Friday, May 18, 2018

You're Fired! Now Give Me Your Password

 
 

"You're FIRED!" ( now give me your password)

Losing an employee is not usually a good experience. If they leave voluntarily, you lose a valuable asset. If they have to be fired, you have the arduous task of the progressive discipline process and the final termination meeting. But there are other concerns that arise when an employee leaves. Those concerns are security and their access to company data.

 
Here are some considerations regarding passwords and voluntary termination (A.K.A. resigned) or involuntary termination (A.K.A. fired.) It is important you have a process in place so that whenever a termination occurs, nothing slips through the cracks regarding corporate data security.
  1. When you dismiss an employee, you should immediately change out all passwords for anything the employee had access to. Because almost all terminations should be planned, you should also define the process for canceling access. It is unwise to cancel prior to the termination meeting. If you do that, you create the potential for a confrontation when they arrive at work and find their passwords have been disabled. Instead, plan ahead and assign someone to disable their passwords during the time you are having the termination meeting. Before the meeting, be sure you have a list of all access cards, keys, etc. prepared so they can be cancelled before the employee leaves the building.
  2. Voluntary terminations ­- Different firms have different policies handling resignations. Depending on the specific position, an employee will be permitted to continue working during their 2 week notice period. In that case, you need to consider if there is any possibility the employee might get up to no good during the final days. That is something only you can judge.
In some cases, firms will ask an employee to leave the facility immediately. In that case, you need to have a plan in place. You need to have a list available of all of the restricted systems to which they have access for when this situation arises. The employee should not leave the building until all of their access has been canceled.

This all may seem a bit harsh, but things have changed. 30 years ago, for a disgruntled employee to steal files, they'd be carrying out large boxes of file folders. Now, not only can they empty the building onto a thumb drive, they can take nefarious action that wasn't possible when data was stored on paper.

Friday, May 11, 2018

IT Defense in Depth Part II

 
 

Defense in Depth Part II

In our last blog we started talking about the different layers of security necessary to fully defend your data and business integrity. Today we will look at the human aspect of it, and network defenses. The human layer refers to the activities that your employees perform. 95% of security incidences involve human error. Ashley Schwartau of The Security Awareness Company says the two biggest mistakes a company can make are "assuming their employees know internal security policies: and "assuming their employees care enough to follow policy".

 
Here are some ways Hackers exploit human foibles:
  • Guessing or brute-force solving passwords
  • Tricking employees to open compromised emails or visit compromised websites
  • Tricking employees to divulge sensitive information
 

For the human layer, you need to:

  • Enforce mandatory password changes every 30 to 60 days, or after you lose an employee
  • Train your employees on best practices every 6 months
  • Provide incentives for security conscious behavior.
  • Distribute sensitive information on a need to know basis
  • Require two or more individuals to sign off on any transfers of funds,
  • Watch for suspicious behavior
 

The network layer refers to software attacks delivered online. This is by far the most common vector for attacks, affecting 61% of businesses last year. There are many types of malware: some will spy on you, some will siphon off funds, some will lock away your files.

However, they are all transmitted in the same way:

  • Spam emails or compromised sites
  • "Drive by" downloads, etc.
 

To protect against malware

  • Don't use business devices on an unsecured network.
  • Don't allow foreign devices to access your wifi network.
  • Use firewalls to protect your network
  • Make your sure your Wi­Fi network is encrypted.
  • Use antivirus software and keep it updated. Although it is not the be all, end all of security, it will protect you from the most common viruses and help you to notice irregularities
  • Use programs that detect suspicious software behavior
 

The mobile layer refers to the mobile devices used by you and your employees. Security consciousness for mobile devices often lags behind consciousness about security on other platforms, which is why there 11.6 million infected devices at any given moment.

There are several common vectors for compromising mobile devices

  • Traditional malware
  • Malicious apps
  • Network threats
 

To protect your mobile devices you can:

  • Use secure passwords
  • Use encryption
  • Use reputable security apps
  • Enable remote wipe options.
 
