5 Cybersecurity Tips For Small and Medium Sized Businesses



Today, the attention of both IT and business managers in organizations of all sizes is fixed on cybersecurity. The reason is simple: Absolutely no organization is immune to cyber attacks in an ever-growing threat environment.

This is particularly true for SMBs. A recent major study of some 600 SMBs unearthed startling findings that more than half of them had experienced a cyber attack in the last year. The origins of the attacks are many and varied, with Web-based attacks, phishing and general malware topping the list.

Managers at small businesses cannot be blamed for feeling helpless against the threats at a time when huge corporations and even government agencies cannot protect themselves. But the truth is, a few simple, common sense tips can and will go a long way to protecting your small business from attacks that are inevitable.

  1. Deploy a comprehensive password management solution. This has to be high on the to-do list, if not at the top. Why? Because all your employees use passwords. And research shows that, left to their own devices, most employees will do a poor job of proper, effective password management, thus leaving themselves and the business open to attack.

For example, employees routinely use the same password for multiple online accounts. They also use simple, easy-to-remember passwords that are very easy to hack.

Carefully chosen, a password management solution should provide IT and/or the business owner visibility into the password habits and practices of employees.  More importantly, the solution will help enforce correct password hygiene while improving employee productivity.

  2. Training is often the missing link. Cybersecurity awareness training is extremely effective in today’s threat environment. There is no excuse for omitting it in a small business simply because there are fewer employees to train. Training will educate employees on the most common vulnerabilities and attack points. Education should always carry a message of personal accountability so that everyone realizes they have a role to play in securing data and information assets.
  3. Cybersecurity is more than an IT issue. Security is more than just protecting computers and databases. It is about protecting the business. While one person should be responsible for security decisions, delegating cybersecurity in a small business to IT without company-wide support is often a mistake.

It is the business and financial leaders that know what data needs the most protection. Seen this way, cybersecurity is a risk management issue which IT can help address as part of a coalition of company leaders. Security should be tied to business objectives. All this and more is outside the usual purview of IT by itself.

  4. Data, data, who’s got the data? How can any business know if its data is safe if it doesn’t know where data resides and how it is stored? That is often the case today, where various third party and cloud providers store business data for their clients. Always ask, “Where will my data be hosted? Who has access to it? What monitoring is in place to alert me of a breach or unauthorized use? What safeguards are in place to protect me against potential rogue employees at your site?” Also carefully vet the provider’s data encryption policies and procedures. And be sure all your data is encrypted before it is stored in the cloud or anywhere online.
  5. Hackers take the path of least resistance. Often, the path of least resistance for hackers is employee-owned mobile devices. Don’t allow any unencrypted data on mobile phones, whether company-owned or BYOD. Device-based security policies, like those requiring that encryption be enabled at all times, can prevent illicit network access.

Remember: Solutions for complex security challenges don’t have to be complex.

Building a Strong Cybersecurity Posture with Personnel, Technology, and Education


Written by Guest Blogger, Patty Brogdon


When it comes to cyber threats, it is no longer sufficient to throw technology at the problem, as had been the practice a decade ago. Organizations today are increasingly aware that combining a multi-tiered approach to security is the best bet in keeping their critical assets protected against theft. Here are the top 3 initiatives to keep in mind while building your organization’s cybersecurity posture.


Hiring and retaining personnel skilled in cybersecurity is one of the top drivers for most organizations today. In fact, C-Level IT executives reported that “security is among the top technology initiatives driving IT investment (29%), nearly equal with cloud computing (30%) and big data/business analytics (27%),” according to the 2016 State of the CIO report from CIO.com.

Since the industry is predicting a shortage of IT security personnel, it is imperative that organizations focus their efforts on hiring the best and the brightest – but that may be a daunting feat. According to Computerworld’s 2016 IT Salary Survey, there is a severe talent shortage: 23.2% of security pros (12.3% of all IT pros) said that they think the IT talent shortage is the biggest challenge facing the IT industry. Taking steps now to focus on attracting and hiring the best security personnel could go a long way in helping your security efforts down the road. And once you attract that top talent, be sure to pay them a salary commensurate with what the industry is paying.


