Posts

Infection protection: Nine steps to start protecting your company today

Malware is a generic term that covers all manner of software that is designed to attack your devices, applications, programs, and networks. It is software that has bad intentions. Yes, stealing. Either by directly pulling money out of accounts, or improperly acquiring data that ultimately provides access to funds. Example: Stealing your SSN and setting up a credit card to use that info, or convincing you to provide the password to your checking account. Others will snatch your organization’s data and hold it for ransom. As usual, it is all about money. What can you do?

Nine steps to avoid malware

1) Don’t go it alone – As a small- to medium-sized business, you have limited resources, all of which need to be focussed on running the business and planning for the future. That makes it difficult to direct an IT operation that has the depth to address all of the security issues you face. For example, a business owner cannot possibly keep up with the changes and details of tax laws. Doing it themselves, they would likely overlook important tax advantages or inadvertently break some IRS rule. As a result, tax preparation and accounting above the level of basic bookkeeping is outsourced to an outside accounting firm. You should consider looking at IT in the same way.

2) Pay attention to those update windows – Don’t procrastinate. Those update requests aren’t just for adding a new feature. Each update probably addresses some vulnerability in the software that could be exploited by a virus. You may also want to consider outsourcing this project. In a complex business, there is a long list of installed software that needs to be updated. An MSP can coordinate that project and handle any glitches that appear when an update is installed. Also, be mindful that if you permit BYOD- all of those remote devices are vulnerable if their owners neglect updates.

3) Multi-factor Authentication – It is getting tough to log into much of anything these days without hitting MFA. And for good reason. MFA is a tool that works to cut down fraud by asking for additional data to verify your password in order to gain access. Generally it involves entering a password then following up with a token you might be sent via text or email, or using a biometric measure, such as a fingerprint. An MSP can provide applications that can set up MFA to protect your data.

4) Create a strict backup policy and follow it – Data can get corrupted, lost, or stolen. Handling backups is more than just downloading data to a hard drive every evening. An MSP can provide you with the tools needed to handle backups appropriate to the needs of a business operation or take on full responsibility for the task.

5) Manage access – Who can look at what data? In a smaller business, we often just provide access to data to an employee or we don’t. Why? Because it is simple. Instead, tighten your security by segregating data access. Individuals get access only to the data needed as defined by their job description. Follow the Principle of Least Privilege. That is, each individual only has the access to accounts, databases etc. that are absolutely necessary for them to do their assigned tasks.

6) Train everyone on basic data security – Humans are still a very weak link in an organizations defense against cybercrime. Poor password hygiene and inattention to scams are the biggest concern for business owners. Here are some areas where training can help.

7) Identify phishing emails – These are mails that appear to come from legitimate sources, but are faked. Because the reader trusts the sender, they naively open a link that might be attacked which then downloads some forms of malware.

8) Prevent a “Lost” USB – Too often, individuals will find a USB drive left near a desk or dropped somewhere. The temptation to insert it into their computer to see what’s on it can be very hard to resist. This was part of what caused the Target data breach.Train employees to only insert company verified hardware into their computers.

9) Password etiquette – Define standards within your organization about acceptable passwords. An MSP can help you set up programs that require employees to create passwords that meet your defined criteria. Also, consider fostering a culture that makes the sharing of passwords a performance issue that will be addressed by an individual’s supervisor.

10) Take the step beyond anti-malware software – Anti-malware software is necessary, but it isn’t as proactive as one might want. Your MSP can design an endpoint detection and response solution.

/by

Your business runs on data, but so do the cyber criminals who want to steal yours

One very painful truth about running a business is that you possess data that is attractive to criminals. There is no avoiding that reality. You have data. They want data. It is an ongoing challenge to maintain data security as cyber criminals’ efforts evolve and change on a daily basis. The wall that kept you safe last week may have holes in them today. Keeping up with the latest threats is a specialized field that in-house IT support likely doesn’t have. An MSP can provide the support you need in the face of ransomware threats and other malware. Also, an MSP can provide 24/7 monitoring.