Just as each line of defense would have been useless without an HQ to move forces to where they were needed most, IT defense-in-depth policy needs to have a single person, able to monitor each layer for suspicious activity and respond accordingly.


    Friday, May 4, 2018

    IT Defense In Depth Part I

     
     
    In the 1930s, France built a trench network called the Maginot Line to rebuff any invasion. The philosophy was simple: if you map out all the places an enemy can attack, and lay down a lot of men and fortifications at those places, you can rebuff any attack. The problem is, you can't map every possible avenue for attack.
     
    What does this have to do with IT security? Today many business owners install an antivirus program as their Maginot Line and call it a day. However there are many ways to get into a network that circumvent antivirus software.
     
    Hackers are creating viruses faster than antivirus programs can recognise them (about 100,000 new virus types are released daily), and professional cybercriminals will often test their creations against all commercially available platforms before releasing them onto the net.
     
    Even if you had a perfect anti­virus program that could detect and stop every single threat, there are many attacks that circumvent anti­virus programs entirely. For example, if a hacker can get an employee to click on a compromised email or website, or "brute force guess" a weak password, all the antivirus software in the world won't help you.
     
    There several vulnerabilities a hacker can target: the physical layer, the human layer, the network layer, and the mobile layer. You need a defense plan that will allow you to quickly notice and respond to breaches at each level.
     
    The physical layer refers to the computers and devices that you have in your office. This is the easiest layer to defend, but is exploited surprisingly often.
     
    Here are a few examples:
    • Last year 60% of California businesses reported a stolen smartphone and 43% reported losing a tablet with sensitive information.
    • The breaches perpetrated by Chelsea Manning and Edward Snowden occurred because they were able to access devices with sensitive information.
    • For example, Comptia left 200 USB devices in front of various public spaces across the country to see if people would pick a strange device and insert into their work or personal computers. 17% fell for it.
    For the physical layer, you need to:
    • Keep all computers and devices under the supervision of an employee or locked away at all times.
    • Only let authorized employees use your devices
    • Do not plug in any unknown USB devices.
    • Destroy obsolete hard drives before throwing them out
    Next time in Part II, we will talk about the human and network layers of security.

    Friday, April 27, 2018

    Data Security: A People Problem

     
     

    Phishing Scams – A People Problem

    There are some things that only people can fix. There are many security risks to which your data is susceptible, but there is one method that remains a wonderfully effective hacking tool. That is the phishing scam. This is a legitimate looking email that asks the reader to click on a link. If clicked, the link can infect the user’s computer with malicious software that can steal passwords, logins, and other critical data. Alternatively, the email appears to be from a legitimate source, perhaps even duplicating a legitimate webpage. The distinction is that the phishing email asks the user to enter personal information, including passcodes. In either case, that is how hackers easily get into your systems.

     
    What's the best defense against this one? The single biggest defense is education. Training your people to be constantly wary of all the emails they receive. One way some firms are educating their people is by sending out their own "fake" phishing scams. Employees who click on the link inside are greeted with a notice that they've fallen for a phishing scam and then are offered tips how not to be fooled in the future. Think of it as the hi­-tech version of Punk'd.
     
    You may not be ready to go that far, but it is important to provide ongoing training to all of your staff about phishing scams. Your staff are all critical factors in your data security plans.

    Friday, April 20, 2018

    What is Ransomware and How Can it Affect Your Business?

     
     
    This cyberattack scheme hasn't garnered nearly as much attention as the usual "break-in-and-steal-data-to-sell-on-the-Internet version," but it can be even more debilitating. Ransomware attacks have begun appearing in the last few years and its practitioners are so polished that in few cases they even have mini­call centers to handle your payments and questions.
     