Technology in the security space is one of the fastest growing sectors, as new technology is constantly being pushed out to address the latest threat. But be careful here – you don’t want a “patch-work quilt” for your cybersecurity posture; i.e., don’t just throw technology at a problem, make sure that you take a holistic approach to the technology you deploy.

For example, upgrading your traditional firewall with a Next Generation Firewall (NGFW) that has IDS/IPS, malware detection, and sandboxing might be a more strategic move than adding additional equipment to do those functions.


Educating your employees on security best practices is vital to the health of your organization’s security posture. Yet, most organizations do not have programs and training in place to educate employees on a consistent basis. This can (and does) have dire consequences.

Phishing attacks, where a hacker disguises themselves in an email designed to look legitimate, enticing a user to click on a link that contains malware, are numerous. And they aren’t going away any time soon – simply because they work so well. According to the Ponemon Institute’s 2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB), phishing/social engineering (43 percent of respondents) was the most common type of cyberattack.

Educating employees and users on password best practices is another significant way you can protect your organization from malicious intruders. According to Verizon’s 2016 Data Breach Investigations Report (DBIR), “63% of confirmed data breaches involved exploiting weak, stolen or default passwords.” It is easy to see why – most users are so overwhelmed by the many passwords they must keep track of on a daily basis, they choose something simple that they can remember. And simple means hackable.

While educating users on proper password hygiene is a must, you can supplement this education and training with a password management solution. Password management solutions can help to enforce password policies, improve employee productivity and enhance your business’s overall security posture.

10 Reasons Why Password Management Is Essential for Any Size Business



Password management software is great for consumers, but why is it essential for businesses?  The answer is simple. Knowing that a single breach of a corporate network can have consequences that affect the entire business and everyone who works for it means password management is more important today than it’s ever been.

Password management software stores passwords securely so users don’t have to worry about remembering them. Here are 10 reasons why every business should make this software part of its security toolkit.

  1. People won’t use strong passwords voluntarily.

No one likes to create new passwords, so people tend to go with simple options that are easy to remember. Unfortunately, that also makes them easy to guess. Today’s password-cracking software quickly cycles through common patterns and can even be customized to incorporate known information about the user. Passwords that were considered secure five years ago are easy targets today.

  2. People aren’t good at creating strong passwords.

A password isn’t considered secure unless it is at least 12 characters long and contains a random combination of numbers, symbols, uppercase letters and lowercase letters. Few people have the patience or skill to create unique passwords of that complexity for each account, particularly if they have to memorize them. Password managers have algorithms that automatically generate secure passwords and store them securely so users don’t have to remember.

  3. People use the same passwords repeatedly.

This is an understandable but also a dangerous practice. No one can remember dozens of unique passwords, so people tend to use the same ones again and again. That can be catastrophic in a business environment. It means that a single password compromise can open the gates for intruders to log on to multiple services, stealing information from each one along the way. Using a password management program ensures that users can easily apply different passwords to each service thus limiting the damage should any one of them be compromised.  In addition, password management solutions can monitor password usage and alert management and the employee when good password hygiene is not being practiced.

  4. Lost passwords are a major time sink for help desks.

Experts recommend against storing passwords in unencrypted files or on paper notes, which means that users must commit them to memory. Not surprisingly, people forget. That’s why Gartner has estimated that up to 50% of helpdesk calls are for password resets at some companies, with an average cost-per-reset of about $70, according to Forrester Research. You can imagine how quickly those costs add up.

  5. Password changes are easily recorded.

Many online services ask their customers to regularly change their passwords. This is a sound security practice. Unfortunately, it also creates the need for users to note those new passwords somewhere. Some will invariably fall through the cracks. Password managers help employees manage password changes and updates.

  6. Browser-based password management isn’t secure.

Most browsers today have a built-in basic function that offers to remember passwords. The problem is that browser-based solutions typically don’t have a strong focus on security. Without a password management policy, many users will default to using whatever the browser offers, leaving their credentials effectively out in the open.

  7. Password managers protect against phishing attacks.

Phishing attacks are one of the most effective ways cyber criminals steal login credentials. Phishing emails appear to come from legitimate services but actually direct recipients to bogus login screens set up solely to capture their passwords. Most people are prone to phishing attacks, but password managers aren’t. If the domain name doesn’t match the record within the password manager, it won’t serve up a password.

