True North Networks Blog

True North Networks has been serving the Swanzey area since 2002, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

How hackers used little-known credit-card feature to defraud woman, $1.99 at a time

Whoever stole Leslie Robison's credit card number could have bought a new computer, a flat-screen TV, or an expensive trip overseas.

Instead, the thief tried to scam her just two bucks at a time.

In January, Robison discovered more than a dozen charges at $1.99 each from Google for hundreds of gigabytes of cloud storage she never ordered. She called her card issuer, Capital One, which refunded her and mailed a new card. But the charges returned each month through May, even as Google said it shut down the fraudulent account and Capital One sent more cards, Robison said.

In the end, she was billed 64 times totaling $127.36 on six cards over five months, according to credit card records. The charges didn't stop until she canceled her account.

Robison, 61, of Lansdale, Pa., is the victim of a trend in credit card fraud in which criminals buy cheap, recurring digital subscriptions that largely go unnoticed by banks and consumers. Meanwhile, major companies now automatically receive updated credit card details when a customer's card is lost or stolen, so recurring charges don't stop. Thieves seize on that service to continue their frauds even when consumers get new cards, cybersecurity experts said.

"It's exasperating and it feels invasive," Robison said. "It feels like someone is robbing your house and everyone knows who it is but you, and you can't stop it."

Making matters worse was Capital One's apparent inability to end the fraud. According to Robison, Capital One claimed only Visa could stop the charges because it offers merchants the account updater service. But Visa said it doesn't update an account without a request from the customer's issuing bank, suggesting Capital One was responsible.

In a statement, Capital One said it made an "administrative error."

"Our agents should have recognized the alternative process of getting the customer's consent to be removed from the updater program," said Capital One spokesperson Amanda Landers.

"Capital One has now resolved this for Ms. Robison and we recognized with her the inconvenience this caused, especially given the updater program typically is found to be very convenient for customers," Landers said in a separate email.
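
The pattern this article describes, small recurring charges that follow the cardholder onto each replacement card, can be written as a detection rule. The following is an added example, not code from the article or from any card issuer; the record layout, the merchant names and the 500-cent threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Charge:
    account: str       # stable account id; survives a card reissue
    card: str          # last four digits; changes on every reissue
    merchant: str
    amount_cents: int
    day: date


@dataclass(frozen=True)
class Dispute:
    account: str
    merchant: str
    day: date


def flag_updater_carryover(charges, disputes, max_cents=500):
    """Flag merchants whose small charges resume on a replacement card
    after the account holder disputed that merchant as fraud."""
    # Earliest dispute per (account, merchant) marks the cut-off date.
    first_dispute = {}
    for d in disputes:
        key = (d.account, d.merchant)
        if key not in first_dispute or d.day < first_dispute[key]:
            first_dispute[key] = d.day

    cards_at_dispute = defaultdict(set)   # cards the merchant held before the dispute
    carried = defaultdict(list)           # charges that followed onto a new card
    for c in sorted(charges, key=lambda c: c.day):
        key = (c.account, c.merchant)
        if key not in first_dispute:
            continue                      # never disputed: ordinary recurring billing
        if c.day <= first_dispute[key]:
            cards_at_dispute[key].add(c.card)
        elif c.amount_cents <= max_cents and c.card not in cards_at_dispute[key]:
            # Small charge, after the dispute, on a card number the merchant
            # was never given directly: the credential was carried over.
            carried[key].append(c)

    return [
        {
            "account": account,
            "merchant": merchant,
            "cards": sorted({c.card for c in hits}),
            "charges": len(hits),
            "total_cents": sum(c.amount_cents for c in hits),
        }
        for (account, merchant), hits in carried.items()
    ]


# Constructed sample: one disputed low-value subscription and two
# legitimate subscriptions that also continue across reissued cards.
SAMPLE_CHARGES = [
    Charge("A1", "1111", "GYM-EXAMPLE", 2999, date(2019, 1, 3)),
    Charge("A1", "1111", "STORAGE-SUB-EXAMPLE", 199, date(2019, 1, 5)),
    Charge("A1", "1111", "STORAGE-SUB-EXAMPLE", 199, date(2019, 1, 12)),
    Charge("A1", "2222", "GYM-EXAMPLE", 2999, date(2019, 2, 3)),
    Charge("A1", "2222", "STORAGE-SUB-EXAMPLE", 199, date(2019, 2, 6)),
    Charge("A1", "2222", "MUSIC-EXAMPLE", 499, date(2019, 2, 10)),
    Charge("A1", "3333", "STORAGE-SUB-EXAMPLE", 199, date(2019, 3, 6)),
    Charge("A1", "3333", "MUSIC-EXAMPLE", 499, date(2019, 3, 10)),
    Charge("A1", "3333", "STORAGE-SUB-EXAMPLE", 199, date(2019, 3, 20)),
]
SAMPLE_DISPUTES = [
    Dispute("A1", "STORAGE-SUB-EXAMPLE", date(2019, 1, 20)),
    Dispute("A1", "STORAGE-SUB-EXAMPLE", date(2019, 2, 15)),
]

if __name__ == "__main__":
    for alert in flag_updater_carryover(SAMPLE_CHARGES, SAMPLE_DISPUTES):
        print(alert)
```

The undisputed subscriptions are ignored even though they also move from card to card, so the rule keys on the dispute rather than on the carry-over itself.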


SEC 'guts' RIA industry with a footnote, degrading fiduciary duty

A single word change has upended wealth management.

By substituting an “and” for an “or” in a footnote last week, the SEC watered down the meaning of investment advisors’ fiduciary duty to clients. The change prompted sharp criticism from multiple quarters, including the commission’s own investor advocate, and left industry insiders bewildered.

“It guts the RIA industry,” says Brian Hamburger, founder of MarketCounsel, a regulatory compliance consulting firm. “RIAs are not fiduciaries anymore.”

As part of the Regulation Best Interest rules package, the SEC revised its interpretation of an RIA’s fiduciary duty. Previously, advisors had to seek to avoid conflicts of interest and make a full disclosure of all material conflicts of interest. The SEC changed the “and” to an “or.”

That alteration “weakens the existing fiduciary standard by suggesting that liability for nearly all conflicts can be avoided through disclosure,” SEC Investor Advocate Rick Fleming said in a statement critiquing the rulemaking package.

“I do not believe this is what an investor would reasonably expect from a fiduciary, nor does it align with the ways that real-world investment advisors tend to view (and describe) their fiduciary obligation,” Fleming said.

The broader implications could be far-reaching. If, over time, the fiduciary downgrade erodes the quality of service provided by the RIA industry, as numerous experts predict, it could depress the value of all RIAs. Client assets for RIAs, including hybrids, grew at a compound annual rate of 8.6% from 2007 to 2017 compared to 4.1% for broker-dealers, including independent broker-dealers and insurance advisors, according to Cerulli. Many industry insiders credit this fast growth as stemming from the high legal standard the commission has required of RIAs. But the SEC’s revision could undermine independent advisors’ advantage in the marketplace.

The commission has rendered the definition of fiduciary "meaningless," says Barbara Roper, director of investor protection at the Consumer Federation of America.

In his own statement, the one commissioner who dissented from the majority in the vote, Robert Jackson, writes that, "the commission today concludes that investment advisors are not true fiduciaries."

Chairman Jay Clayton, who along with two other commissioners voted for the change, asserts otherwise, describing the new guidance as "reaffirming — and in some instances clarifying — the fiduciary duty investment advisers owe to their clients."

“This rulemaking package,” Clayton says in the SEC’s announcement, “will bring the legal requirements and mandated disclosures for broker-dealers and investment advisers in line with reasonable investor expectations, while simultaneously preserving retail investors’ access to a range of products and services at a reasonable cost.”

Indeed, the overall rules package passed last week, which included Regulation Best Interest and Form CRS, placed a heavy emphasis on disclosure.

The inescapable problem with disclosure, long demonstrated in academic studies, is that it does not protect investors from advisors bent on harming them, experts say.

"We all know consumers read glossy sales literature and not disclosure documents that are dozens and hundreds of pages long with dense language written by lawyers," says Ric Edelman, co-founder of Edelman Financial Engines, one of the largest RIAs in the country with about $200 billion in client assets under management. "Clients accept the verbal assertions of their advisor rather than reading prospectuses. It is therefore essential that the advisors be required to behave as fiduciaries, rather than disclose away behaviors that are not in the best interests of their clients."

Edelman calls the commission’s revision Orwellian. "This is doublespeak and this is very worrisome that the government has overtly created a confusing landscape that will only serve to harm investors," he says.

In response, the SEC provided the following statement: “Our rules and interpretations are designed to enhance the quality and transparency of retail investors’ relationships with investment advisors and broker-dealers, and preserve access (in terms of choice and cost) to a variety of types of advice relationships and investment products. ... Our fiduciary interpretation in no way weakens the existing fiduciary duty; rather, it reflects how the commission and its staff have applied and enforced the law in this area.” The commission did not elaborate when asked how a change that makes the mitigation of conflicts of interest voluntary either preserves or strengthens RIAs' fiduciary duty.

By opening the door for RIAs to legally introduce conflicts of interest into their practices, the whole RIA space runs the risk of falling prey to the Market for Lemons economic phenomenon, says Benjamin Edwards, associate professor of law at the University of Nevada’s law school in Las Vegas.

Market for Lemons is a foundational work of Nobel Prize-winning economic research that demonstrates how, in a market for used cars, when consumers have no way to determine the quality of the vehicles, they discount the price for all vehicles they buy, to account for the risk of buying a lemon.

"As this happens, it drives down the quality of the goods in that marketplace to the point where all you have left is lemons," Edwards says. "If people can't distinguish between good advice and bad advice, you will gradually see bad advice take over the market."

The SEC's position on this subject springs from a fundamental misunderstanding of the limits of disclosure's effectiveness, Edwards says. "The SEC tends to fetishize disclosure because it's so important for public companies, [but] nothing like that can operate in the financial advisor space ⁠— it's a misplaced disclosure fetish."

When it comes to public company regulation — a core responsibility of the commission — large, well-funded industry players such as mutual fund companies, hedge funds and research giants like Morningstar minutely dissect disclosures to derive valuable insights. Many investors then buy products and services, often guided by insights gleaned from those disclosures, Edwards says.

But wealth management is a different beast. Disclosures given to clients are unlikely to face the level of scrutiny and expertise conducted by research firms and mutual fund companies. When the SEC leaves the analysis to retail investors — who, even if they had the time to read through volumes of disclosures, lack the background to understand them — the value of any transparency evaporates, Edwards says.

The SEC has been blinkered before about the impacts of its rulemaking, says Dave Yeske, co-founder of RIA Yeske Buie in San Francisco.

That's why the FPA sued the SEC in 2004, after the commission proposed an exception to the Investment Advisers Act for brokers. For a number of years, the exception allowed brokerages to receive fees for offering financial advice on retirement accounts despite the fact that they were not fiduciaries, says Yeske, who was chairman of FPA’s national board at the time.

The SEC move was well-intended, he thinks, surmising that commissioners thought it would reduce brokers' tendency to churn client accounts for higher commissions.

But they overlooked different ways the exception enabled brokers to self-deal in those accounts, according to Yeske, such as selling clients in-house products for high commissions. A federal appeals court overturned the SEC’s exemption for brokers in 2007.

Edwards says he expects to see legal challenges to the SEC's new regulation, in much the same way that the brokerage industry killed the Department of Labor's fiduciary rule by challenging it in court.

The SEC has already faced a bevy of criticism. AARP lambasted the commission, saying the rulemaking “weakens the interpretation of the Investment Advisers Act, undercutting decades of accepted practice.”

Yeske wonders, "Who the hell ever thought we'd ever see the Investment Advisers Act under such assault?"


Five emerging cybersecurity threats you should take very seriously in 2019

Ransomware isn’t the only cyberthreat your business will face this year. Here are five emerging threats that leaders need to know about.

The cyberthreat landscape continues to evolve, with new threats emerging almost daily. The ability to track and prepare to face these threats can help security and risk management leaders improve their organization's resilience and better support business goals.

The number of high-profile breaches and attacks making headlines has led business leaders to finally take cybersecurity seriously, said Sam Olyaei, senior principal and analyst at Gartner.

"Today, not only are business leaders and the business community understanding cybersecurity, they know it's important to their business outcomes and objectives," Olyaei said. "The problem is, there is still a lack of understanding as to why it's important."

Firms must work to bridge the gap between communicating the technical aspects of cybersecurity and the business outcomes, such as customer satisfaction, financial health, and reputation, Olyaei said.

Keeping track of new threats and not just established ones like ransomware is key for a strong security posture, said Josh Zelonis, senior analyst at Forrester.  

"Whenever we develop our strategies for how we're going to protect our organizations, it's really easy to look at things that you're familiar with, or that you have a good understanding of," Zelonis said. "But if you're not looking ahead, you're building for the problems that already exist, and not setting yourself up for long-term success. And that is really the number one reason why you need to be looking ahead -- to understand how attack techniques are evolving."

Here are five emerging cybersecurity threats that business, technology, and security leaders need to take seriously this year.

1. Cryptojacking

Ransomware has been one of the biggest threats impacting businesses in the past two years, exploiting basic vulnerabilities including lack of network segmentation and backups, Gartner's Olyaei said.

Today, threat actors are taking the same ransomware variants previously used to encrypt data and hold an organization's resources or systems to ransom, and using them to mine for cryptocurrency -- a practice known as cryptojacking or cryptomining.

"These are strains of malware that are very similar to strains that different types of ransomware, like Petya and NotPetya, had in place, but instead it's kind of running in the background silently mining for cryptocurrency," Olyaei said.

The rise of cryptojacking means the argument that many SMB leaders used in the past -- that their business was too small to be attacked -- goes out the window, Olyaei said. "You still have computers, you still have resources, you still have applications," he added. "And these application systems, computers, and resources can be used to mine for cryptocurrency. That's one of the biggest threats that we see from that standpoint."

2. Internet of Things (IoT) device threats

Companies are adding more and more devices to their infrastructures, said Forrester's Zelonis. "Organizations are going and adding solutions like security cameras and smart container ships, and a lot of these devices don't have how you're going to manage them factored into the design of the products."

Maintenance is often the last consideration when it comes to IoT, Zelonis said. Organizations that want to stay safe should require that all IoT devices be manageable and implement a process for updating them.  

3. Geopolitical risks

More organizations are starting to consider where their products are based or implemented and where their data is stored, in terms of cybersecurity risks and regulations, Olyaei said.

"When you have regulations like GDPR and threat actors that emerge from nation states like Russia, China, North Korea, and Iran, more and more organizations are beginning to evaluate the intricacies of the security controls of their vendors and their suppliers," Olyaei said. "They're looking at geopolitical risk as a cyber risk, whereas in the past geopolitical was sort of a separate risk function, belonging in enterprise risk."

If organizations do not consider location and geopolitical risk, those that store data in a third party or a nation state that is very sensitive will run the risk of threat actors or nation state resources being used against them, Olyaei said. "If you do that then you also impact the business outcome."

4. Cross-site scripting

Organizations struggle to avoid cross-site scripting (XSS) attacks in the development cycle, Zelonis said. More than 21 percent of vulnerabilities identified by bug bounty programs are XSS areas, making them the leading vulnerability type, Forrester research found.  

XSS attacks allow adversaries to use business websites to execute untrusted code in a victim's browser, making it easy for a criminal to interact with a user and steal their cookie information used for authentication to hijack the site without any credentials, Forrester said.

Security teams often discount the severity of this attack, Zelonis said. But bug bounty programs can help identify XSS attacks and other weaknesses in your systems, he added.

5. Mobile malware

Mobile devices are increasingly a top attack target -- a trend rooted in poor vulnerability management, according to Forrester. But the analyst firm said many organizations that try to deploy mobile device management (MDM) solutions find that privacy concerns limit adoption.

The biggest pain point in this space is the Android installed base, Zelonis said. "The Google developer site shows that the vast majority of Android devices in the world are running pretty old versions of Android," he said. "And when you look at the motivations of a lot of IoT device manufacturers, it's challenging to get them to continue to support devices and get timely patches, because then you're getting back to mobile issues."

Organizations should ensure employee access to an anti-malware solution, Forrester recommended. Even if it's not managed by the organization, this will alleviate some security concerns.


5 Reasons Your Organization Needs to Adopt a Zero Trust Security Architecture

Traditionally, network architectures were designed and secured according to the "castle-and-moat" model. Like a medieval fortress, an enterprise data center was imagined to have impregnable and unbreachable walls. All traffic entering or exiting would pass through a single access point, where a security gateway appliance would sit, like a knight in shining armor. This device would police the network traffic on a packet-by-packet basis, allowing traffic it deemed ‘safe’ unrestricted access to the network’s trusted interior.

Although this model is as outdated as chain mail is for 21st-century military combat, its legacy endures in assumptions and presuppositions that can prevent business decision makers from choosing the most effective cybersecurity tools and solutions for today’s complex threat landscape.

Zero Trust was initially proposed by Forrester Research in 2010. It is a paradigm designed to counter outdated ways of thinking about network security by providing a new model that’s better suited for today’s distributed, diverse, data-centric architectures.

The Zero Trust model is centered in the core concept of "never trust, always verify," and the goal of adopting a Zero Trust architecture is to eliminate internal "trusted" zones within the network and instead make security omnipresent throughout the digital business ecosystem.

Here’s why this is so important right now.

No. 1: Network architectures no longer have a single point of ingress/egress that can be monitored and controlled

With the rise of cloud-based services and increasing numbers of employee-owned, mobile and the internet of things (IoT) devices connecting daily, the idea that networks have fixed perimeters has become largely meaningless. The shape and configuration of an enterprise network are in constant flux, as different combinations of devices access various services from moment to moment.

Nearly half of all enterprise workloads already run in the cloud, and researchers estimate that as many as 94 percent will be processed in cloud data centers by the end of 2021. As increasing numbers of business processes rely on cloud-based computing power, the idea of an internal "trusted" network makes less and less sense.

No. 2: Credential theft is an enormous problem today

According to recent reports, stolen credentials or misused privileges were used to gain access to network resources in more data breaches last year than any other method. And credential theft has held this spot -- as the No. 1 threat action successfully employed in breaches -- consistently for the past 10 years straight. And, the volume of phishing email observed by researchers continues to increase.

Needless to say, perimeter-based defenses are utterly ineffective against these sorts of attacks. Once an attacker has access to privileged credentials, they’re free to move laterally across the network at will, unless continuous traffic monitoring is in place that can alert on these anomalous activities, or multi-layered access controls require a second type of authentication.

No. 3: Employee error remains the most common cause of data breaches

In one recent survey, examining cases of unauthorized exposure of regulated data (such as protected health information or credit card numbers), 92 percent of incidents and 84 percent of breaches were due to "inadvertent" or "unintentional" actions. It’s reality: we’re all human, and we make mistakes.

Zero Trust architectures that include multi-layered defenses and data-loss-prevention (DLP) solutions can help mitigate these risks. Perimeter-based defenses cannot.

No. 4: Traditional firewalls and legacy anti-virus/anti-malware solutions cannot stop all threats

Simply put, these products don’t offer adequate defenses against today’s emerging and increasingly sophisticated file-based threats. With more than 350,000 new types of malware being unleashed daily, even the best signature-based endpoint protection platforms cannot be relied on to catch them all.

When you’ve implemented a Zero Trust architecture, you should have resilient, layered defenses in place to ensure attackers who have evaded your endpoint-based detection mechanisms cannot have free access to your computer’s or other devices’ resources on the network. Adopting a "never trust, always verify" mindset also means seeking out solutions that will prevent unknown files from executing or making changes in your environment.

No. 5: Zero Trust presents a solid foundation for robust, resilient security architectures

Adopting a Zero Trust framework doesn’t mean you need any particular tools or solutions. It does mean that you need to change how stakeholders throughout your organization think about information security risks and how they collaborate to bring about meaningful change.

If you design multiple layers of protection into your infrastructure’s backbone -- and make sure the most effective technologies, like cloud-based verdicting for all unknown files, are among the solutions you’ve chosen -- you’ll vastly decrease your chances of experiencing a significant breach.


Unsecured database exposes 85GB in security logs of major hotel chains

An unsecured database that exposed the security logs -- and therefore potential cybersecurity weaknesses -- of major hotels including Marriott locations has been uncovered by researchers.

VpnMentor researchers Noam Rotem and Ran Locar published their findings on Thursday, noting that multiple hotels have been embroiled in the security incident.

The team, including co-founder of vpnMentor Ariel Hochstadt, uncovered the problematic server on May 27, 2019, while using port scanners to map areas of the Internet.

The server has been connected to Pyramid Hotel Group, a hotel and resort management company.

Pyramid says on its website that the company "provides superior operations, owner relations, and support services to its assets and investors."

The firm manages hospitality and resort properties in the US, Hawaii, the Caribbean, Ireland, and the UK. These properties include 19 Marriott locations, Sheraton hotels, Plaza resorts, and Hilton Hotel properties, alongside a number of independent hotels.

The unsecured server, which has an Elasticsearch database instance on port 9200, allowed unrestricted access to security audit logs generated by Wazuh, an open-source intrusion detection system.

In total, 90 properties are listed publicly by Pyramid as clients, but the server found by vpnMentor appears to include data relating to 96 locations.

Marriott property Aloft Sarasota is one of many, and while the database does not contain clear names on each record, Tarrytown House Estate (New York), Carton House Luxury Hotel (Ireland), Aloft Hotels (Florida), and Temple Bar Hotel (Ireland) were all identifiable.

The unsecured database exposes a vast array of sensitive data belonging to the security systems of these properties. In total, 85.4GB of security audit logs were exposed. 

"From what we can see, it's possible to understand the naming convention used by the organization, their various domains and domain control, the database(s) used, and other important information leading to potential penetration," the researchers say. 

According to samples obtained by vpnMentor and viewed by ZDNet, the information exposed appears to stem back to April 19, 2019.

Information including server API keys and passwords, device names, IP addresses of incoming connections, firewall and open port data, malware alerts, restricted applications, login attempt records, application errors, and both brute-force attack detection and malware infection logs are all included.

In addition, vpnMentor says that data belonging to hotel employees, such as their full names and usernames, local PC names and addresses, server names and operating system details, cybersecurity policy details, and a variety of other cybersecurity-related information was all made available for public viewing.

"Most times, you get users' data that leaks," Hochstadt told ZDNet. "Here, one can argue that users' data wasn't leaking. But it is like saying 'no-one forgot his wallet and no money was stolen' when the real fact is that 'the police left the evidence room open and the internal guidebook on all the undercover policeman names and addresses, and someone can now create huge damage with this data and steal a million wallets.'"

In other words, threat actors with access to the security logs would be able to understand the inner workings and security practices of the impacted properties, viewing locations in the same manner as internal security teams and potentially learning of vulnerable systems ripe for future attacks.

"This data leak is disclosing information that is private, secret, and would typically be for the eyes of an internal-team or MSSP only," vpnMentor says. "The irony is that what's being exposed is from a system that is meant to protect the company from such vulnerabilities."

Not only does such a leak expose clients to potential cybersecurity attacks, but to make matters worse, vpnMentor says that the physical security of hotels and their customers may have been placed at risk.

While investigating the database, the team also found data relating to multiple devices including hotel locks, in-room safes, and physical security management equipment.

"Especially in the wrong hands, this drives home the very real danger here of when cybersecurity flaws threaten real-world security," the cybersecurity firm noted.

Both vpnMentor and ZDNet reached out to Pyramid to inform the company of the exposed server on May 28, 2019.

Access to the database was closed shortly after Pyramid was made aware of the incident, but the company has not acknowledged their link to the server, nor responded to multiple requests for comment via phone and email prior to publication. 

This is not the first time that vpnMentor has discovered databases and servers left wide-open to the public due to the firm's web mapping activities. The company has previously disclosed a massive data breach impacting Chinese e-commerce firm Gearbest and an unprotected database which impacted up to 65 percent of US households. 


Why You Should Never Use Airport USB Charging Stations

Those oh-so-handy USB power charging stations in the airport may come with a cost you can’t see. Cybercriminals can modify those USB connections to install malware on your phone or download data without your knowledge.

“Plugging into a public USB port is kind of like finding a toothbrush on the side of the road and deciding to stick it in your mouth. You have no idea where that thing has been,” says Caleb Barlow, Vice President of X-Force Threat Intelligence at IBM Security.  “And remember that that USB port can pass data.”

It’s much safer to bring your regular charger along and plug it into a wall outlet or, alternatively, bring a portable power bank to recharge your phone when you’re low on bars.

If you insist on using public USB ports, Barlow recommends investing $10 for something called a Juice-Jack Defender. “It's a little dongle you can put in front of your charging cord that basically blocks any data from passing down the cord. It only passes the voltage,” says Barlow.

While these precautions may seem excessive to the average traveler, Barlow says it’s smart to worry about public USB power stations. A growing number of nation-state hackers are now training their sights on travelers, according to new research from IBM Security. The 2019 IBM X-Force Threat Intelligence Index reveals that the transportation industry has become a priority target for cybercriminals as the second-most attacked industry — up from tenth in 2017. Since January 2018, 566 million records from the travel and transportation industry have been leaked or compromised in publicly reported breaches.

Barlow also advises steering clear of random tech accessories left behind by other travelers. “My favorite of which is a simple Apple charging cord,” he says.

“Let's say I’m a bad guy. I go into an airport. I’m not going to easily take apart the charging station but it’s easy to just leave my cord behind. Now, if you see an Apple charging cord, you're likely to grab it or just plug into it. But inside this cord is an extra chip that deploys the malware, so it charges your phone but now I own your computer.”

You take a similar risk if you use any old USB stick you find lying around. “A lot of companies now are banning the use of USB storage devices because at the end of the day they're dangerous,” says Barlow. “If you want to get into a company, go buy a couple hundred USB sticks and cast them around in places where you know company will go. Guaranteed, one of them will get plugged into a company laptop.”


Redtail CRM data breach exposes personal client data

A data breach may have exposed personal client information that advisers store on Redtail Technology's client relationship management software, according to an email the fintech firm is sending to those affected.

The email, obtained by InvestmentNews, says the firm discovered on March 4 that its logging systems inadvertently captured a "small subset of the sensitive investor data" advisers keep on the CRM. The data were stored in a file that anyone on the internet could access.

Investor information in the file includes first and last names, physical addresses, dates of birth and Social Security numbers.

Redtail said in the email that it removed access to the file and launched an investigation as soon as it learned about the exposed data. But it said that remediation has been delayed because of the nature of the data, the format in which it was maintained and the time it takes to consolidate and correlate with Redtail's databases.

Redtail had to build specific applications to determine which clients' data was exposed. The company is emailing affected investors and offering free access to LifeLock Defender Preferred, a credit and identity theft monitoring and remediation product from Symantec.

"Less than 1% of Redtail clients were affected by this data exposure," Redtail CEO Brian McLaughlin said in an emailed statement. "We are taking this matter very seriously and are doubling down on our efforts to ensure that our customers' data is safe and secure."

Mr. McLaughlin also clarified there was no intentional break-in of Redtail's systems by a third-party. "It was a temporary exposure which Redtail uncovered and corrected," he said.

Redtail is one of the most popular CRMs among financial advisers. According to Technology Tools for Today's 2019 Software Survey, Redtail commands a 57% market share.



Businesses need to do more to protect personal data, users say

What in the world are you people hiding?

New research is showing that people believe exposing the secrets they hide on their digital devices would essentially destroy their lives. A privacy breach would mean financial ruin, reputational damage, even losing friends, partners and family members.

A fifth believe they'd lose their jobs, as well. In 12 percent of cases, people have been shutting down social media accounts to stay safe.

The research was conducted by cybersecurity firm Kaspersky Lab. Four in ten argue that businesses should do more to safeguard their data from prying eyes, adding that the government isn't doing enough to support the businesses.

Just a third have strengthened their passwords, and less than half have up-to-date security protection.

“We have become a society built upon digital secrets, with those secrets becoming commoditised and traded on the dark web. There is more that businesses can and should do to help protect their customers – including security solutions that significantly mitigate the risk of a successful attack on their systems, running fully updated software, performing regular security audits, performing penetration testing and ensuring that customer data is secure. However, there is also much that consumers can do to protect themselves. That includes strengthening their passwords and protecting all their devices,” comments David Emm, Principal Security Researcher at Kaspersky Lab.


This ransomware sneakily infects victims by disguising itself with anti-virus software

A successful family of ransomware which has been terrorising organisations around the world has been updated with a new trick to lure victims into installing file-locking malware: posing as anti-virus software.

Dharma first emerged in 2016 and the ransomware has been responsible for a number of high-profile cyber incidents, including the takedown of a hospital network in Texas late last year.

The group behind Dharma regularly look to update their campaigns in order to ensure the attacks remain effective and they have the best chance of extorting ransom payments in exchange for decrypting locked networks and files of Windows systems.

Now the cyber attacks have evolved again and cyber security researchers at Trend Micro have detailed a new means of Dharma being deployed: by bundling it inside a fake anti-virus software installation.

Like many ransomware campaigns, Dharma attacks start off with phishing emails. The messages claim to be from Microsoft and that the victim's Windows PC is 'at risk' and 'corrupted' following 'unusual behaviour', urging the user to 'update and verify' their anti-virus by accessing a download link.

If the user follows through, the ransomware retrieves two downloads: the Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.

When the self-extracting archive runs, Dharma begins encrypting files in the background while the user is asked to follow installation instructions for ESET AV Remover. The interface is displayed on their desktop and requires user interaction during the installation process, acting as a distraction from the malicious activity.

Once the installation is complete, the victim will find themselves confronted with a ransom note, demanding a cryptocurrency payment in exchange for unlocking the files.

"The article describes the well-known practice for malware to be bundled with legitimate application(s). In the specific case Trend Micro is documenting, an official and unmodified ESET AV Remover was used. However, any other application could be used this way," said an ESET statement, after being informed about the research by Trend Micro.

While not as high-profile as it was during the height of attacks like WannaCry and NotPetya in 2017, ransomware still remains a threat to organisations as attackers continue to develop and deploy new tactics and variants of the file-locking malware.

"As proven by the new samples of Dharma, many malicious actors are still trying to upgrade old threats and use new techniques. Ransomware remains a costly and versatile threat," said Raphael Centeno, security researcher at Trend Micro.

To avoid falling victim to Dharma and similar threats, researchers recommend that organisations adopt good cybersecurity hygiene such as securing email gateways, regularly backing up files and keeping systems and applications patched and updated.



Workplace Social Media Security: 5 Questions Answered

Social media use has skyrocketed for businesses all over the world, with many companies using it as a way of strengthening their brands and reaching out to new and existing customers.

It’s clear that social media is likely to continue its popularity with businesses although, in an age where information security has never been such a pressing issue, there are still questions that need to be addressed.


Is social media really a threat to security?

The threat posed to security by social media is nothing new. 

One obvious threat is the potential for blurring the line separating personal information and company data, particularly when a user is using a social media account for both personal and work purposes.

Workers may underestimate this risk, but such an account can still be used as a portal into a company’s wider network.


So is social media a weak spot?

Potentially. The use of phishing to compromise email accounts has been well-documented, but it can take on a new dimension when combined with social media.

For example, if cybercriminals can compromise a LinkedIn account, they can potentially fool others on the network into thinking they are genuinely one of their coworkers, opening up the possibility of handing over sensitive information.


But if they don’t get that far, there’s nothing to worry about?

Not exactly. Social media output is a key component of a brand’s overall image. If a cybercriminal manages to compromise one of these channels it could prove damaging.


What can be done to make things better?

Setting up a rigid social media policy to protect company accounts is always a good start.

A code of conduct for employees, as part of a wider cybersecurity program, can include the implementation of strong passwords, with weak logins such as 123456 still all too common.

Other potential points include monitoring engagement with brand mentions, offering guidance on how to spot malicious software, implementing two-factor authentication, and ensuring that only brand-approved content is shared.

Implementing a policy is particularly important for businesses operating more than one social media account, although it is equally important not to discourage employee participation as this will hinder the benefits these platforms bring.


Is it the employer’s responsibility to safeguard social media security?

Employers should always try to educate their workforce on the potential dangers of social media as best they can, but employees themselves need to remain vigilant.

Always ensure links come from trusted sources and keep track of what devices have access to your accounts, and utilize any available service that will notify you when a new login occurs.

Furthermore, workers shouldn’t risk leaving themselves vulnerable by posting potentially sensitive information on social media.



U.S. Consumers' Security Habits Make Them Vulnerable to Fraud

Despite almost half of U.S. consumers (49 percent) believing their security habits make them vulnerable to information fraud or identity theft, 51 percent admit to reusing passwords/PINs across multiple accounts such as email, computer log in, phone passcode, and bank accounts. That is according to Shred-it's Consumer Fraud Awareness Survey.

Consumers are not only putting their digital security at risk, but their habits toward physical information security also make them vulnerable to fraud or identity theft. While nearly two in 10 consumers (17 percent) are concerned that they could fall victim to a physical security breach, nearly three in 10 consumers (27 percent) admit they do not shred paper or physical documents containing sensitive information before throwing them away.

"The Consumer Fraud Awareness Survey demonstrates how today's consumers are becoming increasingly vulnerable to fraud or identity theft due to lax information security habits," said Monu Kalsi, Vice President, Shred-it. "With International Fraud Awareness Week on the horizon, this is an excellent time for information security leaders to share critical tips and advice with consumers on how they can improve their security habits to ensure they're better protected from a data breach."

Although consumers may be inadvertently putting their own information security at risk, the study also found they don't trust companies to keep their personal information safe. Forty-three percent of consumers believe the personal information they share with brands and companies today could be vulnerable to a security breach. With that, 40 percent say they would stop doing business with a brand or company if they previously suffered a security breach.

Additional findings from the survey include:
Consumers are unsure how to determine if they were victims of fraud and do not understand how to report and remediate fraud/identity theft.

  • More than one-third of consumers (39 percent) have been a victim of fraud or identity theft.
  • Nearly three in 10 consumers (27 percent) admit that they do not know how to find out if they've become a victim of fraud or identity theft.
  • When asked how they found out they were a victim of fraud, 33 percent found out by monitoring their own accounts for suspicious activity, 29 percent were alerted by a business about a security breach of their information and 24 percent discovered it by accident.
  • One in five consumers (20 percent) admit that if they became a victim of fraud, they would not know how to report and remediate it.

Consumers believe they can identify fraudulent emails or calls.

  • While the majority of consumers (72 percent) think they could determine if an email or phone call they receive is part of a fraudulent scam, 16 percent of consumers say they could not and another 12 percent of consumers don't know.
  • Baby Boomers (66 percent) are the least likely to believe they could determine if an email or phone call they receive is part of a fraudulent scam or not, compared to Gen Zs (72 percent) and Millennials (74 percent).

Consumers store paper documents containing sensitive information in risky ways.

  • Nearly 30 percent of consumers store paper documents containing sensitive, personal information in a box, desk drawer or unlocked cabinet at home or work.
  • More than one in five consumers (22 percent) admit to not storing or keeping paper documents containing sensitive information.

Baby Boomers have some of the safest information security habits, despite stereotypes suggesting otherwise.

  • Baby Boomers (47 percent) are the least likely to reuse passwords/PINs across multiple accounts such as email, computer log in, phone passcode and bank accounts, compared to Millennials (55 percent) and Gen Zs (61 percent).
  • Baby Boomers (26 percent) are the least likely to store paper documents containing sensitive, personal information in an unlocked cabinet at home or work, compared to Millennials (33 percent) and Gen Zs (31 percent).
  • Baby Boomers (80 percent) are more likely to shred paper or physical documents containing sensitive information before throwing them away, compared to Millennials (67 percent) and Gen Zs (69 percent).
  • More than nine in 10 (91 percent) Baby Boomers closely monitor their financial account activity such as bank statements, credit reports and credit card statements each week, compared to Millennials (85 percent) and Gen Zs (86 percent).



How cybercriminals hold data hostage... and why the best solution is often paying a ransom

Targets have included hospitals and municipalities, but the FBI says anyone on the internet should expect to be attacked by cybercriminals

This past week Cleveland's airport began to recover from a computer attack that took down its flight information, baggage displays, and its email. The FBI says it was another ransomware attack on a sensitive government network. Ransomware locks up a victim's files until a ransom is paid. More and more, critical public service networks are the targets. Before Cleveland, the city governments of Newark, Atlanta and Sarasota were hit and San Francisco's transit authority; the Colorado Department of Transportation and the Port of San Diego. Today, 26 percent of cities and counties say they fend off an attack on their networks every hour. Perhaps even worse, dozens of hospitals have been held hostage across the country.

In January 2018, the night shift at Hancock Regional Hospital watched its computers crash with deepest apologies. The 100-bed facility in the suburbs of Indianapolis got its CEO, Steve Long, out of bed.

Steve Long: We had never been through this before. And it's something that I read in the journals. And I say, "Oh, those poor folks. I'm glad that's never going to happen to us." But when you come in and you see that the files on your computer have been renamed and all of the files were renamed either "we apologize for files" or "we're sorry." And there was a moment when I thought, "Well, maybe they're not so bad. They said they were sorry." But, in fact, they had encrypted every file that we had on our computers and on the network.

Long told 911 to divert emergency patients to a hospital 20 miles away. His staff turned to pen and paper. Nothing electronic could be trusted.

Steve Long: This is a ransomware, so this is a virus that has gotten into the computer system. "Would it have the ability to jump to a piece of clinical equipment? Could it jump to an IV pump? Could it jump to a ventilator? We needed a little time just to make sure about that."

But time was a luxury not offered in the ransom demand.

Steve Long: "Your network has been encrypted. If you would like to purchase the decryption keys, you have seven days to do so or your network files will be permanently deleted." And then it gave us the amount that we would need to pay to get that back.

Scott Pelley: And that came to?

Steve Long: About $55,000.

That was the same price demanded of the city of Leeds, Alabama, three weeks after Hancock Hospital. Mayor David Miller was surprised his town of 12,000 would be a target; not much to notice in Leeds, at least not since Charles Barkley graduated from the high school.

David Miller: I didn't know that this malware attack was actually a ransomware attack. As soon as we found that out, that took it to a little different level.

Scott Pelley: How do you mean?

David Miller: Well, it was going to cost us some money.

Like the hospital, the city of Leeds was cast back into the age of paper: no email, no access to its personnel files or financial systems.

Scott Pelley: Can all companies and local governments expect to be attacked?

Mike Christman: I think everyone should expect to be attacked.

The FBI's Mike Christman says cybercrooks know governments and hospitals are likely to pay because they can't afford not to. Until his recent promotion, Christman was in charge of the FBI's cybercrime unit.

Scott Pelley: You're waiting for the day that somebody says, "We have the 911 system held hostage in a major city and we need $10 million today"?

Mike Christman: I hope that day never comes, but I think we should prepare for that possibility.

Christman says in 2017, 1,700 successful ransomware attacks were reported but he figures that's less than half. Most businesses, he says, would rather pay than admit they were hacked.

Mike Christman: I'm aware of one ransomware variant that affected all 50 states that had some $30 million in losses, and over $6 million in ransom payments. I would tell you that the losses are very significant, and easily approach a hundred million dollars or more just in the United States.

That ransomware variant he's talking about is the one that held Hancock Hospital hostage. It's called "SamSam" after one of its file names. Experts told Steve Long "SamSam" is unbreakable.

Steve Long: There was nothing that we could do to unlock those files. Our only choice was to wipe the system and hope that we had backups or to purchase the decryption keys.  

Scott Pelley: To pay the ransom.

Steve Long: Indeed. That is exactly what that means.


Merger mania: Why consolidation in the RIA space is about to explode

The steady increase in merger and acquisition activity in the registered investment advisory space over the past six years might seem impressive to some, but for industry players like Ron Carson, the party is just getting started.

"I used to say, we're at the first pitch of the first inning, regarding consolidation in the RIA space, but now I believe it's more like the game hasn't even started yet," said Mr. Carson, founder and CEO of Carson Group, an $8.4 billion firm that has made mergers and acquisitions a foundation of its growth strategy.

"In seven years or less, you will see a third less firms than we have today in this industry," he said.

Mr. Carson, who says he has 17 acquisition deals in the works, is not alone in his view of a rapidly consolidating financial planning industry. While an aging adviser population looking for an exit strategy is still believed to be one driver of M&A, experts say the desire for economies of scale and the availability of capital from private equity are also major factors. And although the rise and fall of the stock market will continue to affect M&A activity, few believe that it will have any long-lasting effect on the trend toward consolidation.

One reason is because so little consolidation of the industry has taken place.

"Despite the record-level M&A activity, there's still not a lot happening given the size of the industry," said David DeVoe, managing director at the investment bank DeVoe & Co.

In some ways, tracking M&A activity in the RIA space is more art than science, because most of the deals involve privately owned firms, and the data collectors each have their unique criteria for calculating market activity.

But regardless of how the data are measured, the trends illustrate steady M&A growth.

Mr. DeVoe's calculations of RIAs registered with the Securities and Exchange Commission with at least $100 million under management count 97 acquisitions last year out of 5,000 SEC-registered RIAs.

That total is up from 89 in 2017 and 36 deals in 2013, but is still just scratching the surface of pent up deal potential, according to Mr. DeVoe.

Deals are not only becoming more plentiful, they also are getting bigger.

Mr. DeVoe reports that $513 billion in assets under management changed hands last year.

The 10 largest transactions in 2018 constituted $391 billion in AUM, which was nearly 24% more than the $316 billion top 10 total of 2017, and more than five times the $69 billion top 10 total of 2016.

'Flood gates will open'

Despite all of the rosy numbers, Mr. DeVoe said M&A activity is still relatively small.

"We know the demographics for financial advisers are skewed toward the older end, and right now we're not seeing enough deal volume to just clear the retirement dynamic of this industry," Mr. DeVoe said. "We should be seeing 200 to 250 advisers selling their firms annually just for succession, and I think the flood gates will open over the next five-plus years."

The reasons for M&A activity have changed over the years.


"It used to be the vast majority of deals were done because somebody was exiting the industry, but over the past few years we're seeing more deals done to achieve scale and for strategic reasons beyond succession planning," Mr. DeVoe said.

A subdriver of M&A activity is the growing influence of private-equity investors that is fueling deal activity by taking ownership stakes in major consolidator firms like Carson Group, Mercer Advisors, Focus Financial and HighTower Advisors.

"Private equity has helped to accelerate the pace of consolidation, but it didn't create consolidation in the RIA space," said David Barton, vice chairman at Mercer Advisors, a $15 billion, PE-backed firm that made eight acquisitions in each of the past two years and has completed two deals already this year.

"It's a competition issue," he said. "Smaller firms realize the larger firms can offer more services in addition to investment management and financial planning, so for them it's 'build it or join it.'"

While Mr. Carson and Mr. Barton cite the benefits of PE support, the flip side is seen as sometimes short-term and overly aggressive money.

"Private equity in many cases is not patient money," said Tom Haught, founder of Sequoia Financial Group, a $5 billion firm that has made three acquisitions in the past two years without the help of PE money.

Scott Slater, vice president of practice management and consulting at Fidelity Clearing & Custody Solutions, believes the stock market is playing a part keeping a certain amount of M&A activity at bay.

"I don't think there's enough activity yet," he said. "I think a lot of owners still like what they're doing, but there are dynamics that could change. Look at the [independent broker-dealer] world where they are not as valuable as they used to be."

Mr. Slater recalls the peak-valuation period of 2007 leading into the financial crisis and thinks some advisory firm owners could be at risk of riding the seller's market a little too long.

Market volatility

Even though it might be easier to postpone succession planning when the equity markets are strong, Mr. Slater said evidence of the market's influence on deal activity popped up briefly during the 20% market correction at the end of last year.

"I do think we appear to be potentially at a time of peak valuations, and market volatility could drive more discussions," he said. "A good example is during the volatility of last year, more advisers were having more serious conversations about selling."

The main reason the bull market for stocks has driven up RIA valuations and put sellers in the driver's seat is that most advisory firm revenues are based on AUM.

A stock market pullback is seen as a potential disruptor to the pace of M&A activity, even if it's a temporary one.

"I think sellers can and have commanded better deals and better terms, and the stock market cycle has everything to do with it," said Peter Raimondi, an industry veteran who recently founded Dakota Wealth Management, a $700 million firm that has made three acquisitions in its first eight months.

Tables will turn

A down market cycle for stocks, he added, is where the tables will turn in favor of the buyers.

"You have RIAs who have not experienced what it's like to have profits disappear for any period of time," Mr. Raimondi said. "A bear market will shift this to a buyer's market because the RIAs will feel like they have to sell."

Kurt Miscinski, president and chief executive of Cerity Partners, believes a stock market slowdown could slow the pace of M&A activity, but he doesn't believe the larger trend is going away.

Cerity Partners is a $10 billion PE-backed firm that has made seven deals in the past 10 years.

"Acquisitions are a great way to bring together advisers and clients, and develop a geographic presence," he said. "We will continue to make acquisitions."

Good times or bad, a major consolidation driver will continue to be the pursuit of scale, according to Rush Benton, senior director of strategic wealth at Captrust, a $315 billion firm that he describes as "active as hell" in acquisitions.

"The sellers want to benefit from the scale of better technology, better senior management and better back-office support," he said, emphasizing that even succession-plan acquisitions typically involve the seller sticking around for three to five years after the deal is complete.


The Top Dollar Costs for Cybersecurity Breaches and What Independent Financial Advice Firms Should Do

Independent wealth management firms are notorious for talking a good game about cybersecurity while doing frighteningly little to protect sensitive client information. The bottom line is that those poor practices carry hidden risks, threatening the long-term strategic plans of otherwise successful independent broker-dealers and RIAs.

Recent research from multiple sources — including IBM, the Ponemon Institute, and Beacon Strategies — helps fill in the gaps. Taken together, this material shows how wealth management teams vastly underestimate the true cost and consequences of cyber-attacks, that firms and their employees are far too lax on recommended protocols, and that they are in dire need of unified cybersecurity tools with a greater focus on the financial advice industry.


This revelation lays bare the rampant lack of preparedness for cyberattacks in the wealth management industry. It’s no exaggeration to say that many firms and their employees are literally waiting for a data breach to occur.

But the most surprising discovery is that so few of them realize they don’t have to be in that situation. Affordable, effective and efficient solutions do exist for the financial advice space. Of course, like anyone who wants to break a bad habit, the first step is admitting there’s a problem.

Beacon Strategies estimates that 74% of financial advisors already have been the target of cyberattacks, yet a whopping 64% of employees think cybersecurity is not a priority for their firm.

Additionally, leaders at many firms believe that allocating more time and resources to shoring up cybersecurity is unjustified since their firm has not (yet) suffered a data breach. This reveals a dangerous misunderstanding of what’s at stake.


No other industry has been as vulnerable to cyberattacks over the last two years as financial services, according to IBM. And the Ponemon Institute found that the average remediation cost per lost or stolen record in a data breach is $141, factoring in direct expenses such as engaging forensic experts and indirect expenses such as lost customers.

Now consider that a single-advisor practice with five employees may have as many as 400 client records. Basic math suggests that such a practice could lose over $56,000 due to a breach, a seven-advisor RIA with 10 support staff could face over $240,000 in losses and a broker-dealer with hundreds of advisors could lose millions.


A common theme among wealth management firms is lax adherence to protocols. Rules from FINRA, the SEC and assorted state regulators, such as those in New York and Massachusetts, ought to be non-negotiable since those entities have made cybersecurity a top concern.

But far too often overlooked are recommendations by the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce. The NIST voluntary framework entails best practices on how to identify cyber threats, detect gaps, protect against attacks, respond to them and recover when compromised. Although all those areas are important, “protection” is the heart of the framework.

According to NIST, “protection” involves distinct actions to ensure identity management and access control; cybersecurity awareness and training; risk-based strategies for maintaining the confidentiality and availability of information; rigorous processes and procedures; system maintenance; and audit logs.


The average wealth management firm uses more than 75 different software technologies and seven different software agents installed on their endpoints for IT and cybersecurity. That makes it cumbersome and time-consuming to protect sensitive data. Worse still, many of those tools were not designed for advice practices.

The Ponemon Institute says that the faster a data breach is spotted and put under control, the less burdensome its cost will be for firms. Beacon Strategies goes a step further and says that, for broker-dealers and RIAs, the best approach is avoiding unnecessary cyber incidents to begin with, namely by adopting a unified platform designed for independent advisory firms.

While it may be debatable which platform is best for every firm and every advisor, there should be no debate that now is the time to act, for both the sake of your business and the best interests of your clients.




7 Tips for Creating a Better Password

How strong is your password, really? Do you use the same one on a number of accounts? Or refer to your dog Fluffy in all of them? Chances are you could use a change.

About 73 percent of online accounts are guarded by duplicate passwords, according to a 2015 report by TeleSign, an internet security firm, and 54 percent of those surveyed use five or fewer passwords across their online accounts.

Meanwhile, just over 10 percent of consumers use one of the 25 worst passwords of 2016, according to SplashData, a provider of password management applications, which analyzed more than 5 million leaked passwords used by users in North America and Western Europe.

Topping the list of the worst passwords? 123456, password, 12345, 12345678, football and qwerty.

The problem with this is that our passwords are a key component of our lives, and as more of the services we rely on every day move online, the stakes grow ever higher.

It may seem overwhelming, but you can improve your internet security today with these seven tips.

1. Create Strong Passwords

What does that mean? Ideally, a password should be at least 10 to 15 characters and include a mix of lower case and capital letters, numbers and special characters such as @, $, or *. It should also be unrelated to any of your prior passwords.

Struggling to think of something? You can use a password generator (there are a number of free options available), or pick a short sentence or phrase to use as inspiration and replace certain letters with numbers or special characters. For example, you could channel Cookie Monster and go with, “W@nT~C0oK13$.”

2. Avoid Passwords Containing Info Easily Found Online

Part of having a strong password is not using information someone could easily (or even not-so-easily) figure out by checking out your social media accounts. That means if you constantly post about your cat, Fluffy, don’t make your password Fluffy_Lv3r.

Consider the whole extent of the information out there. While H@rRy*P0tt3r is generally a strong password, don’t use it if you are a member of a Harry Potter fan club or post quizzes to your page like “What Hogwarts House Would You be Sorted Into?”

The same goes for those account security questions you are sometimes asked to fill out. If your Facebook includes information on where you went to high school, avoid a security question like, “What was your high school mascot?”

3. Use a Unique Password for Every Website or App

It may be super annoying, but sorry, you’ve got to do it. You need to have a different password for all your different accounts.

You might think a security breach at, say, LinkedIn doesn’t matter—they have your resume, so what? But if you use the same password, or even a similar one, for LinkedIn as you do for your bank account, or Facebook, or any number of other applications, a hacker can soon find a way to wreak havoc in your financial and personal life.

Need help remembering all those passwords? There are a number of options for keeping track. You can download a password manager app, or if you don’t feel comfortable keeping that info in the cloud, you can also just create a document on your computer and encrypt that with a password. If you are more the pen-and-paper type, you can keep a list at home.

“In some scenarios, writing down passwords isn’t a terrible thing (it’s offline) provided you protect what you have written and where you store it,” said Whitney Hewatt, a lead security engineer at FINRA. “Certainly don’t store such things right next to any systems you use making it easy to find such lists.”

4. Avoid Linked Accounts

While we are on the subject, avoid linked accounts. What does that mean? When you are new to a website and it says you can either create a new account or link the account to your Facebook or email login, just create the new account instead.

“Sure, linked accounts are convenient,” Hewatt said. “But convenience comes at a cost.”

When you log in using another account, you are usually allowing that website to have some of your data, whether you realize it or not. That may be a privacy concern and may make identity theft easier. But beyond that, allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.

5. Use Multi-Factor Authentication

When possible, use multi-factor authentication, or two-factor authentication, particularly for your email accounts. Many e-mail providers now allow for this, including Gmail, Microsoft Mail and others.

“Protect your email accounts as best you can,” Hewatt said. “Enable this setting to provide an added layer of security where you authenticate and then have to use another validation process, such as a code sent by text or authenticating app to secure the logon process.”

You should do this whenever possible, but your email account is particularly important. Your email address is also where password resets are typically sent, so it’s imperative that you protect your email address in order to protect all other accounts. Not to mention how much other information a hacker could get from your email account: your address, possibly medical information or information on your financial accounts and utility accounts.

6. Beware Where You Enter Your Password

Be aware of possible risks such as using public kiosks and charging stations when logging on to any site or app you use. There may be malware or a virus designed to capture any information you type on the machine.

“You never know who manages these systems or how securely they are configured,” said Hewatt.

The same goes for public Wi-Fi. Public Wi-Fi might be convenient and easy on your wallet as you look to avoid data overage charges from your cellular provider, but steer clear of entering your password into any website from a public network, be it at an airport or your favorite coffee shop, or in a college classroom or hotel room.

“Until better security solutions are created, traffic on open networks can generally be discovered by anyone else on that network,” Hewatt said. “You are better off using cellular communications when possible.”

And never change your password on a public network or a public machine.

7. Take Note When a Data Breach Occurs

If you hear about a possible data breach of a website or app you use, don’t just assume others were affected, but not you. Take steps to determine if your credentials have been stolen.

You can reach out to the company that was hacked, or use test sites to determine if your credentials were stolen. Have I Been Pwned is one option that tracks many of the known data breaches. You can enter a user name or email address to determine if one of your accounts is located on lists which have already been dumped to the internet for public download.

“This may not be your actual password, but a scrambled version of it that is easily deciphered by common tools,” Hewatt said. “If you encounter this, change your password right away.”




Crackdown showdown: Serious Cybersecurity Enforcement is Coming in 2019, But Are Advisers Ready?

After spending most of a decade offering guidance and stern warnings, regulators are ready to put enforcement muscle behind cybersecurity rules.

A flurry of activity in 2018 at federal and state levels has many legal and security experts expecting 2019 to be a watershed year for holding firms accountable for clients' digital data. Penalties are coming for advisory firms that don't do enough to prevent a data breach or don't respond to a breach effectively.

The Securities and Exchange Commission is leading the charge. The agency took several actions in 2018 that should alert every adviser that any grace period in adopting data security controls has expired.

"The honeymoon phase is over," said Askari Foy, managing director of ACA Aponix's global regulatory cybersecurity practice and a former SEC associate director. "As they identify issues, they're less likely to be friendly, for lack of a better word. They tend to roll up their sleeves and really dig into the issues, particularly if they smell blood or sense potential harm to investors."

Voya troubles

No alarm rings louder than the SEC's Sept. 26, 2018, announcement that Voya Financial Advisors would pay $1 million to settle charges relating to a 2016 scam that compromised the personal information of thousands of customers. It was the first time the SEC enforced its "identity theft red flags rule," which has been on the books since 2013.

Even though Voya had a cybersecurity policy in place and responded to the breach within a matter of hours, it wasn't good enough for the SEC. The regulator said Voya's cybersecurity policies and procedures were out of date and failed to do enough to ensure they applied to the entire workforce of financial advisers.

This issue of scant policies or ineffective effort is common throughout the industry and it's exactly what the SEC wants to eliminate. For many advisers, cybersecurity is just another compliance procedure — put a policy in place, do some basic training, check off the box and move on to more pressing business issues.

"Firms have cybersecurity policies, they get one from an attorney or compliance firm. The policy looks great, but it doesn't actually reconcile to reality in any way," said Sid Yenamandra, CEO and co-founder of cybersecurity firm Entreda.

For example, the policy may say advisers can only access the firm's network using a secure connection such as a virtual private network, but there are no checks that the policy is actually followed, he said.

Entreda's experts, who have provided data protection software and training services to thousands of advisers, see a lot of lip service paid to cybersecurity.

"People talk about having a good cybersecurity policy, but who is actually implementing it? Our view on this entire issue is we tend to see there is a false sense of security that a lot of firms have," Mr. Yenamandra said.

These firms are more vulnerable to an attack, and this year they also could face stiff fines and censure. Regulators' gloves are off, and they are ready to crack down.

2018 warnings to heed

When the SEC first developed regulations regarding email communications, it gave firms a few years to acclimate to the new rules and get programs in place. As guidance became more detailed and rules more specific over time, that's when sanctions started coming. Regulators are following a similar pattern with cybersecurity, said Kim Peretti, co-chair of law firm Alston & Bird's national security and digital crimes practice and its cybersecurity preparedness and response team.

"Investment advisers and broker-dealers of all sizes may be under scrutiny and should expect more enforcement actions moving forward," she said. "For registered investment advisers and broker-dealers, the primary implication of this focus is that the SEC will continue to expect more mature cybersecurity programs that adapt to the changing threat environment and appropriately manage and communicate risks to investors."

The agency last year named cybersecurity as a priority in its examinations of investment advisers and brokers; asked Congress for an additional $52 million to expand personnel, including four people dedicated to cybersecurity; and issued new guidance on public companies' obligations to disclose cybersecurity risks and incidents, updating its previous guidance issued in 2011.

The SEC published a report last year detailing an investigation of nine undisclosed public companies that fell victim to cyberfraud and collectively lost nearly $100 million. Though no charges were filed, the report served as a stern warning to consider cybersecurity when implementing internal account controls and specified the exact rule — Section 13(b)(2)(B) of the Securities Exchange Act of 1934 — that holds firms accountable.

It isn't just the SEC getting tougher with cybersecurity. In August, the Financial Industry Regulatory Authority Inc. censured and fined a small broker-dealer $50,000 for having inadequate procedures for preventing hackers from transferring money from client accounts. In December, the self-regulatory organization updated its 2015 report on cybersecurity best practices for broker-dealers.

State regulators are making their own rules. Since New York issued rules requiring financial institutions to establish cybersecurity programs, the number of bills and proposals addressing cybersecurity at the state level has continued to grow. According to the National Conference of State Legislatures, 265 bills were introduced in 2018, up from 240 bills in 2017 and 104 in 2016. As of Nov. 6 (the latest data available), 52 of the bills proposed last year became law.

The increased activity provides a window into where regulators are focusing their energy and what future enforcement actions might involve.

For example, the SEC's February guidance on disclosure obligations and subsequent charges against Yahoo — $35 million for failing to disclose a cybersecurity breach — show how seriously the regulator wants firms to report data breaches. According to the New York Times, only 24 public companies (across all industries) reported breaches to the SEC in 2017, but researchers believe more than 4,000 breaches occurred.

The Voya charges reveal another common weakness, specifically for financial advisers. It's not enough to just have a cybersecurity plan in place. Regulators want to see firms continually testing, reviewing and updating cybersecurity policies and procedures to ensure they remain effective as threats evolve.

Business email

Another area of focus, as evidenced by the SEC's investigative report and Finra's updated best practices, is compromised business emails — an increasingly popular attack method in which hackers pose as corporate executives or third-party vendors and use emails to trick other employees.

"There's been an increasing focus on the nexus between cyberintrusion and cyberfraud," Ms. Peretti said.

Preventing harm due to phishing scams requires that firms address human susceptibility to such scams in addition to the technology element itself, she said.

Finally, the Voya breach was caused by hackers impersonating an independent adviser and using the custodian's support line to reset passwords and gain access to the system, illustrating the vulnerability from third parties.

Regulators want advisers to have an inventory of everyone who can access their data, including both third-party technology vendors and independent contractors.

Where advisers can improve

The good news is that the financial services industry has done a pretty good job of adapting to new cybersecurity requirements, at least in comparison to other industries like retail, said Robert Cattanach, partner at law firm Dorsey & Whitney.

Where it's most often falling apart is with the smaller registered investment advisers and broker-dealers.

"Modest-sized companies lack the resources to really make good on their paper policies," Mr. Cattanach said. "Someone can gin up the right-sounding IT governance policies and procedures. But it's a whole additional step to make sure they are followed."

At smaller firms, there can be a sense of fatigue and helplessness when it comes to cybersecurity, because even the largest companies get hacked.

"There is this general feeling of, 'Holy cow, how can I, this little RIA out here, protect [against a breach] if these large institutions can't?'" said Wes Stallman, provider of cloud-based cybersecurity for advisers. "I do think that causes some frustration."

Experts said the adviser mindset should not be fixed on trying to safeguard data 100% because, with attacks always evolving, it's less of a matter of "if" and more of "when" there's a breach.

Regulators understand this, and really just want firms to have checks and balances in place to ensure they are doing the best they can to prevent breaches. More importantly, regulators want firms to have an up-to-date and battle-tested plan for an effective and timely response to a breach.

Finra's December update to its best practices includes a new appendix to help small firms adopt and implement cybersecurity controls. When used alongside Finra's previously released small firm cybersecurity checklist, it should give smaller advisers an effective guide to remaining compliant.

The bigger challenge is how to get all financial advisers to move beyond the lip service and actually realize that cybersecurity is something more important than another compliance chore. The key to that may lie in thinking of cybersecurity as a competitive advantage, Mr. Yenamandra said.

Clients are going to increasingly ask what advisers are doing to protect data, and firms that can give a satisfying answer will build trust with investors.

"Cybersecurity needs to be viewed as not only an operational risk but also a strategic function," he said.


Everything You Need to Know About Router Security to Avoid Getting Hacked by Cybercriminals

The bad news: most people don’t give a second thought to their routers.

This lack of know-how puts a lot of households in a dangerous position. The United States Computer Emergency Readiness Team (US-CERT) has issued an alert about Russian state-supported hackers carrying out attacks against a large number of home routers in the U.S.

Some routers are inherently flawed and can never be fixed. To help beef up your router’s security, here are five tactics for protecting your home network, devices and files from hackers.

First, check your router's admin page

Before you start, make sure you can get into your router's administration console; this is where you manage your router's settings, from password management to firmware updates.

First, make sure your computer is connected (either wired or wirelessly) to your router, open a web browser and type in the router's IP address. The IP address is a set of numbers, and the default depends on your router's manufacturer. The common ones are, or

If you don’t know your router's IP address or password, it’s on the internet

1. Select the best encryption

Criminals love unsecured home Wi-Fi networks. Securing your Wi-Fi network can also shield you from unwelcome connections that may be using your network for illegal activities.

This is why it's important to protect your Wi-Fi network with strong encryption. If you are required to enter a password to connect to your Wi-Fi, you already have some encryption enabled on your router.

There are different types of Wi-Fi encryption, and you have to make sure that it's the most secure one you can employ.

The most widely-used Wi-Fi security protocol right now is still Wi-Fi Protected Access 2 (WPA2) encryption. However, this standard is over a decade old, and it is already susceptible to serious security vulnerabilities like 2017's KRACK attack.

If you're shopping for a new router, look for one that supports the newest security standard called WPA3. These models have just started rolling out. Every router has a different menu layout, but you should be able to find encryption under the "Wireless" or "Security" menu. You'll have a number of encryption options: if you still have an older router, you want to select one that starts with "WPA2." If your router is not WPA3 compatible, then "WPA2-PSK AES" is your best option right now.

However, if you have older Wi-Fi gadgets, you might have to select the hybrid option "WPA2-PSK AES + WPA-PSK TKIP" to get them working.

Never choose Open (no security), and if your router is using WEP, change the security setting immediately. An open network will make it easy for someone to steal your Wi-Fi, and the older WEP security is easily hacked.

If the only encryption options your router has are WEP or WPA, tell your router to check for a firmware update. Look in your manual for the instructions.

Don't have your manual anymore? Try ManualsLib or ManualsOnline, which both have hundreds of thousands of manuals, from routers to refrigerators to anything else you might need.

If there's no firmware update or your router updates but you're still stuck with WPA or WEP, it's time to buy a new router. These encryption methods are too unsafe to use, plus it means your router is probably more than 7 years old.

2. Pros set up an additional separate network

A great tactic is to put visitor devices on a separate network. You do this by setting up a completely different Wi-Fi router or enabling your router's "Guest Network" option, a popular feature for most routers.

Guest networks are meant for visitors to your home who might need a Wi-Fi internet connection, but you don't want them gaining access to the shared files and devices within your network.

This segregation will also work for your smart appliances, and it can shield your main devices from specific Internet-Of-Things attacks.

To avoid confusion with your primary network, set up your guest network with a different network name (SSID) and password. Please make sure you set up a strong and super-secure password on your guest network, as well. You still won't want crooks and strangers mooching off it for security reasons.

Newer routers do this segmentation automatically. This feature lets users put Internet-of-Things appliances on a separate network, shielding your central computers and other personal gadgets from attacks.

With this virtual zoning of your network, you can still allow all your smart appliances and hubs to communicate with each other while keeping your main computing gadgets safe in the event of an Internet-Of-Things attack.

Also, if you're worried about "wardrivers" or people roaming around looking for Wi-Fi spots to hack, you can disable the broadcasting of your network and your guest network's name (SSID) entirely.

3. Use the free parental controls

To shield your kids from inappropriate sites, most routers have built-in content filters, parental controls and time-based restrictions.

To enable these filters, visit your router's administrator page or app again and look for a section called "Parental Controls" or "Access Controls." Here, you can choose what type of sites to disable access to, set the schedule when the filters are in effect and set curfew hours for certain gadgets.

You can even set filters for specific IP and MAC addresses. The downside of this method is the inconvenience and it takes a bit of technical skill to pull this off. The good thing about this is that you'll have a map of all your connected gadgets and their corresponding IPs.

To take this a bit further, turn on MAC (Multimedia Access Control) filtering. With MAC filtering on, you can specify which MAC addresses will be allowed to connect to your network at certain times. Note: MAC addresses can usually be found in the gadget's settings, label or manual. Look for a set of 16 alphanumeric characters. (Here's an example of what a MAC address will look like: 00:15:96:FF:FE:12:34:56 )

4. Turn on the VPN

You have likely heard of a VPN (Virtual Private Network), which is an excellent way to boost your online security and privacy.

With a VPN, your gadget's IP address is hidden from websites and services that you visit, and you're able to browse anonymously. Web traffic is also encrypted, meaning not even your internet service provider can see your online activity. It is a good way to hide your internet tracks from would-be snoops.

VPN services are typically accessed via software, but some newer routers can be configured with VPN capabilities built straight into the router itself. Instead of protecting each gadget with its own VPN service, your router will protect every connected device.

Routers with this capability have open source router software support (such as DD-WRT), and they can be configured to use services like OpenVPN.

Currently, there are a variety of open source and OpenVPN capable routers to choose from, but the most popular models are the Linksys AC3200 and the Netgear Nighthawk AC1900.

5. Turn on and test the firewall

One valuable tool that can protect your router from hackers is a firewall. With it, even if they manage to know your router's location and IP address, the firewall can keep them from accessing your system and your network.

Almost every newer router has built-in firewall protections in place. They might be labeled differently, but look for features under your router's advanced settings like NAT filtering, port forwarding, port filtering and services blocking.

With these controls, you can configure and specify your network's outgoing and incoming data ports and protect it from intrusions. Be careful when tweaking your port settings though, since a wrong port setting can leave your router vulnerable to port scanners, giving hackers an opportunity to slip past.

To check if your router's firewall and your ports are secure, you can use an online tool for a quick test.



12 Most Common Phishing Email Subject Lines Cyber Criminals Use to Fool You

The most common subject lines used in phishing emails targeting businesses show how cyber criminals are exploiting urgency, personalisation and pressure in order to trick victims into clicking on malicious links, downloading malware or otherwise surrendering confidential or sensitive corporate information.

Cyber criminals are well aware that people respond to dozens if not hundreds of emails a day – and this is reflected in the most common subject lines used when conducting business email compromise attacks.

After analyzing 360,000 phishing emails over a three-month period, researchers at cybersecurity company Barracuda Networks have detailed the most common lines used in phishing attacks – these subject lines are the most common because it's highly likely they're often the most successful bait for reeling in victims.

According to Barracuda's spear phishing report, by far the most common subject line used in attacks is simply 'Request' – accounting for over a third of all the phishing messages analysed. That's followed in popularity by messages containing 'Follow up' or 'Urgent/Important' in the subject line.

The simple trick attackers are using here is to make potential victims think they need to open and respond to the email as a matter of urgency – especially if the message is designed to look as if it comes from one of their colleagues, or their boss. That could nudge the victim into responding quickly, without thinking, especially if it claims to come from a board-level executive.

The top subject lines according to Barracuda analysis are based around the following key phrases:

  1. Request
  2. Follow up
  3. Urgent/Important
  4. Are you available?/Are you at your desk?
  5. Payment Status
  6. Hello
  7. Purchase
  8. Invoice Due
  9. Re:
  10. Direct Deposit
  11. Expenses
  12. Payroll

'Are you at your desk' uses the trick of familiarity to try and coax victims into falling for the attack, while subjects suggesting the email is part of a previous conversation are also used for a similar goal – to trick the user into trusting the sender.

Many of the most-used subject lines also refer to finance and payments; if the recipient thinks they might lose money if they don't respond, they'll likely jump to it. The same also goes for messages about payments – an employee might think it will look bad if they leave somebody without being paid, especially if the request comes from someone who is their senior.

"Increasingly the social element is becoming the key "attack vector" in cybersecurity attacks. In the past, attackers sent ransomware emails, which actually took over the computer and encrypted the files, asking for a ransom," Asaf Cidon, VP for content security at Barracuda Networks told ZDNet.

"But today, they don't even need to send ransomware. They can simply use social manipulation to get the recipient to send a ransom – which is far cheaper, more effective and harder to detect."

To avoid falling victim to phishing attacks, cybersecurity researchers recommend the implementation of DMARC authentication to avoid domain spoofing, along with the deployment of multi-factor authentication to provide users with an extra layer of protection. Those techniques should be combined with user training and the use of security software.
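A triage pass over incoming mail built on the key phrases listed above, as an added Python example that is not from Barracuda or the original article. The sample messages are constructed, and the check that a "Re:" subject arrives without `In-Reply-To` or `References` headers is an assumption added here as one way to test the "previous conversation" trick. The phrases are everyday words, so a match is a signal to weigh alongside others, not a verdict.

```python
import re
from email import message_from_string, policy

# Key phrases from the list above, with the slash-separated entries split up.
# "Re:" is handled separately as a reply prefix.
KEY_PHRASES = (
    "request", "follow up", "urgent", "important", "are you available",
    "are you at your desk", "payment status", "hello", "purchase",
    "invoice due", "direct deposit", "expenses", "payroll",
)
REPLY_PREFIX = re.compile(r"^\s*re\s*:", re.IGNORECASE)


def normalize(subject):
    """Lower-case and collapse punctuation and whitespace to single spaces."""
    return re.sub(r"[^a-z0-9]+", " ", subject.lower()).strip()


def triage(raw_message):
    """Parse one RFC 5322 message and report subject-line signals."""
    # policy.default decodes RFC 2047 encoded-words in the Subject header.
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))

    # Pad with spaces so phrases match on whole words only.
    padded = f" {normalize(subject)} "
    phrases = [p for p in KEY_PHRASES if f" {p} " in padded]

    # A genuine reply normally carries threading headers set by the mail client.
    claims_reply = bool(REPLY_PREFIX.match(subject))
    has_thread = bool(msg.get("In-Reply-To") or msg.get("References"))

    return {
        "subject": subject,
        "phrases": phrases,
        "unthreaded_reply": claims_reply and not has_thread,
    }


# Constructed sample messages (example.com addresses, no real mail).
SAMPLES = {
    "encoded": (
        "From: ceo@example.com\nTo: ap@example.com\n"
        "Subject: =?utf-8?q?Urgent=3A_Payment_Status?=\n\nPlease confirm today.\n"
    ),
    "fake_reply": (
        "From: vendor@example.com\nTo: ap@example.com\n"
        "Subject: Re: Invoice Due\n\nAs discussed, see attached.\n"
    ),
    "real_reply": (
        "From: colleague@example.com\nTo: ap@example.com\n"
        "In-Reply-To: <constructed-1@example.com>\n"
        "Subject: Re: Follow-up on Q3 expenses\n\nThanks, approved.\n"
    ),
    "benign": (
        "From: office@example.com\nTo: all@example.com\n"
        "Subject: Lunch menu for Friday\n\nSee the kitchen board.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```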



Massachusetts Public Defender System Hit with Ransomware Attack

The Massachusetts Committee for Public Counsel Services (CPCS) is in the process of restoring its systems from backups in the wake of a February ransomware attack. CPCS CIO Daniel Saroff says that the organization’s network was hit with both a Trojan and ransomware. The organization did not pay the ransom. The attack has caused attorneys who work through CPCS’s bar advocate program to miss a payday. A notice on the website as of Monday evening, March 18, says “CPCS’s computer systems have been attacked and are not working properly. We are still representing clients. In addition, there is no evidence that confidential information from clients has been released as a result of these attacks.”

The Massachusetts public defender agency has been unable to access its IT network for weeks, following a cyber attack that forced the shutdown of its email service.

The Committee for Public Counsel Services suffered both a ransomware attack, in which hackers demand money to restore access to data, and a Trojan horse attack in which malicious software is installed on a network, CPCS Chief Information Officer Daniel Saroff told MassLive.

The committee, which employs staff attorneys but also manages the bar advocate program that assigns private lawyers to represent indigent criminal defendants, immediately shut down its servers to prevent further damage, Saroff said.

That has left CPCS unable to pay the bar advocates who handle 80 percent of the public defender caseload in Massachusetts, CPCS told MassLive. CPCS has since cleared the ransomware off its network and is gradually restoring its systems from backup data.

“The comptroller and the courts and executive branch and the legislature have all been extremely supportive of us,” CPCS General Counsel Lisa Hewitt said.

CPCS refused to meet the payment demands made by the hackers, both because the committee had backups of its data and because complying with hackers can leave agencies vulnerable to future attacks, Saroff said.

The agency posted a notice on its website on Feb. 28 saying that its email service was down, but at that time did not publicly disclose the hack.

Saroff said that the organization has hired two consulting firms to assist in the recovery and harden its security. CPCS has not identified any data that was stolen, though that remains under investigation.

CPCS has contacted the Massachusetts Attorney General’s Office and the Office of Consumer Affairs and Business Regulation, as is standard protocol following a cyberattack, the committee told MassLive.

CPCS is working with the state comptroller’s office to speed payment to bar advocates, who have so far missed one payday.

“Our office is aware of this and we are reaching out to gather more information,” a spokesperson for the Office of Attorney General Maura Healey said in a statement.




Wi-Fi 6: Is It Really That Much Faster?

Wi-Fi is about to get faster. That’s great news: faster internet is constantly in demand, especially as we consume more bandwidth-demanding apps, games, and videos with our laptops and phones.

But the next generation of Wi-Fi, known as Wi-Fi 6, isn’t just a simple speed boost. Its impact will be more nuanced, and we’re likely to see its benefits more and more over time.

This is less of a one-time speed increase and more of a future-facing upgrade designed to make sure our speeds don’t grind to a halt a few years down the road.

Wi-Fi 6 is just starting to arrive this year, and there’s a good chance it’ll be inside your next phone or laptop. Here’s what you should expect once it arrives.


Wi-Fi 6 is the next generation of Wi-Fi. It’ll still do the same basic thing — connect you to the internet — just with a bunch of additional technologies to make that happen more efficiently, speeding up connections in the process.


The short but incomplete answer: 9.6 Gbps. That’s up from 3.5 Gbps on Wi-Fi 5.

The real answer: both of those speeds are theoretical maximums that you’re unlikely to ever reach in real-world Wi-Fi use. And even if you could reach those speeds, it’s not clear that you’d need them. The typical download speed in the US is just 72 Mbps, or less than 1 percent of the theoretical maximum speed.

But the fact that Wi-Fi 6 has a much higher theoretical speed limit than its predecessor is still important. That 9.6 Gbps doesn’t have to go to a single computer. It can be split up across a whole network of devices. That means more potential speed for each device.


Instead of boosting the speed for individual devices, Wi-Fi 6 is all about improving the network when a bunch of devices are connected.

That’s an important goal, and it arrives at an important time: when Wi-Fi 5 came out, the average US household had about five Wi-Fi devices in it. Now, homes have nine Wi-Fi devices on average, and various firms have predicted we’ll hit 50 on average within several years.

Those added devices take a toll on your network. Your router can only communicate with so many devices at once, so the more gadgets demanding Wi-Fi, the more the network overall is going to slow down.

Wi-Fi 6 introduces some new technologies to help mitigate the issues that come with putting dozens of Wi-Fi devices on a single network. It lets routers communicate with more devices at once, lets routers send data to multiple devices in the same broadcast, and lets Wi-Fi devices schedule check-ins with the router. Together, those features should keep connections strong even as more and more devices start demanding data.


Unfortunately, there’s no easy answer here.

At first, Wi-Fi 6 connections aren’t likely to be substantially faster. A single Wi-Fi 6 laptop connected to a Wi-Fi 6 router may only be slightly faster than a single Wi-Fi 5 laptop connected to a Wi-Fi 5 router.

The story starts to change as more and more devices get added onto your network. Where current routers might start to get overwhelmed by requests from a multitude of devices, Wi-Fi 6 routers are designed to more effectively keep all those devices up to date with the data they need.

Each of those devices’ speeds won’t necessarily be faster than what they can reach today on a high-quality network, but they’re more likely to maintain those top speeds even in busier environments. You can imagine this being useful in a home where one person is streaming Netflix, another is playing a game, someone else is video chatting, and a whole bunch of smart gadgets — a door lock, temperature sensors, light switches, and so on — are all checking in at once.

The top speeds of those devices won’t necessarily be boosted, but the speeds you see in typical, daily use likely will get an upgrade.

Exactly how fast that upgrade is, though, will depend on how many devices are on your network and just how demanding those devices are.


You’ll need to buy new devices.

Wi-Fi generations rely on new hardware, not just software updates, so you’ll need to buy new phones, laptops, and so on to get the new version of Wi-Fi.

To be clear: this is not something you’ll want to run out to the store and buy a new laptop just to get. It’s not that game-changing of an update for any one device.

Instead, new devices will start coming with Wi-Fi 6 by default. As you replace your phone, laptop, and game consoles over the next five years, you’ll bring home new ones that include the latest version of Wi-Fi.

There is one thing you will have to make a point of going out and buying, though: a new router. If your router doesn’t support Wi-Fi 6, you won’t see any benefits, no matter how many Wi-Fi 6 devices you bring home. (You could actually see a benefit, though, connecting Wi-Fi 5 gadgets to a Wi-Fi 6 router, because the router may be capable of communicating with more devices at once.)

Again, this isn’t something worth rushing out and buying. But if your home is packed with Wi-Fi-connected smart devices, and things start to get sluggish in a couple years, a Wi-Fi 6 router may be able to meaningfully help.


There are two key technologies speeding up Wi-Fi 6 connections: MU-MIMO and OFDMA.

MU-MIMO, which stands for “multi-user, multiple input, multiple output,” is already in use in modern routers and devices, but Wi-Fi 6 upgrades it.

The technology allows a router to communicate with multiple devices at the same time, rather than broadcasting to one device, and then the next, and the next. Right now, MU-MIMO allows routers to communicate with four devices at a time. Wi-Fi 6 will allow routers to communicate with up to eight.

You can think of adding MU-MIMO connections like adding delivery trucks to a fleet, says Kevin Robinson, marketing leader for the Wi-Fi Alliance, an internationally backed tech-industry group that oversees the implementation of Wi-Fi. “You can send each of those trucks in different directions to different customers,” Robinson says. “Before, you had four trucks to fill with goods and send to four customers. With Wi-Fi 6, you now have eight trucks.”

The other new technology, OFDMA, which stands for “orthogonal frequency division multiple access,” allows one transmission to deliver data to multiple devices at once.

Extending the truck metaphor, Robinson says that OFDMA essentially allows one truck to carry goods to be delivered to multiple locations. “With OFDMA, the network can look at a truck, see ‘I’m only allocating 75 percent of that truck and this other customer is kind of on the way,’” and then fill up that remaining space with a delivery for the second customer, he says.

In practice, this is all used to get more out of every transmission that carries a Wi-Fi signal from a router to your device.


Another new technology in Wi-Fi 6 allows devices to plan out communications with a router, reducing the amount of time they need to keep their antennas powered on to transmit and search for signals. That means less drain on batteries and improved battery life in turn.

This is all possible because of a feature called Target Wake Time, which lets routers schedule check-in times with devices.

It isn’t going to be helpful across the board, though. Your laptop needs constant internet access, so it’s unlikely to make heavy use of this feature (except, perhaps, when it moves into a sleep state).

Instead, this feature is meant more for smaller, already low-power Wi-Fi devices that just need to update their status every now and then. (Think small sensors placed around a home to monitor things like leaks or smart home devices that sit unused most of the day.)


Last year, Wi-Fi started getting its biggest security update in a decade, with a new security protocol called WPA3. WPA3 makes it harder for hackers to crack passwords by constantly guessing them, and it makes some data less useful even if hackers manage to obtain it.

Current devices and routers can support WPA3, but it’s optional. For a Wi-Fi 6 device to receive certification from the Wi-Fi Alliance, WPA3 is required, so most Wi-Fi 6 devices are likely to include the stronger security once the certification program launches.


Devices supporting Wi-Fi 6 are just starting to trickle out. You can already buy Wi-Fi 6 routers, but so far, they’re expensive high-end devices. A handful of laptops include the new generation of Wi-Fi, too, but it’s not widespread just yet.

Wi-Fi 6 will start arriving on high-end phones this year, though. Qualcomm’s latest flagship processor, the Snapdragon 855, includes support for Wi-Fi 6, and it’s destined for the next wave of top-of-the-line phones. The Snapdragon 855’s inclusion doesn’t guarantee that a phone will have Wi-Fi 6, but it’s a good sign: Samsung’s Galaxy S10 is one of the first phones with the new processor, and it supports the newest generation of Wi-Fi.

The inclusion of Wi-Fi 6 is likely to become even more common next year. The Wi-Fi Alliance will launch its Wi-Fi 6 certification program this fall, which guarantees compatibility across Wi-Fi devices. Devices don’t need to pass that certification, but its launch will signify that the industry is ready for Wi-Fi 6’s arrival.

