You’re Fired! Now Give Me Your Password

Losing an employee is rarely a good experience. If they leave voluntarily, you lose a valuable asset. If they have to be fired, you have the arduous task of the progressive discipline process and the final termination meeting. But another concern arises whenever an employee leaves: security, and specifically the access that person still has to company data.

Here are some considerations regarding passwords and voluntary termination (a.k.a. resignation) or involuntary termination (a.k.a. firing). It is important to have a process in place so that whenever a termination occurs, nothing slips through the cracks regarding corporate data security.

  1. When you dismiss an employee, you should immediately disable every account they hold and rotate any shared passwords they knew (a shared credential cannot be “disabled”, only changed). Because almost all terminations should be planned, you should also define the process for cancelling access. It is unwise to cancel access before the termination meeting: if you do, you create the potential for a confrontation when the employee arrives at work and finds their logins no longer work. Instead, plan ahead and assign someone to disable their accounts, and to revoke any active sessions and VPN or remote-access profiles (disabling an account does not end sessions that are already open), while the termination meeting is taking place. Before the meeting, have a list of all access cards, keys, devices and accounts prepared so that everything can be cancelled before the employee leaves the building.
  2. Voluntary terminations - Different firms have different policies for handling resignations. Depending on the position, an employee may be permitted to keep working through their two-week notice period. In that case you need to consider whether there is any possibility the employee might get up to no good during the final days. That is a judgement only you can make.

In some cases, firms will ask a resigning employee to leave the facility immediately. For that you need a plan in place: a ready list of every restricted system the employee can access, so the situation can be handled on the spot. The employee should not leave the building until all of their access has been cancelled.
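The check a practitioner wants after a termination is a reconciliation: did anything slip through? The script below is an added example, not code from the original post or from any particular product. It cross-checks an HR list of departed employees against account exports from several systems and reports two things the checklist above must cover: accounts that are still enabled (including ones held under a different username), and shared secrets the departed person knew, which cannot be disabled and must be rotated. All records and field names are constructed for the demo.

```python
"""Departure access reconciliation (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    system: str
    username: str
    enabled: bool


@dataclass
class SharedSecret:
    name: str
    known_by: frozenset
    last_rotated: date


# Constructed data: one departure, four account records, two shared secrets.
HR_DEPARTURES = {"jdoe": date(2024, 3, 1)}

ACCOUNT_EXPORTS = [
    Account("AD", "jdoe", enabled=False),       # disabled during the meeting
    Account("VPN", "jdoe", enabled=True),       # forgotten: still lets them in
    Account("CRM", "john.doe", enabled=True),   # different naming convention
    Account("AD", "asmith", enabled=True),      # unrelated employee
]

SHARED_SECRETS = [
    SharedSecret("router-admin", frozenset({"jdoe", "asmith"}), date(2023, 11, 2)),
    SharedSecret("backup-nas", frozenset({"asmith"}), date(2024, 1, 15)),
]

# Usernames differ across systems; without this map the CRM account is missed.
ALIASES = {"jdoe": {"jdoe", "john.doe"}}


def leftover_access(user, accounts, aliases):
    """Enabled accounts, in any system, belonging to `user` under any alias."""
    names = aliases.get(user, {user})
    return [a for a in accounts if a.username in names and a.enabled]


def secrets_to_rotate(user, secrets, departed_on):
    """Shared secrets the user knew that have not been changed since they left."""
    return [s.name for s in secrets
            if user in s.known_by and s.last_rotated < departed_on]


def reconcile(departures, accounts, secrets, aliases):
    """Per departed user: what is still open and what must be rotated."""
    report = {}
    for user, departed_on in departures.items():
        report[user] = {
            "still_enabled": [f"{a.system}:{a.username}"
                              for a in leftover_access(user, accounts, aliases)],
            "rotate": secrets_to_rotate(user, secrets, departed_on),
        }
    return report


if __name__ == "__main__":
    for user, r in reconcile(HR_DEPARTURES, ACCOUNT_EXPORTS, SHARED_SECRETS, ALIASES).items():
        print(user, "still enabled:", r["still_enabled"], "rotate:", r["rotate"])
```

Run it on real exports by replacing the constructed lists with whatever your directory, VPN and SaaS consoles export; the alias map is the part that does the work, because the account that gets missed is almost always the one registered under a different naming convention.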

This all may seem a bit harsh, but things have changed. 30 years ago, for a disgruntled employee to steal files, they’d be carrying out large boxes of file folders. Now, not only can they empty the building onto a thumb drive, they can take nefarious action that wasn’t possible when data was stored on paper.

IT Defense in Depth Part II

In our last post we started talking about the different layers of security necessary to fully defend your data and business integrity. Today we will look at the human, network and mobile layers. The human layer refers to the activities that your employees perform. 95% of security incidents involve human error. Ashley Schwartau of The Security Awareness Company says the two biggest mistakes a company can make are “assuming their employees know internal security policies” and “assuming their employees care enough to follow policy”.

Here are some ways hackers exploit human foibles:

  1. Guessing or brute-forcing passwords
  2. Tricking employees into opening malicious emails or visiting compromised websites
  3. Tricking employees into divulging sensitive information

For the human layer, you need to:

  1. Rotate or revoke credentials the moment you lose an employee or suspect a compromise. Forced calendar-based changes every 30 to 60 days were once standard advice, but current guidance (NIST SP 800-63B) no longer recommends them, because users respond with predictable variations of the old password; long, unique passwords and multi-factor authentication do more good.
  2. Train your employees on best practices at least every 6 months
  3. Provide incentives for security-conscious behavior.
  4. Distribute sensitive information on a need-to-know basis
  5. Require two or more individuals to sign off on any transfer of funds
  6. Watch for suspicious behavior

The network layer refers to software attacks delivered over the network. This is by far the most common vector for attacks, affecting 61% of businesses last year. There are many types of malware: some will spy on you, some will siphon off funds, some will lock away your files.

However, almost all of it arrives through the same few channels:

  1. Spam or phishing emails and compromised websites
  2. “Drive-by” downloads, which infect a machine merely by visiting a booby-trapped page

To protect against malware:

  1. Don’t use business devices on an unsecured network.
  2. Don’t allow unknown or personal devices onto your business Wi-Fi network; give visitors a separate guest network.
  3. Use firewalls to protect your network.
  4. Make sure your Wi-Fi network is encrypted with WPA2 or WPA3 (never WEP or an open network).
  5. Use antivirus software and keep it updated. Although it is not the be-all and end-all of security, it will protect you from the most common viruses and help you notice irregularities.
  6. Use programs that detect suspicious software behavior rather than relying on signatures alone.

The mobile layer refers to the mobile devices used by you and your employees. Security consciousness for mobile devices often lags behind that for other platforms, which is why there are an estimated 11.6 million infected devices at any given moment.

There are several common vectors for compromising mobile devices:

  1. Traditional malware
  2. Malicious apps
  3. Network threats

To protect your mobile devices you can:

  1. Use strong passcodes and automatic screen locks
  2. Use device encryption
  3. Use reputable security apps
  4. Enable remote-wipe options, and test that they work before you need them.

Just as each line of defense would have been useless without an HQ to move forces to where they were needed most, an IT defense-in-depth policy needs a single owner who monitors every layer for suspicious activity and can respond accordingly.

IT Defense In Depth Part I

In the 1930s, France built a line of fortifications called the Maginot Line to rebuff any invasion. The philosophy was simple: if you map out all the places an enemy can attack, and put enough men and fortifications at those places, you can rebuff any attack. The problem is, you can’t map every possible avenue of attack; the Germans simply went around it.

What does this have to do with IT security? Today many business owners install an antivirus program as their Maginot Line and call it a day. However, there are many ways into a network that circumvent antivirus software entirely.

Attackers are creating malware faster than antivirus programs can recognise it (about 100,000 new malware variants are released daily), and professional cybercriminals routinely test their creations against every commercially available antivirus product before releasing them onto the net.

Even if you had a perfect antivirus program that could detect and stop every single piece of malware, many attacks circumvent antivirus entirely. If an attacker can get an employee to click on a malicious email or website, or can guess or brute-force a weak password, all the antivirus software in the world won’t help you.

There are several layers a hacker can target: the physical layer, the human layer, the network layer, and the mobile layer. You need a defense plan that lets you quickly notice and respond to breaches at each layer.

The physical layer refers to the computers and devices that you have in your office. This is the easiest layer to defend, but is exploited surprisingly often.

Here are a few examples:

  1. Last year 60% of California businesses reported a stolen smartphone and 43% reported losing a tablet containing sensitive information.
  2. The breaches attributed to Chelsea Manning and Edward Snowden happened because, as insiders, they could copy data from systems they were allowed to use; no malware was needed.
  3. CompTIA left 200 USB drives in public spaces across the country to see whether people would pick up a strange device and plug it into a work or personal computer. 17% did.

For the physical layer, you need to:

  1. Keep all computers and devices under the supervision of an employee or locked away at all times.
  2. Only let authorized employees use your devices
  3. Do not plug in any unknown USB devices.
  4. Wipe or physically destroy obsolete hard drives before disposing of them

Next time in Part II, we will talk about the human and network layers of security.

Data Security: A People Problem

Phishing Scams – A People Problem

There are some things that only people can fix. Your data is exposed to many security risks, but one method remains a wonderfully effective hacking tool: the phishing scam. This is a legitimate-looking email that asks the reader to click on a link. In one variant, the link delivers malicious software that steals passwords, logins and other critical data. In the other, the email appears to come from a legitimate source and the link leads to a copy of a real web page (a bank or webmail login, say) that asks the user to enter personal information, including passwords; whatever is typed goes straight to the attacker. Either way, that is how attackers get into your systems with so little effort.

What’s the best defense against this one? The single biggest defense is education: training your people to be constantly wary of the emails they receive. One way some firms educate their people is by sending out their own “fake” phishing emails. Employees who click the link are greeted with a notice that they have fallen for a phishing scam and are then offered tips on how not to be fooled in the future. Think of it as the hi-tech version of Punk’d.

You may not be ready to go that far, but it is important to provide ongoing training to all of your staff about phishing scams. Your staff are critical factors in your data security plans.
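The tells that training teaches people to look for can also be checked by software. The script below is an added example, not code from the original post or from any mail product: it pulls every link out of an HTML email and flags the classic phishing patterns described above, namely visible text that names one domain while the link goes to another, a trusted brand name buried inside an untrusted host (example-bank.com.login-verify.net), punycode hosts, raw IP addresses and plain http. The trusted-domain list and the sample message are constructed for the demo; a real filter would load your own domains and run on inbound mail.

```python
"""Phishing link heuristics over an HTML email body (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com", "example.com"}   # assumption: your own domains


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); fine for a demo, wrong for .co.uk and friends."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings for one link; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:
        return findings
    if is_ip(host):
        findings.append("raw IP address in link")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode/IDN host")
    if parsed.scheme == "http":
        findings.append("unencrypted http link")
    # Visible text that looks like a URL but disagrees with the real destination.
    m = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", text, re.I)
    if m and registrable(m.group(1)) != registrable(host):
        findings.append(f"text says {m.group(1)} but link goes to {host}")
    # A trusted brand name inside a host whose registrable domain is not trusted.
    reg = registrable(host)
    if reg not in trusted:
        for t in sorted(trusted, key=len, reverse=True):
            if t.split(".")[0] in host:
                findings.append(f"looks like {t} but registrable domain is {reg}")
                break
    return findings


def scan_email(html):
    """Map each link in the message to its findings."""
    p = LinkExtractor()
    p.feed(html)
    return {href: analyse_link(href, text) for href, text in p.links}


# Constructed sample message: one lookalike link, one genuine link, one raw IP.
SAMPLE = """<p>Your account is locked. Please verify at
<a href="http://example-bank.com.login-verify.net/reset">https://example-bank.com/reset</a>
or visit our <a href="https://example-bank.com/help">help centre</a>.
<a href="http://192.0.2.10/x">Click here</a> for the invoice.</p>"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE).items():
        print(href, "->", findings or "ok")
```

The registrable-domain comparison is what defeats the most common trick: the link text, and even the start of the hostname, can say anything, but the last two labels of the host are where the browser actually goes.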

What is Ransomware and How Can it Affect Your Business?

This cyberattack scheme hasn’t garnered nearly as much attention as the usual “break in and steal data to sell on the Internet” version, but it can be even more debilitating. Ransomware attacks have appeared in the last few years, and their practitioners are so polished that in some cases they even run mini call centers to handle your payments and questions.

So what is ransomware? Ransomware stops you from using your PC, files or programs. The business model is as old as the earliest kidnapping: they hold your data, software or entire PC hostage until you pay a ransom to get it back. What happens is that you suddenly have no access to a program or file, and a screen appears announcing that your files are encrypted and that you must pay (usually in Bitcoin) to regain access. There may even be a doomsday-style clock counting down the time you have to pay before you lose everything.

Interestingly, one of the more common “market segments” targeted in the US has been public safety. Police department data is held hostage and, in many cases, departments have given up and paid the ransom; they had little choice. They aren’t the only ones. A hospital in Southern California also fell prey, as did one in Texas.

Ransomware can be especially insidious because backups may not offer complete protection: the malware encrypts every drive and network share the infected account can write to, so a backup that sits on an always-connected drive or share is simply encrypted along with everything else, and a scheduled backup job may overwrite good copies with encrypted ones before anyone notices. Only backups that are offline or stored where the infected machine cannot overwrite them, and that you have actually tested restoring from, will get you out without paying. Such schemes illustrate why you need a professional security service that keeps you up to date on the latest criminal activity in the cyber world. Talk to an MSP about possible protections against ransomware.
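Because the damage to backups happens in the window between infection and discovery, shortening that window is the most useful technical control a small firm can add. The script below is an added example, not code from the original post or from any product. It compares a “before” and “after” snapshot of a file share for the three signals ransomware leaves: many files rewritten with near-random (high-entropy) content, names that gained an unexpected extension, and a large fraction of the share changed at once. Both snapshots are constructed in memory for the demo, with random bytes standing in for encrypted output; a real deployment would walk the share on a schedule or hook file-change events.

```python
"""Ransomware early-warning heuristics over a file-share snapshot (added example)."""
import math
import random
from collections import Counter

# Assumption: what normally lives on the share. Anything else is suspicious.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}
ENTROPY_THRESHOLD = 7.0    # bits per byte; plain documents sit well below this
ALERT_RATIO = 0.2          # fraction of tracked files allowed to change this way


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for empty or constant data, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_ext(path):
    """('dir/name', '.ext') or (path, '') when there is no extension."""
    head, dot, ext = path.rpartition(".")
    return (head, "." + ext) if dot and "/" not in ext else (path, "")


def original_name(path, before):
    """Match an after-path to its before-path, allowing for one appended extension."""
    if path in before:
        return path
    head, _ = split_ext(path)
    return head if head in before else None


def suspicious_files(before, after):
    """Files in `after` that look freshly encrypted, with the reasons."""
    hits = {}
    for path, content in after.items():
        orig = original_name(path, before)
        if orig is None:
            continue                        # brand-new file; not tracked here
        reasons = []
        h_before, h_after = shannon_entropy(before[orig]), shannon_entropy(content)
        # A jump, not just a high value: compressed images are high-entropy already.
        if h_after >= ENTROPY_THRESHOLD and h_before < ENTROPY_THRESHOLD:
            reasons.append(f"entropy jumped {h_before:.1f} -> {h_after:.1f}")
        ext = split_ext(path)[1]
        if ext not in KNOWN_EXTENSIONS:
            reasons.append(f"unexpected extension {ext or '(none)'}")
        if reasons:
            hits[path] = reasons
    return hits


def assess(before, after):
    """Summary a monitoring job would raise: suspicious files, ratio, alert flag."""
    hits = suspicious_files(before, after)
    tracked = sum(1 for p in after if original_name(p, before) is not None)
    ratio = len(hits) / tracked if tracked else 0.0
    return {"suspicious": hits, "ratio": ratio, "alert": ratio >= ALERT_RATIO}


# Constructed snapshots. Seeded random bytes stand in for encrypted output.
_rng = random.Random(1234)


def _noise(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


TEXT = b"Quarterly figures: revenue up 4%, costs flat. " * 40

BEFORE = {
    "finance/q1.docx": TEXT,
    "finance/q2.xlsx": TEXT,
    "hr/policy.pdf": TEXT,
    "photos/team.jpg": _noise(2048),                  # compressed image: high entropy already
    "notes/todo.txt": b"buy milk\n",
}
AFTER = {
    "finance/q1.docx.locked": _noise(2048),           # encrypted and renamed
    "finance/q2.xlsx.locked": _noise(2048),
    "hr/policy.pdf.locked": _noise(2048),
    "photos/team.jpg": BEFORE["photos/team.jpg"],     # untouched
    "notes/todo.txt": b"buy milk\ncall the bank\n",   # ordinary edit
    "README_DECRYPT.txt": b"Your files have been encrypted ...",
}

if __name__ == "__main__":
    result = assess(BEFORE, AFTER)
    for path, reasons in result["suspicious"].items():
        print(path, reasons)
    print(f"ratio={result['ratio']:.2f} alert={result['alert']}")
```

The entropy test is deliberately a jump test rather than an absolute one: a JPEG or a zip file is near-random to begin with, so flagging high entropy alone would page you every time someone saves a photo. The ratio is what separates an outbreak from a user legitimately archiving a folder.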

Data Breaches are a Question of When, Not If

You hear on the news all the time about big cyber attacks on large corporations and even government agencies. The trouble with this coverage is that it gives a distorted view of where cyber attacks are taking place. These attacks are not solely hitting large organizations; small firms represent a significant portion of those who face cyber attacks, and being small by no means makes you immune. In fact, small firms can be used as conduits to larger organizations. That is likely what happened to Target Corporation back in 2013, when the attackers got in through the network access of a small heating and air-conditioning contractor.

If you’re a small business, then you’re a target for cyber criminals. Last year, 71% of small to medium size businesses were the victims of cyber attacks.

Today’s concern is how you would respond to an attack. 31% of small to medium businesses do not have a plan of action for responding to IT security breaches, and 22% admit that they lack the expertise to make such a plan. A data breach is disastrous.

Your response determines whether it’s a survivable disaster. You need to have a statement for customers ready (47 states require businesses to disclose data breaches), you need to be able to quickly reach your backups, and you need access to professionals with experience in disaster recovery and business continuity.

Penetration Testing vs. Vulnerability Testing Your Business Network

Hearing “all of your confidential information is extremely vulnerable, we know this because…” is bad news, but whatever follows the ellipsis determines just how bad. Consider two scenarios.

  1. “All of your confidential information is extremely vulnerable… we know this because a hacker took all of your customers’ credit card info and locked all of your files behind ransomware.”
  2. “All of your confidential information is extremely vulnerable… we know this because we did a vulnerability scan of your network, and have some suggestions on how you can improve.”

61% of small businesses are victimized by cyber attacks each year, and one in five victims do not survive. It is financially worthwhile to make sure you end up being the person hearing the latter sentence.

Scenario 2 is what you hear after a vulnerability test. A vulnerability test is a comprehensive audit of the security flaws a hacker could exploit, and their possible consequences: the equivalent of a doctor giving a physical examination. It tells you what your risks are so you can plan your security policies accordingly.

Vulnerability tests can be done by in-house IT or outside consultants. They should be run quarterly, and whenever you add new equipment to your network.

What is a pen test? A pen test is a simulated attack on a network to test the strength of its security. Usually the pen tester has a specific objective (e.g. “get at this piece of data”). A vulnerability scan answers “what are my weaknesses?”; a pen test answers “how bad is a specific weakness, and what can an attacker actually reach through it?”
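To make the difference concrete, here is the first thing a vulnerability scanner does: find listening services and read what they say about themselves, then hand the result to triage. This is an added example, not code from the original post or from any scanner product; it stops at discovery and simple rules, whereas a real vulnerability test goes on to match the versions it sees against a vulnerability database, and a pen test would then try to exploit what it found. So that it runs offline, the block starts its own throwaway listener on 127.0.0.1 that answers with a constructed OpenSSH-style banner; the list of cleartext ports is an assumption for the demo. Scan only hosts you are authorised to test.

```python
"""Minimal TCP service discovery and triage (added example; loopback only)."""
import socket
import threading

# Assumption: ports whose usual protocol sends credentials in the clear.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


def grab_banner(host, port, timeout=0.5):
    """Return (open, banner). The banner is whatever the service says first, if anything."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return True, s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                return True, ""             # open, but the service waits for us to speak
    except OSError:
        return False, ""                    # refused, filtered or unreachable


def scan(host, ports, timeout=0.5):
    """Map each open port to its banner."""
    results = {}
    for port in ports:
        is_open, banner = grab_banner(host, port, timeout)
        if is_open:
            results[port] = banner
    return results


def triage(results):
    """Turn raw results into the findings a scan report would list, lowest port first."""
    findings = []
    for port, banner in sorted(results.items()):
        if port in CLEARTEXT_SERVICES:
            findings.append((port, f"cleartext protocol {CLEARTEXT_SERVICES[port]} exposed"))
        if banner:
            findings.append((port, f"banner disclosed: {banner}"))
    return findings


def start_fake_service(banner: bytes):
    """Loopback listener that greets every client with `banner`; returns (port, stop)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def demo():
    """Scan a small window of ports around the fake service; return (port, results)."""
    port, stop = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")   # constructed banner
    try:
        return port, scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        stop()


def demo_banner():
    """The banner the scan recovered from the fake service."""
    port, results = demo()
    return results.get(port, "")


if __name__ == "__main__":
    port, results = demo()
    print(f"fake service on {port}: {results}")
    for p, finding in triage(results):
        print(p, finding)
```

The banner is the part that matters to the next step: “OpenSSH_7.4” is exactly the string a scanner would look up to decide which published weaknesses apply, and exactly the string a pen tester would start from.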

How often should you pen test? Different industries have different government or industry mandated requirements. One of the more broad-reaching standards, PCI DSS, requires pen testing at least annually and after any significant change. However, it is prudent to go beyond the minimum. You should also conduct a pen test every time you have:

  • Added new network infrastructure or applications,
  • Made significant upgrades or modifications to infrastructure or applications,
  • Established new office locations,
  • Applied a security patch that changes how a system behaves (at minimum, re-run the vulnerability scan to confirm the patch actually took), or
  • Modified end-user policies.

Benefits of Using VoIP Technology

More and more businesses are implementing Voice over Internet Protocol (VoIP) because of its versatility, flexibility and cost-effectiveness. With new developments in the technology, the scope of its applications is widening; it is becoming more than just a voice communications technology, which is why businesses of all sizes are migrating at an increasing rate. Here is a short list of some of the benefits.

Versatility/Flexibility: Many VoIP service companies have been working feverishly to enhance the technology. They bundle other communication applications into a single unified communication platform to increase efficiency for businesses. This means all modes of communication, such as voice, fax, video, web conferencing and email, can be used from a single software application. The ability to convert a voice message into an email, or a fax into an email, can bring a tremendous amount of efficiency to business operations. You don’t need to sign up for a separate service for telephone or video conferencing. An incoming phone call can ring on a mobile phone and a desk phone simultaneously, so fewer important calls are missed and less time is wasted on ‘phone tag’. An employee can receive an important fax on a laptop while sitting in an Internet café or within range of a Wi-Fi hot spot, and can redirect it to an associate within minutes with a few keystrokes. The list of benefits goes on.

Reduced cost: There are many ways VoIP can lower communications costs and so improve margins. Here are some of the financial benefits of implementing VoIP.

  1. Cost per phone call: Making long-distance or international calls over landlines or mobile phones can be very expensive; per-minute charges add up quickly. When you conduct business from multiple locations, VoIP applications allow you to make PC-to-PC calls that are free within the same network, which eliminates long-distance charges between offices hundreds of miles apart. You can also pay a low monthly flat fee and make an unlimited number of calls, including international calls. This means far less use of your mobile phone minutes.
  2. Operational costs: You don’t need separate networks for data and voice; everything runs over the data network. Specially designed VoIP phones can be managed right from your desktop. Several things are at work here. First, you have the potential to eliminate traditional phone lines, usually a significant fixed monthly cost, in addition to the per-minute usage costs. Paying per minute remains a major issue if you do any international calling, or have offices in other countries, where per-minute rates may not have dropped the way they have in the US. Another operational cost that goes away is the labor involved in moving employees from office to office. Reconfiguring numbers and phones can still require physical changes, and even when they are only software changes, there is a cost to pay the technician who handles them.
  3. Infrastructure cost: With this technology your infrastructure cost is greatly reduced. For example, telephone extensions on traditional PBX and key systems cost extra, whereas VoIP lets you run those extensions right from your computers. Dual-mode phones can be used with this technology after minor configuration changes, allowing the user to switch a dual-mode phone from cellular to a local Wi-Fi environment, which reduces the need to carry both a desk phone and a cell phone. That means fewer devices to manage.

Summary: The case for implementing VoIP is strong. Every business strives for better revenue, and this technology offers many ways to cut costs and bring efficiency by unifying all modes of communication onto a single platform. Lower costs and higher efficiency go straight to the bottom line. Get in touch with a Managed Service Provider and ask how they can bring you on board with VoIP.

BYOD: Why is This Concept So Attractive to Employees?

Bring Your Own Device (BYOD) to work was an idea a few years ago that is fast becoming reality. Using your personal smartphone, tablet or laptop for work seems increasingly natural, and employees are embracing the concept without serious reservations. As more and more business activity becomes technology driven, having your own devices by your side all the time makes sense. According to a survey conducted by Logicalis, about 75% of employees in high-growth markets such as Brazil and Russia, and 44% in developed markets, bring their own devices to work.

Let’s examine all the factors causing people to want to use their own devices at work.

  • Familiarity: This may be the most relevant reason for someone to bring their own tablet or laptop to work: the operating system, web browser and other apps on their own device are the ones they know well and feel comfortable using.
  • Convenience: Companies have been providing employees with mobile phones for business use for a couple of decades. Now those employees have to carry two phones, since everyone also has a personal phone, and the duality is a nuisance: it is hard enough to look after one mobile phone without worrying about two. The reality is that companies expect employees to be reachable 24/7, so company devices can’t just be used at work; they have to be carried home, to the store, and so on. Given the choice, employees would much rather carry just one phone, their own, so that family and friends can reach them at any time. It can also be cheaper for them if the company offers to share the cost of using their device for business.
  • Productivity: Convenience can also result in better productivity. Having fewer devices means fewer distractions. Fewer distractions equals less wasted time. Saving time is always good for productivity.
  • Personal contentment: It makes employees feel good to be able to use their own devices at work. Higher employee morale is very important for any organization. Happier employees are more likely to work hard. A positive environment is also a factor in lower turnover. So, if an employer gives its employees the liberty to bring their own devices to work it may have more satisfied workers.
  • Conclusion: People in the workplace are using their own devices so they can accomplish more in less time. It makes them happy to have their personal devices at work, and it makes them feel good about their job if they are allowed to use the devices that they are familiar with.

VoIP: A New Dimension in Communication for SMBs

Voice over Internet Protocol (VoIP) is a technology roughly a decade old that is gaining popularity among individual subscribers and businesses. In conventional systems, phone calls are made with telephones connected by phone cables and routed over the Public Switched Telephone Network (PSTN), which carries the signal from one telephone to the other. VoIP instead carries calls over the Internet: the phone connects to a broadband device, an adapter or a PC, the voice is converted into a digital signal, and that signal travels over the Internet. Let’s take a look at the options for making calls using VoIP.

Make Calls from a PC: Using this platform a call can be placed from your PC, which is connected to the Internet via broadband. A specially designed software application lets you place and receive phone calls right from the PC. When launched, the software displays a dial pad; you dial using the mouse or keyboard. You need headphones or a speaker to hear and a microphone to speak. Once your PC is connected to a phone or another PC on the other end, you talk as you would on a regular phone. Software with video capability lets the two of you see each other if it is a PC-to-PC call and both computers have cameras. In this case you don’t even need a telephone handset.

Make Calls using a regular phone: You can make calls with a regular phone using VoIP, but for this you need a service, such as Vonage, that provides VoIP access. You subscribe for a monthly flat fee or a per-minute rate. Your regular phone plugs into an adapter, which in turn connects to your broadband device. Some services only allow calls within their own network; others let you call anywhere: local, long distance, international and to mobile phones.

VoIP telephones: Some VoIP providers supply special phones that need no adapter; they are designed to work with your broadband device. You connect the phone directly to your broadband modem with an Ethernet cable and use it like any regular phone.

Companies providing VoIP services are focusing on unified communication platforms that combine phone, email, fax, video and voicemail. Their goal is to make these capabilities available on every means of communication, including handheld devices.

The Role of MSPs: Managed Service Providers (MSPs) can help businesses install the hardware and software that enable VoIP, and can integrate the resulting communication network into the existing IT infrastructure. SMBs can thus eliminate another worry, the management of their communication systems, by outsourcing it along with the rest of their IT services.