Speaking of data security, brand damage isn’t the only issue with data security breaches. In many cases, there are data protection laws that regulate how you secure personal information. In specific industries there are federal, state, and even overseas regulations that set standards for data protection. How you choose to protect data may be out of your hands. MSPs have the experience and knowledge to address compliance management. For example, there are a number of data protection laws (HIPAA, FERPA, CA Privacy Act, GDPR, FTC Safeguards Rule) out there that not only provide penalties if a data breach occurs, but also mandate specific protocols to better ensure your data is protected. Avoiding a data breach isn’t enough. Some of these protocols can be quite demanding and some require periodic testing and are subject to audits. Samples of the types of requirements mandated by some of these laws may include.

  • Designating one individual to oversee data protection and security
  • Conducting a risk assessment – This means analyzing what data you possess , where it is stored, and in what ways it is vulnerable.
  • Creating safeguards to address all potential areas of vulnerability
  • Designing and documenting tools to secure your data and tracking access
  • Tracing the location and security of all data whether it is at rest or in transit.

Not only do you have to set up protocols, you may have to prove they are operative and be subject to audits. All of this can be extremely distracting to a small business.

Another area related to data security is the issue of backup and recovery. So much can go wrong. There is nefarious activity: criminals actively trying to break into your data and steal it. There is human error: individuals taking actions that accidently delete or damage data. And of course, hardware can fail and software can have bugs. And, if not done correctly, backups may be infected and be of little value.

An MSP can design backups that are continual and are protected at an offsite location.

More importantly, it isn’t enough to know your data is safe if something happens. Your business is dependent on using that data. Losing a day of access can cripple your business. That means planning for recovery in case something happens. How will you transition to another mode of data access? Your customers expect 24/7 availability. An MSP can develop recovery plans that work to ensure your operations see minimal disruption in the event of a failure.

/by

Strategic IT planning for your business

One thing that the best MSP can do is become a strategic partner. Your expertise is your industry, business, or profession. Trends and innovations in technology aren’t your focus. However, your business can benefit from some long-term strategic planning in terms of the technology you will deploy to remain competitive. New technology will offer new opportunities. An MSP who has experience in your industry can become a partner. After taking the time to learn your business, your goals, and the competitive field in which you operate, an MSP can take a seat at the table of your business planning. At the highest level, this is where a skilled MSP becomes a significant asset as your business grows and faces new market challenges.

Additionally, An MSP can help with other parts of your IT infrastructure to protect your data as well as facilitate more effective collaboration internally as well as with clients. Here are three examples.

Backup and recovery

Another area related to data security is the process of securing your data in the event of theft, a hardware or software issue, or even a natural disaster that cuts access to your data’s physical location. Backing up your data needs to involve a lot more than running nightly backup to an external drive. That may be ok for your home laptop, but it doesn’t cut it if you want to protect your business data. An MSP can support continual data backup to offsite locations. This means at any point there is a system failure or breach, all of your data remains secure at one or more distant locations. Backup also includes recovery. Having your data safely stored in the event of a disaster isn’t enough. Your business will need continuing access to that data. An MSP can develop recovery plans that work to ensure your operations see minimal disruption in the event of a failure. Also, clean backups are critical for avoiding the consequences of a ransomware attack. Poorly handled back procedures can leave your data vulnerable,

Cloud Services

The decision to use cloud services is closely related to data security and cybercrime. Locating all of your data and software applications physically in your own location may seem like the safest thing to do, but that may not be correct. If you utilize cloud storage, you can maintain access to that data from any location. If a natural disaster or other emergency limits access to your physical locations or disables it, your business and employees can access the data from anywhere. Also, the cloud offers economies of scale. To maintain sufficient capacity to meet peak times, maintain all of the necessary hardware and software, and monitor it 24/7 involves considerable in-house labor and capital expense. Migrating to the cloud means you share those fixed costs with others. An MSP can handle selecting and designing a cloud solution most appropriate to the needs of your specific industry and business.