    So what is ransomware? Ransomware stops you from using your PC, files or programs. The business model is as old as the earliest kidnapping. They hold your data, software, or entire PC hostage until you pay them a ransom to get it back. What happens is that you suddenly have no access to a program or file and a screen appears announcing your files are encrypted and that you need to pay (usually in bitcoins) to regain access. There may even be a Doomsday-style clock counting down the time you have to pay or lose everything.
     
    Interestingly, one of the more common "market segments" being targeted in the US has been public safety. Police department data is held hostage, and in many cases, they have given up and paid the ransom. They had little choice. They aren't the only ones. A hospital in Southern california also fell prey, as did one in Texas.
     
    Ransomware can be especially insidious because backups may not offer complete protection against these criminals. Such new schemes illustrate why you need to have a professional security service that can keep you up to date on the latest criminal activities in the cyber world. Talk to an MSP about possible protections against ransomware.


    Friday, April 13, 2018

    Data Breaches are a Question of When, Not If

     

    You hear on the news all of the time about big cyber attacks on large corporations, and even government agencies. The trouble with this news coverage is that is suggests a distorted view of where cyber attacks are taking place. These attacks are not solely hitting large organizations. Small firms represent a significant portion of those who face cyber attacks. Being small by no means keeps you immune. In fact, small firms can be used as conduits to larger organizations. That is likely what happened in the case of Target Corporation back in 2013
     
    If  you're a small business, then you're a target for cyber criminals. Last year, 71% of small to medium size businesses were the victims of cyber attacks.
     
    Today's concern is how you would respond to an attack. 31% of small to medium businesses do not have a plan of action for responding to IT security breaches, and 22% admit that they lack the expertise to make such a plan. A data breach is disastrous.
     
    Your response determines whether it's a survivable disaster. You need to have a statement for customers ready, (47 states require businesses to disclose data breaches), you need to be able to quickly access backups, and you need access to professionals with experience in disaster recovery and business continuity.

    Friday, April 6, 2018

    Penetration Testing vs. Vulnerability Testing Your Business Network

     
     

    Hearing “all of your confidential information is extremely vulnerable, we know this because...” is bad news, but whatever follows the ellipses determines just how bad. Consider two scenarios.

    1. “All of your confidential information is extremely vulnerable... we know this because a hacker took all of your customers’ credit card info and locked all of your files behind ransomware.”

    2. “All of your confidential information is extremely vulnerable...we know this because we did a vulnerability scan of your network, and have some suggestions on how you can improve.” 61% percent of small businesses are victimized by cyber attacks each year, and one in five victims do not survive. It is financially worthwhile to make sure that you end up being the person hearing the latter sentence.
    Scenario 2 describes the statement after you have had a vulnerability test conducted. A vulnerability test is a comprehensive audit of security flaws that a hacker could exploit, and the possible consequences. This is the equivalent of a doctor giving a physical examination. This information will allow you to know what your risks are and plan your security policies accordingly.
     
    Vulnerability tests should be conducted quarterly, and can be done by in-house IT or outside consultants.They should be done quarterly, or whenever you are incorporating new equipment into your IT network.
     
    What is a pen-test: A pen-test is a simulated attack on a network to test the strength of its security. Usually, the pen-tester will have a specific objective (e.g. “compromise this piece of data...) A vulnerability scan tells you “what are my weaknesses?” and pen­test tells you “how bad a specific weakness is.”
     
    How often should you pen-test: Different Industries will have different government mandated requirements for pen­testing. One of the more broad reaching regulations, the PCI DSS, for example, requires pen-testing on an annual basis. However, it is prudent to go beyond the legalminimum. You should also conduct a pen-test every time you have
    • Added new network infrastructure or applications,
    • Made significant upgrades or
    • Modifications to infrastructure or applications,
    • Established new office locations,
    • Applied a security patch
    • Modified end user policies.

