by Felicien | Feb 27, 2019 | Education
Many companies are finally taking cybersecurity seriously and have implemented programs to meet their organization’s specific needs. Having a program in place, however, is only the first step. Measuring the effectiveness of a cybersecurity plan is equally important. There are several steps a company should take to adequately measure the effectiveness of their plan.
How Does A Company Measure Security Efforts?
There have to be specific ways to measure security efforts in order to determine their effectiveness. Before beginning this process, it’s important to understand the difference between measurement and metrics. The United States National Institute for Standards and Technology (NIST) states that measurement is defined as observable and quantifiable. Metrics, however, are normally something that can be supported by measurement. Metrics are to be used to assist in decision making and to improve accountability and ultimately performance. Cybersecurity metrics should include accurate data that can be compared in different time periods. In particular, it must include specific and objective data. Cybersecurity effectiveness can generally be divided into three areas. These include systems, incidents, and people.
What Metrics Should a Company Choose?
Establishing a few key metrics to determine cybersecurity effectiveness is a good place to begin. An organization will need to start by tying in their business goals with how increased security can help meet those specific goals. This would include establishing a company’s threat profile and identifying scenarios that would potentially cause the greatest impact to an organization. The following are examples of various metrics that can be used.
State Current Capabilities – An organization should be able to list their current security capabilities. What programs are in place? What exactly are they expected to do? How does the current program address each high-risk scenario that the organization may face?
List Vulnerable Assets – To understand the risk an organization incurs, it’s necessary to know the number of all vulnerable assets. This will enable a company to create a vulnerability management plan that will likely include scans of all appropriate assets. This will indicate what specific action, such as managing patches and updates, should be taken to improve security.
After a few general metrics have been established, a company will want to put in place those that are more specific. The following are just a few examples of specific metrics that can be used to assess the effectiveness of a cybersecurity plan.
Track Patching and Updates – Patch management is a critical aspect of addressing vulnerabilities in software. Companies will want to specifically track how many system patches have been put in place over a particular time period or how many updates have been installed. How often patching is completed can be compared to the number of incidents that occur within a particular time period.
Response Time – Keeping track of response times for a variety of incidents is a relatively objective and efficient way to measure overall effectiveness. How many spam messages have been intercepted? How many attacks from worms, viruses, or ransomware have been identified during a specific time period and how much time lapsed been identification and resolution? How long did it take to remediate vulnerabilities that are found in software?
Monitor Data Transference – Monitoring the volume of data that is being transferred will help an organization identify misuse. If employees are downloading videos, software, and applications that are unnecessary or potentially dangerous, this can open the door for malware.
How is the Company Comparing to Peer Performance?
Another way to gage cybersecurity performance is in relation to how other organizations in similar industries are doing. After deciding which metrics to use to determine security effectiveness, an organization will want to find out how successful other companies are in these areas. Comparing performance to other companies is also known as benchmarking.
How many security breaches have occurred when compared to other companies in the same industry of a similar size? How did they handle different types of incidents? What percentage of the budget is being spent on cybersecurity? These are just a few questions to ask when making valid comparisons. There are a variety of peer networking forums and online meetings that can be used when finding out how other organizations are doing when it comes to cybersecurity.
What Steps Can a Company Take to Address Gaps in Performance?
Finally, how an organization addresses gaps in performance will determine how effective their cybersecurity program will ultimately be. After metrics have been in place for a specified time period and then evaluated, the company will want to implement the following to strengthen weak areas.
Educating Employees – Ongoing employee training is the first, and for most organizations the most important aspect of cybersecurity effectiveness. Organizations need to have clear company policies in place that specifically address weaknesses and gaps that have been discovered.
Updating Systems – Whether it’s improving hardware security, automatically updating software, or creating a new firewall, a company’s systems must constantly be monitored and updated to improve cybersecurity effectiveness.
Ongoing Testing – Is employee education effective? Has the number of times employees have responded to online scams or clicked on a dangerous link decreased? Part of testing will be to record and analyze recovery time whenever an incident occurs. Cybersecurity effectiveness can be calculated by how much time lapses between the detection of a threat and when appropriate action is taken. An organization needs to find an objective method of calculating recovery time.