Unified Communications

Unified communications is a service that pulls together the different channels your employees and clients use to collaborate, sell, communicate, etc. Unified communications systems have many moving parts. Encryption, data security, ease of use, cross platform support as well as other support services can create a communications system that works for everyone, no matter what channel they choose to be using.

/by

Risk assessment: A Value model

Risk assessment means looking at all the conditions, situations and threats that exist that could damage or bring down your business. Risk assessment is all about identifying the external and internal threats that exist and measuring the likely consequences if that threat becomes reality. A data security risk assessment would identify what data you have, how you use it, how confidential it may be, how it is affected by regulations and the ways it could be compromised. A major focus of a data security assessment is cybercrime.

In terms of developing an IT staff, the alternative approach to building out a team is to determine your IT staffing needs in terms of risk assessment. That means evaluating risk and directing staffing resources to those areas where the risk is greatest and the consequences most severe. Basically, it is an evaluation on the ROI of your IT staffing in light of identified risk. In particular, what is the return on your risk management investment? The goal is to evaluate risk in light of business and operational consequences. Put simply, which point of failure leads to the most destructive consequences. Once that is determined your limited IT resources can be directed at those most critical areas.

In the short term, you can try to find the specific applicants that have what you need to plug the holes. Is that workable given the challenges to hiring? The market is very competitive.

The alternative is an MSP. Using a Managed Service provider for at least some of your most critical needs can be a very effective way of targeting your IT resources to where you are most vulnerable.

You have more freedom to move resources to where they are most needed.

Opting for an in-house IT team limits you in terms of scalability. You cannot just add or reduce the strength of your IT team anytime. Choosing a managed services provider, however, provides the flexibility to scale up or scale down your IT investment to suit your business needs.

You are better prepared for IT emergencies

Having a service contract with an MSP helps you tackle IT emergencies better because you get access to top-level IT expertise. An MSP’s core business is IT so they are naturally more knowledgeable and up-to-date when it comes to the latest IT challenges, including cybercrime. Plus, an MSP can deploy more resources if need be to solve your IT emergency, helping your business get back on its feet sooner.

You will be ahead of the curve

The IT industry is constantly evolving. The in-house IT team may find it challenging to keep up with the latest trends and norms of the IT industry as they will be caught up in managing the day-to-day IT activities at your office. Also, IT is a very broad field, and only a diverse IT team has the depth to cover all of the different areas. With an MSP, you don’t have to worry about how technology is changing. A good MSP will not only be up-to-date with the latest in tech but also advise you on what tech changes you need to make to stay ahead of the curve.

The lesson for hiring IT is that you should focus resources, be they in-house or external, on the areas where your business is at highest risk from a single point of failure or a cyber attack. Not all IT needs are equal, and traditional models don’t always recognize this. A Managed Service Provider can also assist you in determining a hierarchy of your IT needs.

/by

Staffing should address risk first and foremost

,

For any business, but especially a smaller one without deep pockets, the consequences of some disaster may mean the end of the business. As a result, risk evaluation becomes critical. There are an endless variety of events, from mishaps to major disasters that challenge your viability. Risk management inventories all of the possible risks that could befall the organization and places them in a hierarchy of significance. At the top are single points of failure disasters or extreme events that would shut down the business, at least temporarily. Risk management then works to channel limited resources toward mitigating the most serious risks. Here are some examples of risk in the IT area that could be especially damaging if left unprotected

  1. Data Security and Cybercrime –
    1. Loss of data – Failed backups or human error can lead to lost data. Every business needs to have the IT expertise to ensure that quality backups are maintained, preferably in real-time
    2. Data breaches – More significantly, data is constantly at risk from crime. From malware to ransomware, viruses and cyber attacks can destroy a small business. Consequently, quality IT support is most critical in this area. It should be an issue of highest priority.
  2. Hardware redundancy – Your entire physical IT infrastructure represents a vulnerability. Single points of failure could shut down your business. Proper design of your infrastructure, and 24/7 monitoring of it is, again, a risk mitigation factor. How much evaluation has been done to determine your level of risk?
  3. Natural and human-made disasters – How prepared is your IT infrastructure to continue operations in the event of a flood, fire, or natural disaster that prohibits access to your physical location? How would you handle a long-term power of broadband outage? IT professionals skilled in disaster recovery can help you mitigate the risk in the face of a major event.