    Friday, March 16, 2018

    Humans cause so much trouble

     
     
    Have you been focusing on software packages and anti-virus tools to protect your data from hacking? That may not be enough, because it overlooks one of the biggest causes of security breaches. All of the security software and expertise in the world is useless if you or your employees don't remain vigilant about their behavior as it relates to hacking scams and data security. Human error remains the biggest cause of security breaches and data loss at almost all companies, large or small.

    We just can’t remind you enough that you need to develop a culture of security among all of your employees. Changing passwords frequently, not sharing passwords, and learning to recognize and avoid opening nefarious emails are the top three lessons you need to reinforce with your employees. And don’t make it a once-in-a-while memo, make it part of your office culture, with ongoing reminders, links to articles explaining phishing scams, and routine reminders to change passwords. Contact your MSP if you’d like to learn more techniques to educate your employees about their data security responsibilities.

    Friday, March 9, 2018

    The most boring topic Ever

     
     
    Yes, today’s blog is about office phone systems. You have one. They are dull, necessary, and no one wants to deal with them. They need to be re-configured for new employees, they’re confusing, and the telco lines probably cost you more money than you'd like.

    Like everything else, office phone systems began transitioning to fully online/digital well over a decade ago. The proper term is “ Voice over Internet Protocol” or "VoIP." In a practical sense, it means that your phone lines are no longer coming in over traditional, “plain old telephone” lines, or other standard protocols from the 1960s to the 2000s. Instead, voice signals are now being carried to your phone from the telco via the internet, such as your broadband connection.
     
    Why do this? There are a few simple benefits.
    1. You cut the higher landline charges, especially for international calls
    2. Old fashioned systems are becoming obsolete, and parts aren't available
    3. You don't need 2 separate cabling systems anymore. One for telco, one for internet is no longer necessary.
    4. They rely less on hardware to do the job, so reconfiguring for a new employee or a major office shift is much, much easier. It is now a software change, not a hardware issue.
    5. Your employees are no longer tied to the phone at their desk. VoIP allows integration with mobile devices.
    This is just a quick summary, but it gives you a starting point for understanding why most firms are moving to VoIP systems and abandoning the old traditional PBX and key systems of an earlier era.


    Friday, March 2, 2018

    The Cloud: what do you get?

     
     
    The cloud refers to using off site computing resources and storage to supplement or even replace the use of on-site/in-house resources. Instead of buying hardware and software to support your business, you are basically outsourcing this set of tasks.

    There are 4 benefits for the small firm and today we will look at the first 2.

    Elasticity - With onsite computing, if you need additional capacity you have no choice but to purchase that capacity in discrete steps, which means bearing the costs of being over-capacity for a period of time until growth catches up. Onsite computing also means you must have the capacity to handle your own peak computing and storage demands, and resources may go underutilized much of the time. The cloud allows complete elasticity in the utilization of computing resources. You buy only what you need, as you need it. You can grow or downsize as the business demands.

    Pay as you go - On-site hardware involves significant capital expenditures. The cloud allows you to pay for only what you use. The cloud also allows you to benefit from economies of scale that aren't available using the in-house model. Labor, equipment and maintenance expenses are shared across a vast pool of users.

    In the next few weeks, we’ll return to this subject to look at other ways the cloud brings efficiencies to your technology infrastructure that you could never achieve on your own.

    Friday, February 23, 2018

    What the cloud means for you–Part II

     
     
    Recently, we talked about ways the cloud brings value, business protection, and economies of scale to the smaller firm that they could never achieve by themselves. Today, we look at a final benefit of the cloud.

    Protection against on-site disaster - If a disaster strikes your physical business location, on-site resources can be damaged, destroyed, or become inaccessible for a period of time. Even if it isn't a major disaster, if you have a failed server your business could be down for an extended period. When everything occurs in the cloud, you are vaccinated against this type of business calamity. You can still access and use computing resources from anywhere.

    In summary, left entirely on its own a small firm just does not have the resources and capital to fully support its own technology infrastructure. The cloud turns that upside down, enabling firms to enjoy the benefits of a fully supported tech foundation without levels of expenditures that are just not feasible for smaller operations.

