top-notch engineering yourself, and turn to us for these things. We are trained, experienced and go for the medal so you can work safely.
That is a sober approach. But with your data, your company or others may be considerably disadvantaged. So always pay attention to how and where you share data.
If you are asked to log in somewhere, do not click on the link in the e-mail. It is that simple. If it's about banking, go to your bank's website and check the message service there. If it's about your documents online from a cloud service, go to your own login page that you know and log in there. If it's about a service from a customer, you can call them to confirm. Never log in with your own data, but only with the data they have provided. This prevents you from clicking on wrong links, accepting wrong proposals or downloading programs or giving permission that is malicious or illegal. It ensures that you are smart.
Take the example of Maastricht University in December 2019. Then a hack with a nasty piece of software rendered the entire university network with most of the server structure and workstations unusable. What was the damage:
- FOX-IT was called in on weekends, Christmas, New Year's Eve etc. to investigate and share knowledge with the hack, its clean-up and how to recover.
- A very large proportion of the computers had to be reinstalled. These computers also had to be checked for traces of the virus in parts that you cannot easily see (bios or secret partitions on the hard disk/SSD drive).
- Almost all production servers and backups locally became unusable. Only reinstallation was going to help for the recovery.
- A ransom was paid to the hackers to decrypt the network structure/Active Directory (the Volkskrant speaks of tons of ransom).
- A large part of the servers had to be reinstalled and data from backups had to be restored where possible.
- In-house and external employees spent many days doing all the repairs... This also happened during the December holidays.
- The damage to image was enormous. As a company, something like this can also cost many customers or scare off investors.
- One backup is no backup.
- Make sure you have at least three copies of your data, in 2 different locations, one of which is minimally secure.
- Check regularly that it really works and the data can be restored.
Not always. Sometimes backups also get infected or are not sufficient to get back to work quickly. How much data do you lose? What is the recovery time? How bad is it if the whole company can't work for 24 hours... or maybe longer? Dealing with retention is also important. If you were hacked last week and the consequences only become visible today, do you have enough backups/retention to look back into the past? An employee who left the company last year and deleted or compromised data is also a hack. Can you go back a year with your backup? Finally, you also need to have a plan if things go wrong and see how quickly you can get back on your feet. A continuity plan helps with that.
Then, of course, we are here for you as well. Suppose you are hacked, for example, we immediately make sure that the attack is stopped and that log files and traces are preserved as much as possible. This allows us to see the impact of the attack and what data may have been captured. This often helps in the process of understanding or with insurance. We work with standard procedures where we work on a similar methodology to resolve issues. It can also be valuable with forensics. It would be annoying if a hack (without data being captured) leads to an apology letter to all your customers or suppliers and image damage.
You don't have to. With Bitlocker you can neatly secure the data on your laptop against theft. A stolen laptop is no problem this way and data stays safe. Did you know that we can remotely erase your data in case of theft, provided your stolen laptop or phone is connected to the internet? The decryption codes are stored by us in your business environment so that in case of an emergency or hard disk replacement, the data can be safely read again.
At Lime Networks we work according to the ISO 27001 standard. This means that we have thought about physical and virtual security and have actively set up our processes accordingly. This is improved annually and checked by the TüV. You can read more about ISO here: https://limenetworks.nl/iso We use our knowledge of IT and security to make your environment as safe as possible. From your workplace, your fixed and Wi-Fi network, your servers, smartphones and cloud services.
With MFA you have two ways of identification. This often comes down to login details (username and password) and a code via an app on your smartphone. Someone who has stolen your login details still can't log in to systems or services, because this also requires the code from your smartphone. Have you or your company/supplier been hacked? Then this need not be a problem. We use Microsoft Authenticator for this. The extra login codes are not your own systems but open. With the Microsoft app, you can therefore also set MFA on your Gmail account, your bank, Office 365, supplier of crypto currency or your Apple ID. It is a generic standard.
LastPass provides a safe place for storing passwords, a kind of password vault that you can only access with a master password. It also helps you in your daily work with logging into websites and services. It works on your desktop PC or laptop and on your smartphone. It is free to use. It allows you to work securely with complex passwords so that this becomes very difficult. The paid variant is also useful for business purposes. You can create and manage accounts for a supplier or a social media account, for example, and share these with colleagues or external parties. They can log in (via their free LastPass account) and not see the password, but they can use it. If the account is no longer relevant to others, you can withdraw the permissions individually without having to change passwords.
This is trickier than you think and cannot be put into words in a few sentences. However, we did write a blog about it and you can find it here. https://limenetworks.nl/spam-of-phishing-mail-herkennen-voorkomen-en-oplossen
You can start by being aware that you want to work safely. This question has succeeded, so let's mention the next easy steps right away. Use legal software! Make sure you have a good antivirus/antimalware solution on your PC (pay for it too; no freebies). Always make sure you have the most recent versions and updates for your system and software. Also make sure you have the latest security patches and updates. Use a password manager (like LastPass; free for private use) and do not use the same passwords for different systems and accounts. Use MFA (multi factor authentication) for all services/accounts that are online. We are far from there yet, but with these measures you are not a low-hanging fruit for hackers and certainly not for the majority of online crime.
Working safely is our top priority. It is not a core value, but an aorta that runs through our company. With 'secure by design', we continuously ensure that our products and our own internal processes are based on Safe Working and are also designed safely. The customer is our focus. We make complex IT matters simple; security and Safe Working are the basis for this.
If we assume a safe workplace, then keeping it safe is a serious task. Most importantly, the workplace should always be up-to-date. For the OS, hardware, installed programs, antivirus/antimalware. By using Bitlocker and MFA, we make sure access is difficult. With policies for the firewall and by using monitoring we keep a tight rein on things.
We are Microsoft Gold Partner in three areas, for which the employees of Lime Networks have successfully completed many training courses and for which current customer cases have been approved by Microsoft. In addition, there are many certifications in the areas of security, voice, networking and the like. We work according to the guidelines and standards of our suppliers. Our ISO 27001 certificate without comments also ensures the correct working method and attitude.
With 'secure by design', every choice of product or service is considered in terms of its implications for the IT security of your environment. This means that the highest security requirements are taken into account, such as encryption, MFA, AVG, access control, etc. This ensures that we always stand behind our products and we know about data security and availability.