    The point here is not to list all the possible risks you face, but to recognize that IT support should be focused on the most critical areas. Whether you bring them in-house or use the services of an MSP, resources should be directed first at areas where the risk is greatest.

How can an MSP help support a risk-focused IT strategy?

  1. Hiring individual in-house support can be expensive and slow – Given the tight labor market, finding ideal candidates can be exceptionally difficult, and as a consequence, too expensive. An MSP represents a faster way to bring on support and can be utilized only when and where the most critical services are needed.
  2. Up-to-date support – Over-worked in-house IT staff in a small company may be too busy putting out fires to keep up with the latest developments in specific corners of their field. As a result, you may lack the knowledge depth needed on narrow but critical areas. IT is a very broad field, and only a diverse IT team has the depth to cover all of the different areas. With an MSP, you don’t have to worry about how technology is changing. A good MSP will not only be up-to-date with the latest in tech but also advise you on what tech changes you need to make to stay ahead.
  3. Scalability – The size of your in-house IT support staff is, in the short term, static. If you experience peak demand times, resources can be stretched to the point of being overwhelmed. .Choosing a managed services provider, however, provides the flexibility to scale up or scale down your IT investment to suit your business needs.
  4. 24/7 monitoring and availability – Until your organization gets big enough, an in-house IT staff cannot be available 24/7. Nor can it provide 24/7 monitoring for that part of your business that must be functional all the time. An MSp has the resources, because of economies of scale.

In the end, don’t think of IT support as “IT Hiring” instead, think of it as staffing. What is the best use of limited resources to meet your most immediate vulnerabilities? That is the best perspective to take on IT support when resources are limited.

/by

Four Basics to follow for Everyday Data Security

,

One of the biggest questions we get from clients and prospects is “What can we do to protect ourselves from cyber attacks?” It is a sensible concern. A cyber attack that freezes operations or seizes data can ultimately shut a company down for good. There are some basic, simple things you can do to protect your company and there are more sophisticated tools available. In this blog, we look over a spectrum of 4 things you can do to improve your data security, from the simple to the high tech.

  1. Employee training – It may seem so simple, but training your employees on an ongoing basis about their role in cyber security may be the best thing you can do. Why? Because well-meaning people do things when they get near a computer that can be very risky.

Simple things like forbidding the use of external storage devices being brought to the workplace. One of the more notorious data breaches occurred because a subcontractor employee–who had access to a large corporation’s IT infrastructure–found a thumb drive in the parking lot and plugged it in to see what was on it. Beyond that, simple phishing scams are still very effective at tricking people into opening nefarious websites. Ask your MSP for guidance on creating ongoing training programs that explain phishing scams and similar tricks and instruct everyone how to avoid them. Do it on a regular basis. It is easy to forget and let your guard down.

  1. Software updates – This one is also basic, but it carries a lot of value. Each time you receive a notice about a software update, stop and do it then. Don’t put it off until tomorrow. These updates not only provide new, improved features. They often provide fixes to vulnerabilities in the software or address threats and viruses that have developed.
  1. Zero day alerts – Zero Day alerts are kind of like a neighborhood crime alert.
    You are busy running your own company and your time is not spent tracking the latest threats developing out there in the cyber world. Your MSP may offer text or email alerts about new threats and how to protect yourself from them.
  1. Finally, there is a more complex, after the fact, security precaution you can take. Cyber insurance. Cyber insurance may be able to cover some or most of the losses incurred as a result of a security breach. It won’t defend your data proactively, but, should the worst happen, it may provide protection against loss revenue and damages. Standard commercial property insurance policies do not generally include provisions for the damages from cybercrime. In a growing number of commercial policies, they are specifically excluded. As a result, executives who recognize the catastrophic damage that a cyberattack can inflict on their business are looking at cyber insurance to transfer the financial losses to a third party. However, there are some pretty deep weeds to get into when looking for a cyber insurance policy. Just for one example, some policies may create requirements and security standards you must meet before an event will be considered a covered loss. A Managed Service Provider can offer guidance into whether this is an avenue to explore.So there you have it. You have to protect your organization from the threats and consequences of data losses due to a security breach.
/by