    Friday, February 16, 2018

    The Cloud means no more stormy weather

      
     
    Many small firms are pretty busy handling their own business, and don’t give much thought to what they would do if a natural disaster from a bad snowstorm to much worse hit their physical location and cut power, or physical access to the building. What if the equipment storing all of your data and software needed to run day to day operations became inaccessible? What would happen to your ability to continue to serve your clients or customers?
     
    Though we call it the cloud, with images of gray skies and rain, the cloud can be a ray of sunshine. It is an excellent and cost effective resource for smaller firms to make sure they maintain 24/7 access even in bad weather. Because everything is maintained off site, you can (1) bypass disruption or damage that may have occurred at your physical site, and (2) access what you need to keep your business functioning from any remote location.

    Small firms need to realize they are most vulnerable to business disruptions, as they have less capital and fewer resources to carry them through a bad period. The cloud represents a simple and value driven resource to address business continuity issues that could turn a small firm's business upside down.

    Friday, February 9, 2018

    Your front door is talking

     
     
    If you've been following the news, the Internet of Things is getting increasing attention. You’re probably also thinking this is some Silicon Valley fancy thing that will take years to reach the rest of us.
     
    Not really. You probably already have some items of your own tied into the Internet of Things.
     
    First of all, what is the I of T? Simply, it is any object that collects data about itself or its surroundings, and then transfers that data across a network to some other object, which can then make use of that data. For example, if you have a baby monitor that sends crib pictures from upstairs to your phone, you're tied into the I of T.
     
    But what about business people? Where is it showing up in the workplace? You may have security cameras tied to a network where they can be monitored by a PC or phone. A front door lock that can be remotely opened via phone. A thermostat that can changed by the same phone. Internal lights that go on when you phone approach. All of these are part of the Internet of Things.

    If you have questions about whether being tied into I of T presents a data security issue or hacking threat, you should contact a service consultant to discuss these issues. Headlines are now appearing about hacking into the I of T for nefarious purposes. It is a good idea to stay ahead of the curve because as a business, data security is a revenue-critical issue. Seriously, you don't want the front door telling someone your client’s private data.



    Friday, February 2, 2018

    NPO’s and volunteer security nightmare

     
     
    Not-for-profits have an unusual issue regarding security. Firms that have trained, paid full-time employees have a strong level of control over the actions of their workers. NPOs, however, may rely heavily on volunteers whose time in the office may be minimal and sporadic. You may feel grateful for their dedication and be less likely to subject them to rigid security training. Also, a threat of punishment for those who make inadvertent errors that create security risks isn't going to be acceptable in the “volunteer” environment.
     
    Though it may seem a waste of precious volunteer time, you need to consider implementing ongoing training and reminders to all volunteers about what they can do to protect your data and digital infrastructure. The 2 most common human errors are falling for phishing scams and bringing storage devices to your office and introducing them to laptops and other devices. Think of the volunteer who creates a brochure for you in their home office, then downloads it to your office PC. This is an excellent backdoor for a virus or malware to break into your infrastructure.
     
    Remind your volunteers on a consistent basis that no outside storage devices are to be brought into the office for use on the NPO’s equipment. Secondly, provide training on how to recognize phishing scams and the risks of opening unfamiliar emails and links. Finally, for volunteers who work from home, consider using safe shared software platforms like Google Drive or Microsoft 365.

    Friday, January 26, 2018

    Security and your sub-contractors

     
     
    So you feel relatively comfortable that you have created cyber security around your data and your employees are trained to avoid security errors in their day-to-day business ( a MAJOR source of security breaches, by the way.) However, you may be overlooking one area where you are exceptionally vulnerable. What protection do you have from those you do business with? If you are a manufacturer, for example, you may have several vendors who provide components and raw materials. How careful are they about data security? Smaller producers and service providers may perceive themselves as not being a likely hacker target, which is incorrect. Small firms are significant targets for data hacking because they have access to larger firms. They can provide a “digital backdoor” to the firms they sell to.
     