After completing the previous steps, an organization will now have a better understanding of how effective their cybersecurity program is and how it aligns with their overall business goals. They should also have a plan in place for improvement and specific ways to track and monitor improvement. Finally, it’s important to remember that assessing cybersecurity effectiveness is an ongoing process. This means it’s necessary to continually update and tweak the metrics that are used so they align with the ongoing security needs of the organization.
by Felicien | Feb 27, 2019 | Education
It doesn’t matter whether you are a 10-person team or a Fortune 500 conglomerate, relocating your office is going to take some planning and forethought. The last thing you want is to be forced to close up shop for an extended period, stalling your business due to unexpected issues.
Moving your office should signal growth to your client base; not chaos. So how can you take your business to the next level – and the next address? The key to a successful transition is preparation. You have a marketing strategy … a client care strategy … and a business building strategy … so why not a moving strategy?
Creating a Plan
It is never too early to start planning your big move. This means devising a plan for individual departments as well as the business as a whole. Remember, time is of the essence when it comes to moving an office. The faster you can get your new digs up and running, the faster your team can get back to work.
The first thing you need to do is to appoint a moving manager. This is the point man designated with coordinating the entire office relocation. This includes everything from packing up all necessary files and ordering new stationery to make sure every department has what they need to work on the go for a few days.
More than just a packing or moving expert, the relocation manager knows exactly what is necessary to get your office from point A to Point B with as little downtime as possible. Once you have a moving manager in place, it is time to begin assigning teams to handle individual aspects of the move.
Hire Professional Movers
Not every commercial moving company is equipped to handle large office relocations. Be sure to choose a company that understands the nuances of relocating a business. Remember, they will not be simply moving your desks and chairs from one place to another; they will also be responsible for securing sensitive files and making sure everything makes it to the new location safely.
Equip the IT Department Properly
One of the trickiest parts of moving an office is disconnecting and reconnecting quickly and efficiently. This can only be accomplished if your IT department has what they need to succeed. Here are some tips to create a hassle-free environment for them to work in:
Give the IT department at least three months to plan the transfer. This will include developing a step-by-step outline for the move.
Evaluate the new space well in advance of the move
Order upgraded equipment weeks before moving day to ensure everything has arrived
Coordinate all installations for several days before the actual office move
Make sure that all cabling is installed and tested prior to moving day
Move the IT department first. This will allow them to work to get the rest of the office up and running while boxes are still be brought to the new site.
Install and test all work stations prior to the first scheduled workday in the new office.
Relocating an office can be exciting, but that doesn’t mean the process is always easy, or that it will run smoothly. A lot of things can go wrong if you don’t plan properly, so be sure to follow the guidelines here to ensure that your staff isn’t stressed and your clients don’t feel abandoned during the move. When handled properly, you should be able to move the entire office and have everyone back to work within a day or two.
Moving soon? Contact {company} to arrange a complimentary consultation on how we can assist in the technology side of your office move. Call {phone} or drop us an email.
by Felicien | Feb 27, 2019 | Education
Managed IT Services is a transaction often required by businesses large and small in order to operate efficiently. It’s unfortunate that some owners and managers misinterpret the scale of services provided by a Managed IT Provider. To some extent, there is a contractual obligation toward the expected services, but there is also a simple limitation as to what the IT Provider is capable of doing for your company. Managing your network system, affording security to your records, or simply plugging in your new computer can all be aspects of what IT does, but it has to be contracted in order to hold an expectation of having a particular aspect of the job completed for you.
Contracts and Coverage
A common myth about contracted IT services is that “everything” is covered. No IT service provider is going to contract to enable the software your company uses and expect to spend a week developing your network. Likewise, nobody is going to contract to physically attach your hard components and then set up software for free. Although most IT people can do either job, they specialize. One person might run power cords to individual desks and set up the needs for a computer to run, another person will customize the individual computer to the needs of the job. Although either person can do either job, they don’t, so you need to describe to the Managed Services Representative which of their employees you need to hire to fill your needs and which services you plan to conduct in-house in order to find the right contract with the right specialists you need for consultation services.