5 ways to make passwords more effective

5 ways to make passwords more effective

You should be using an array of security tools to protect your business data. Some can be highly sophisticated, but there is one tool that we all still rely on heavily to secure access to our business systems and data. The password. But they can be hacked and shared. As long as we still rely on them, are there things we can do to make them more effective?
Yes. There are two main areas where you can improve the security of passwords. One is improving the security of the password itself, the second is multi-factor authentication.

First, there is the password itself. This is often known as password hygiene. Good password hygiene includes

Passwords that are too simple

Simple passwords are easy to remember but easy to crack. Words, in any language, are not ideal either. That is why many sites require a mix of letters, characters, and numbers. easy to And yes, some people are still using password123.

One universal password

Sometimes people find it difficult to remember multiple passwords for various files and applications, so they use a single good, strong password everywhere. This renders the good password virtually pointless and also increases the amount of damage that can be inflicted in the event that one ‘good’ password is compromised.

Unauthorized password sharing

Generally done with benign intentions, employees often share passwords for convenience or to expedite handling the sharing of data. Not good.

Writing down passwords

Sometimes, people follow all password best practices but find it difficult to remember complicated passwords and then write them down on a piece of paper or worse still, make a file containing all the passwords and store it in their email or computer. This is almost like giving away the keys to your property to a burglar.

Forgetting to change passwords or revoke access

This is especially an issue where the staff is busy and turnover is high. Managers may fail to remember to change the passwords once a staff member quits, leaving company data vulnerable. This is especially likely in a small company where there may not be a centralized IT staff that oversees data security and access.

Remember, having a password is not the solution. Having the right kind of password and following good password hygiene is.

/by

Social media at work…what could go wrong

As a business, there is no doubt today that you need to make your presence felt on major social media platforms such as Facebook, Twitter, Instagram and LinkedIn. But social media also exposes you to cybercriminals. In this post we talk about the steps you can take to ensure your social media account doesn’t become a gateway for cybercriminals to access your data.

Make someone accountable
The first step to a successful and safe social media experience as a company is to make someone in your organization accountable for it. Designate a social media manager who is responsible for maintaining your company’s social media accounts. This person should oversee everything–from the posts and pictures in your company account to approving/disapproving ‘Friend’/’Follow’ requests.

Train your employees
Of course you should train your employees who handle your official social media accounts about the security threats and how they need to steer clear of them, but you also need to train other employees who are not on your social media team as they could be a weak link that a cybercriminal could exploit to reach your business. Seems far fetched? Not really. A lot of people trust their ‘friends’ on social media and also unwittingly share a lot of information, which can be used to hack their personal accounts and devices, which in turn, may act as a gateway to your business. Teach your employees about general social media best practices in terms of security and also educate them about the privacy settings they can use to ensure there data is shared with trusted individuals only.

Take the necessary security measures
Make sure the devices you use to access your social media accounts are protected with firewalls and anti-malware tools and all security updates and patches are up-to-date.

Password hygiene
Practice good password hygiene and encourage your teams to do the same. That means no password sharing, no sequential letters/numerals, no obvious words or numbers as your social media account password.

Frame a social media policy
You should also frame a social media policy that spells out the dos and don’ts of social media that everyone in your organization should follow. This is important from various perspectives as employee’s statements on social media may be perceived as a reflection of your business’s values, whether you like it or not. This can make your business a target of cybercriminals and lawsuits.

Putting your business out there on the social networking sites gives your brand a lot of exposure, presents paid advertising opportunities and even helps you build and manage customer relationships, but as discussed, it can be tricky to navigate in terms of security. Businesses may find it overwhelming to manage their social media security strategy all by themselves can reach out to a managed services provider. An MSP with experience in social media security can be a valuable asset in helping you build a strong social media security strategy.

/by