  8. Password managers can sync to the cloud.

People need to log in to services from a wide range of devices, including desktop computers, phones, tablets and even public computers. There is no reliable, convenient or secure way to carry those credentials around other than by using a password manager. Quality products provide apps for all major mobile platforms as well as desktop and website access.

  9. They support multi-factor authentication.

Two-factor authentication (2FA) requires users to supplement passwords with a second form of identity, such as the answer to a challenge question or a PIN code sent to their phone. Leading password managers provide various two-factor authentication methods, which will add an extra layer of protection for everything stored in your password manager.

  10. You can monitor compliance and spot problems.

The best password policies in the world are of no use if people ignore them. Enterprise password management systems give IT departments visibility into their employees’ password practices so administrators can identify and resolve non-compliant behavior. A single compromised password can lead to disaster. With audit and reporting controls, that need never happen.

Consider how many of these scenarios apply to your business.

4 Best Practices to Strengthen Security Through Employee Awareness and Education


Security managers clearly understand the consequences of poor information security practices, but they often find it difficult to change employee behavior. Employees typically see security as a nuisance and as a result take the path of least resistance.

Making security a top of mind issue for employees involves a combination of education and behavior modeling. Here are some approaches you can use to raise awareness.

  1. The media reports on major breaches almost daily. Make sure your employees see these reports and understand the consequences of poor security practices. Publish a regular email newsletter listing the most recent incidents and include advice on good security practices.
  2. Communicate the importance of security in as many vehicles and as many times as possible. Send a quarterly reminder under the name of your CEO or CIO. Post best practices and lists of the worst passwords in common areas like coffee stations and near restrooms.
  3. Top executives set the standards for their organizations, so make sure they are on board with your security awareness initiatives. Annual reports and meetings on the health of the business should include updates on the company’s security progress. Ask top executives to kick off your security seminars.
  4. You should consider rewarding employees who attend security training, change passwords when requested, and share news and advice on your intranet. Financial rewards are not necessary; a simple certificate or newsletter recognition is enough.

Security Update for Keeper Browser Extension


by Craig Lurey, CTO at Keeper Security, Inc. – August 26, 2016

Keeper holds the security of our customers and their data as our highest priority.  To mitigate the possibility of an online clickjacking attack during a browser session, we have updated our Keeper Browser extension.  We have made two security enhancements based on the analysis provided by Tavis Ormandy, a highly-respected security analyst at Google.

Yesterday, we received a report regarding this potential security risk.  It related to a security threat that could potentially be exploited by a clickjacking attack using an on-page feature of the browser extension.  In this scenario, a malicious website with intent to attack the extension could entice a user to click on the Keeper lock icon and take advantage of our “Search” feature with the goal of attempting to extract a credential from the vault.

We immediately addressed and resolved this potential vulnerability by removing the “Search” and “Add to Existing Record” features from the on-page browser extension user interface as seen below:


Removing the Search feature



Removing the “Add to Existing Record” feature


This change has been published on the Chrome, Firefox, Safari and IE extension and will automatically update for all users.

If you have any questions about this extension update, please contact support@keepersecurity.com.

8 Most Common Password Mistakes to Avoid


A friend recently told me a scary story about why he changed the password on his account with one of the leading online securities trading firms. He was perusing his six-figure portfolio when it occurred to him that he hadn’t changed his password in a while. Quite a while, it turned out; about nine years.

He was further dismayed to realize that the password he had been using all that time – the name of a beloved pet followed by a single number – could probably be guessed by anyone who followed him on social media. For a sophisticated password cracking program, guessing it would be a layup.

Surprisingly, many online services don’t regularly challenge customers to change their passwords, despite the fact that password-cracking technology has advanced by leaps and bounds. Bad guys now follow their victims on social networks to mine keywords that they feed into malicious programs that use machine intelligence to test variations until the door is unlocked. A small fortune may be protected by the cyber security equivalent of tin foil.

No one likes passwords, but they are more important than ever these days. And the ones that worked for you five years ago are probably useless today. If your money, health records or any other personally identifiable information (PII) is at stake, you owe it to yourself to use a secure, random code that a machine can’t guess. As you go about resetting your passwords, avoid these eight common mistakes.