Service Level Myths
Some companies offer tiered pricing platforms in the services they offer. To an extent, such offers allow individual businesses to choose what services they need, but at the same time, it has to be understood the provider is going to do their very best regardless of which pricing tier you choose. If you pay only to download new software, no legitimate provider is also going to install it for free, nor can a contract to install software be filled if the programs haven’t been bought and downloaded. No Managed Service can provide free service in addition to their contractual obligations, but it isn’t a myth that they will give you appropriate advice on how to meet your goals and needs.
Every IT Provider Is an Expert
Unfortunately, not everybody who offers IT Service is an expert in the needs of your company. A reputable Service Provider will tell you what they can and cannot do, and will have associates they can recommend toward the services you need which they don’t provide. It isn’t a myth that every IT Provider is an expert. They are, but they aren’t necessarily an expert in every aspect of the field. IT Services are a broad range of helpful ideas toward your company’s success, anyone who claims to be an expert in every aspect of those concepts should be viewed with skepticism.
Conclusion
IT Services are a necessary aspect of every successful business. Some IT work can be conducted in-house, but other jobs require an outside contractor. It’s important to understand what services are provided contractually and realistically as opposed to believing the myths about what an IT Provider can do for you before you hire them, and a reputable company will be prepared to answer such questions as part of their business proposition before you hire them.
by Felicien | Feb 26, 2019 | Education
Technology is the backbone of every business from, the smallest family-owned retail store to the largest international corporations. Companies everywhere depend on their technology to help them to reach their goals and stay competitive in a rapidly growing marketplace. However, when you combine the importance of technology with the reality that it is continuously evolving, you wind up with a major IT problem for many smaller businesses.
Keeping up-to-date with these changes used to require hiring costly full-time IT professionals, but not anymore. Today, an increasing number of small- and medium-sized local companies are enjoying the experience of IT professionals, without the expenses of having to pay for their own IT department. They are able to do this by outsourcing their IT needs to an MSP.
What is an MSP?
The acronym MSP stands for ‘Managed Service Provider.’ MSPs are specialized IT companies which offer their services and expertise to other businesses, usually through a subscription-based payment model. Businesses contract with MSPs to take care of a variety of different ongoing IT issues for them, including:
Deploying, maintaining, and updating servers;
Securing company data from hackers and other cybercriminals;
Monitoring and managing critical applications and websites;
Answering technical questions for employees and clients;
Installing maintaining, and safeguarding company e-mail, and
Providing data storage, regular backup, and recovery services.
Five Advantages of Hiring an MSP For Your Local Business
Lower your upfront costs. Purchasing and replacing technology doesn’t come cheap. Can your business justify the need for spending tens of thousands of dollars on its own servers and other hardware when you know just a few years down the road you will have to replace all of it. Using an MSP eliminates a large initial outlay of money and guarantees you never have to worry about upgrading your system in the future.
Reduce your costs. The average annual salary of an IT professional is more than $80,000 a year. That can be a significant strain on any company’s labor budget, especially if you don’t need a full-time, on-site tech expert. However, when you hire an MSP to take care of your company’s tech needs, you only need to pay a fixed monthly fee for the security of knowing you can still receive the same level of support you would get from a full-time employee at a fraction of the cost.
Become more competitive. Hiring an MSP gives your business instant access to much of the same technological resources that larger companies have, and your local competitor down the street probably doesn’t. That means your employees will be more productive and have the ability to provide better and faster service to your clients allowing you to grow your business quicker than ever before.
Lets you concentrate on your primary business. Your company is outstanding at what it does, but it just doesn’t ‘do’ tech. And why should it? You and your employees need to be focusing on what you get paid to do, and not having to worry about coming up with ways to find a workaround when your tech fails. Give your staff members the peace of mind of knowing that whenever they have an IT question, there is always someone who can help. One phone call to your MSP can get everything back up and running in no time.
Reduce the risk to your business. Hackers love to target smaller businesses for their perceived lack of security. In 2017, over 60 percent of US small businesses were victims. How secure is your company and are you doing all you need to do to protect your clients’ data from cybercriminals? Your MSP can help keep your data safer and ensure that your company complies with the most-up-date PCI security standards and other tech laws.
Not Ready To Completely Transfer Your Company IT to an MSP? Try a Hybrid Solution.