    You need to work closely with all of your vendors to ensure that they are as serious about protecting their systems as you are. If you share digital information with your subcontractors, you open a very wide door for any of their vulnerabilities.
     
    And this doesn't just apply to the manufacturing sector. Medical offices share data, for instance. Consider talking to a security expert to address your vulnerability to a security breach via the very vendors you rely upon. You need to expect as much focus on security from them as you do from yourself.

    Friday, January 19, 2018

    Cyber Crime and Security for SMBs

     
     
    Did you know the illicit trading of personal data was worth $3.88 billion last year? Cybercrime is a growing industry known for its innovation. It goes far beyond the image many of us have of some hacker kid in his basement. Many who engage in this activity are professionals and work in large teams. Some may even be sponsored by governments. If you follow the news, you can find large corporations and even government agencies who have fallen prey to hackers and had massive amounts of data compromised. Unfortunately, this has led smaller firms to feel they fly below the radar. In fact, the opposite is true. Small businesses-especially those in regulated areas such as medical, financial, and legal services-need to be hyper vigilant about security. The cybercriminals' professional efforts will outdo your amateur efforts at security.
     
    As a small business, you are vulnerable for two reasons. First, serious hackers see small business as entrances into larger entities. Small firms that have any interaction with larger firms, perhaps as a subcontractor, can be easy targets for professional criminals. Second, the clients or customers of small firms are shown to be less forgiving of data compromises that occur in small businesses.
     
    Security now goes beyond buying an antivirus program online. You should seek professional advice setting up security policies and business continuity plans, or testing these policies on a routine basis. A professional can spot vulnerabilities and prevent breaches before they occur.

    Friday, January 12, 2018

    Government regulations

      
     
    Any business that stores customer payment information must comply with a number of state and federal regulations. The legal, healthcare, and financial sectors have a number of laws tailored specifically for them (such as HIPAA or CISPA). If you run almost any kind of professional practice or agency you probably have very specific data security requirements. Running afoul of these regulations puts you at risk for legal action and probably means that you have bad security in place.
     
    As a professional, your focus needs to be on your clients and running your firm. Regulatory requirements to ensure data security can be complex and include rigorous testing requirements. Ensuring compliance with the regulations can be a serious distraction for you and take you into territory where your experience is limited.
     
    One of the best solutions is to work with a third party who has strong credentials in the area of regulatory compliance and data security. When you are working with a third party to set up security or data storage, make sure that they have experience working in your industry. Finding a service provider with experience in your profession can give you peace of mind knowing that you can focus on running your business without the distraction of ongoing technology concerns.

    Friday, January 5, 2018

    Higher goals get dragged down by Tech: The NPO story

     
     
    If you are a smaller Not-for-Profit, it is likely that your organization has been driven from its inception by individuals strongly motivated with a passion for their cause or humanitarian goal. As a result, it is also possible that the leadership has little interest in developing the administrative technology infrastructure that is necessary for any organization to function in the internet age.
     
    Failure to understand and focus on technology can damage an organization's growth and success. However, NPO leadership has to be laser focused on the day-to-day struggles of the organization such as seeking funding, keeping the doors open, and pursuing the mission. As a consequence, technology infrastructure may be cobbled together as an afterthought; resource limitations may lead to short term tech decisions that can be wasteful and more expensive in the long term.
     
    An NPO, with its tight budget margins, is an excellent example of an organization that could benefit from outsourcing its fundamental tech needs to a MSP. A MSP can determine short and long term needs, assess possible solutions, and propose the most cost effective tech solutions to ensure a stable, long-term tech infrastructure. Without the time or stomach for administrative distractions, NPOs may continue to use the break/fix model, making less informed tech decisions that may ultimately waste precious resources. Good and careful planning with a professional can mean a better strategic use of organizational resources far into the future.