  1. Using the same password everywhere

The easiest way to remember a password is to use only one, but that’s also the fastest route to disaster. Once a successful phishing attack captures that password – and studies have found that as many as 97% of people can’t detect a phishing email – the attacker essentially has the keys to the kingdom. While it’s probably okay to use the same password for sites that don’t store any PII, you should use different and secure passwords in any situation where your identity or financial information could be compromised.

  2. Varying passwords with a single character

This is a trap many people fall into when asked to change their passwords; they comply by changing a “12” to a “13.” Password-guessing programs are wise to this trick and can sniff it out in seconds.

A variation of this dangerous practice is to include a non-alphanumeric character by tacking “!” onto the end of your existing password. That’s the oldest dodge in the book, and password crackers are wise to it. Non-alphanumeric characters should be used within the password, not at either end.

  3. Using personal information in passwords

Avoid using names of relatives, celebrities, sports teams, pets or any other common terms in your passwords. Cracking software automatically looks for the most common combinations like Yoda123. Don’t think that you can protect yourself by invoking personal information like the name of a loved one or your high school mascot. Social networks make it straightforward for crooks to harvest that information.

You also shouldn’t assume that adding a string of characters to a common name is protection enough. Password crackers know this trick and cycle through combinations of common names and numbers until they hit the right one. The only safe password is one with random – or seemingly random – sets of characters.

  4. Sharing passwords with others

You might have the strongest password in the world, but if you share it with someone who stores it in an email account protected by “qwerty,” it won’t make a bit of difference. Your passwords are for your eyes only.

  5. Using passwords that are too short

A decade ago, a five- or six-character password was enough to beat most cracking programs, but computers are so much faster now that a six-character password can be guessed by a brute-force attack. Think 12 characters at a minimum.

  6. Storing passwords in plain text

One easy way to remember passwords is to store them in a spreadsheet or mail them to yourself. Bad idea. Have you heard of ransomware? It’s the fastest-growing category of malware. Criminals hold your data hostage until you pay them a ransom. In the meantime, they scour your hard drive looking for anything that resembles a password list. Once they find it, the ransom payment is the least of your problems.

  7. Using recognizable keystroke patterns

“1qaz2wsx” may seem like a pretty tough password to guess until you look at your keyboard and notice the pattern. A random series of letters and numbers must be truly random to have a chance.

  8. Substituting numbers for letters

This used to be an effective technique, but “Spr1ngst33n” doesn’t survive a determined attack any more. The software is on to that trick.

Your best bet is to use a password manager protected by strong encryption. The best ones generate secure passwords for you and give you total protection with two-factor authentication.

Keeper for DevOps: More Than Just Passwords


By Craig Lurey, CTO & Co-founder of Keeper Security

Keeper is awesome for DevOps teams. Back when we first created Keeper, our goal was to build a digital vault that was ultra secure but also easy to access and use. Website passwords are just one of many types of sensitive information that Keeper can protect.

Unlike other password managers, Keeper is focused on the secure storage and management of all types of private, highly sensitive data – passwords, SSH keys, SSL Certificates, RSA Keys, server logins, confidential notes, top secret files/photos/videos and anything else you need to protect.

We offer a few different ways of storing content outside of Usernames and Passwords. You can use Custom Fields, File Attachments and Secure Notes.



Custom Fields

Custom Fields are a powerful feature for saving information in your Keeper vault without being forced into a predefined template. Just add a custom field, name it (or select a previously used field) and save it. For example, you could create custom fields on the fly called “AWS Access Key” and “AWS Secret Key” to store your Amazon AWS credentials. You can also create custom fields that contain the complex command-line utilities that you and your DevOps team use.



File Attachments

Another way to store information in the Keeper Vault is the Secure File Storage feature. Simply drag and drop an SSH key or certificate file into the record in your Desktop App or Web App. Keeper instantly encrypts the file and stores it in your vault. It is then synced to your other devices and computers with complete end-to-end encryption.



Secure Notes

It’s quick and easy to create a record in your vault and add text notes. For example, you can add a note with instructions on how to log in to a server remotely, or other multi-line content that is too sensitive to be checked into a source code repository.



Sharing Private Keys

Within a DevOps team, it’s important to be able to share private keys and other access credentials with the highest levels of security but with convenient, on-demand access. Keeper can be used to securely and easily share confidential data.  When you share information from within the Keeper system, your information is protected by the highest level of encryption and an impenetrable zero-knowledge architecture.   