If you already have employees who handle the IT for your business, it doesn’t mean that you can’t benefit from having an MSP as well. Lots of companies decide to keep some aspects of their IT support in-house well outsourcing other tasks to an MSP. This arrangement allows your IT guys the opportunity to concentrate on mission-critical tasks why letting others worry about routine jobs like backing up data.
So, whatever the size of your business, or whether or not you currently have your own IT staff, managed service providers can be an essential part of your business plan.
by Felicien | Feb 26, 2019 | Education
What is ransomware?
Ransomware is an unusual type of threat because it holds your files for ransom while leaving your systems essentially otherwise operational. A piece of malicious software enters your network and applies an encryption algorithm to your computer files, rendering them unavailable. The files are still there, and you can see them in a file structure, but you will not be able to open them with any program. Additionally, ransomware affects not just the device you are using, but any connected storage devices and mapped network drives. As a result, this type of malware poses a serious threat to your information systems. One infected device can bring your operations to a standstill. The person or group behind the attack provides information as to how to submit a payment, and in exchange, they will provide the decryption key. The attackers demand payment in some form of cryptocurrency, in order to maintain anonymity.
Some victims of ransomware attacks have not been confident in the integrity of their data backups and have paid the ransom to obtain the decryption key, and others have paid the ransom and obtained a key which did not decrypt the files. Both situations can be very expensive to your business.
How does ransomware gain entry to my network?
The purveyors of ransomware can inject the malware into seemingly innocuous documents, like invoices or estimates, or they can use internet links in an email to direct a user to a site that automatically starts a download and installation of the program. Documents containing macros provide an excellent opportunity to run the installer package without requiring direct interaction from the user. Some forms of ransomware take advantage of unpatched and unsolved vulnerabilities in the configuration of your devices and systems.
What are the most effective steps I can take to protect my business?
1. Deploy updates and patches in a timely manner. The operating system and application patches should be tested as soon as they are available, and applied to your systems as soon as your team can verify compatibility. Patching vulnerabilities will reduce the number of ways ransomware can execute itself in your systems.
2. Ensure that your technology team has an effective backup and restore process, and that they are able to fully test a restore from backup. Having a backup and restore procedure that you have validated will allow you to return your business to normal without paying an exorbitant ransom, still running the risk of not being able to decrypt the data.
3. Know the devices on your network and implement the same security procedures on any employee-owned devices touching your network that you have implemented on your business-owned devices. Maintain separate profiles on mobile devices, if possible, allowing only the business-facing profiles access to your network.
4. Disable SMB v1 on all devices on your network. SMB v1 is an outdated protocol and was the window that the creators of WannaCryRansomware exploited a few years ago. There may be some favorite processes that fail with the disabling of this protocol. If this is the case, you will need to perform a risk assessment against the cost you will incur with a ransomware attack.
5. Ensure that all your employees understand the hazards of active content like macros, and that they exercise caution in using them. Train them as well not to execute macros on documents received from external sources. Common documents like invoices do not need macros enabled, and in fact, such documents should be saved without active content before sending. If necessary, ask your vendors to send only documents without active content. Ensure as well that the appropriate teams understand the billing and payment cycles, and that they become suspicious of out-of-cycle documents and requests.
6. Train employees to be extremely cautious about clicking on links in emails. Messages with links unrelated to your line of business, messages themselves unrelated to your line of business, and messages with spelling and grammar errors should raise suspicions. Your employees should also not use links in emails to connect to websites of business contacts unless the employees have verified with the sender that the link is expected, and an explanation of the necessity of the link. When calling contacts to verify the validity of links in emails, employees should use their own contact source, such as a corporate address book, rather than a phone number in the message that contains the link. A message with a malicious link may also contain a compromised phone number.
Can I recover from a ransomware attack?
Possibly, but it will not be a pleasant process. Your best chance of recovery is a restore from a backup, and you will lose the records of transactions that occurred since the last iteration of your backup process. As explained above, paying the ransom may or may not produce a working decryption key. Attackers inexperienced in encryption and decryption have provided decryption keys which failed to release the files back to the owner. Prevention is going to serve you much better than hoping for a recovery, so take the necessary steps now to reduce the likelihood of infection.