Simply click on the “Share” button from your Keeper vault record and type in the Keeper email address of the person you are sharing with. If you are a Keeper Business customer, you can also share to an entire team with one click.  Full access rights (view, edit, share) can be assigned per-user or per-team.


It’s also really easy to add vault records into a shared folder.  Shared folders give teams the flexibility to just add a record into a folder and everyone receives it instantly and securely.



Zero Knowledge Security

Keeper is the only zero-knowledge solution in the industry.  This means that we do not have access to ANY of your data, the encryption keys that decrypt your data, your files, or your master password.  It’s critical that you use a zero-knowledge platform to store data which could cause irreparable harm to your business or personal life.

Zero Knowledge is a system architecture that guarantees the highest levels of security and privacy by adhering to the following principles:

  1. Data is encrypted and decrypted at the device level (not on the server)
  2. The application never stores plain text (human readable) data
  3. The server never receives data in plain text
  4. No employee or intermediary can view the unencrypted data
  5. The keys to decrypt and encrypt data are derived from the user’s master password
  6. Multi-Layer encryption provides access control at the user, group and admin level
  7. Sharing of data uses Public Key Cryptography for secure key distribution

Data is encrypted on the user’s device before it is transmitted and stored in Keeper’s digital vault. When data is synchronized to another device, the data remains encrypted until it is decrypted on the other device.

Keeper is the most secure, certified, tested and audited password management and digital vault in the world. We are the only SOC2 certified password management solution in the industry and certified by TRUSTe for online privacy. Not only do we implement the most secure levels of encryption, we also adhere to very strict internal practices that are continually audited by third parties to help ensure that we continue to develop secure software.  Detailed information about our Zero-Knowledge security platform can be found at https://keepersecurity.com/security.html.

New Release Available for Download: Keeper for Desktop V10



Keeper’s engineering teams are working around the clock to provide you with the strongest experience on all major platforms and devices. Today, we’re excited to bring you the latest version of Keeper Desktop.

Keeper Desktop is a cross-platform password manager and digital vault providing encrypted storage and seamless cloud synchronization on Windows, Mac and Linux.  

This new version delivers:

  • UI refinements and enhancements
  • Performance enhancements including faster login, searching and syncing
  • Support for multi-select drag and drop for shared folders
  • Support for Keeper Business enforcements including master password strength and expiration, mandatory two-factor authentication and cloud backup

Download Keeper Desktop 10 Now

The Keeper 10 Quick Start Guide can be found here

Please contact our support team at support@keepersecurity.com if you have questions.

Protect and Preserve Your Family Legacy with the Keeper Family Plan


In an increasingly digital world, families everywhere struggle to keep track of passwords, files, documents and other sensitive information. Families share nearly everything – files, photos, videos, Internet accounts, security system codes and personal identification numbers.

Reusing simple, easy-to-remember passwords is a huge problem. In fact, more than 60% of cyber breaches occur due to weak or stolen passwords. Hackers target everyone from young adults to the elderly, stealing their identities, money and digital assets.


Introducing the Keeper Family Plan

You can now protect your whole family (up to 5 people) for one low price of $59.99/yr. Keeper Family Plan secures passwords, private files, photos and videos and lets you securely store and share these between family members with ease.


Keeper Family Plan includes the following benefits:

  • Up to 5 users with private vaults
  • Unlimited password storage
  • Unlimited devices + sync
  • Unlimited secure cloud backup
  • Unlimited secure record sharing
  • 10GB Secure File Storage
  • Fingerprint login
  • Web app
  • 24/7 support


Upgrading your existing Free or Paid plan is quick and easy – Sign Up Now!

Customer Survey: Keeper for Business Takes Less Than an Hour to Deploy (Infographic)


The effectiveness of security technology depends on whether it’s being adopted by users, yet it’s rare to see a security solution that offers a fast time-to-security and ease of use. We surveyed a variety of Keeper for Business customers and found that on average, Keeper for Business takes less than an hour to deploy.


See the infographic below (click to expand):

Keeper Deployment Infographic


Learn more about Keeper for business at https://keepersecurity.com/business