What Is PII Under GDPR?

The security of user data is of high importance, and that importance only grew with the implementation of the EU’s General Data Protection Regulation (GDPR). These sweeping new regulations went into effect on May 25, 2018. They are European Union regulations, but they have sweeping effects since they apply to any business that stores personal information of any EU citizen.
It’s important to comply with GDPR. The first step, though, is to understand what exactly GDPR requires for your business.
PII Under GDPR
The short answer to the question of what PII is under GDPR is that it’s not a thing. Personally identifiable information is an American term. The rough European equivalent is personal data. It’s important to note, though, that the two are not identical. The European standards are more restrictive, and the European category (personal data) is, therefore, more inclusive.
Here’s the bottom line: don’t assume that if you’re PII compliant, you’re automatically GDPR compliant. You need to do more for the latter.
Defining Terms
If you’re asking the question “what is PII under GDPR?” there’s a good chance you know some of the lingo already, but it’s worth reviewing.
Personally Identifiable Information (PII)
This term refers to any number of pieces of information that a company might store that can be used to identify individuals. Bad actors who accumulate enough PII on an individual may be able to compromise the individual’s accounts or even steal the individual’s identity. Examples of PII include (but aren’t limited to) driver’s license numbers, social security numbers, full names, physical addresses, and credit card numbers.
Remember, this is an American term, not a global one.
Non-Personally Identifiable Information (non-PII)
Non-PII is what’s left that’s not PII, in the American way of viewing things. This is the kind of information that can be used in aggregate forms. It’s useful data, but it can’t be used to identify individuals on its own. Examples include IP addresses, device IDs, and cookies left behind on devices while browsing the web.
Personal Data
Personal data is the EU equivalent of PII. It’s the information that businesses store on customers that could be used to identify those customers. The important difference here is the breadth of the definition.
GDPR concludes that even non-PII can be personal data. Cookies and IP addresses, for example, can be used in conjunction with PII to help reconstruct a person’s identity. For this reason, even these forms of information are considered personal data and are protected under GDPR.
The ruling that even cookies can be considered personal data is why you’ve started seeing cookie warning messages all over the internet. Those companies are seeking to comply with GDPR by receiving permission from all visitors to use cookies.
Best Practices for Businesses
Given the changing landscape of privacy regulations, businesses must adapt and stay compliant. Here are a few best practices for complying with GDPR.
Survey What Data You Collect
The first step toward compliance is to know what your business is collecting. Conduct a comprehensive survey of the data that you collect and store through your site.
Keep Only What You Need
Second, ask the hard questions about what personal data your business truly needs. If it’s not providing real value, dump it.
Get Permission to Keep It
Whatever you decide is essential, ask permission to keep it. That’s what the cookie notices are doing, and you need to do the same.
Conclusion
Data privacy regulations are complex. You might not want to go it alone. If not, we’re here to help. Contact us today!

Will LinkedIn Phishing Threats Defeat The Popular Business Social Media Platform?

The career-centered social media network LinkedIn is the latest victim of phishing efforts on the part of cybercriminals—demonstrating that no organization, no matter how big, is immune to such threats. The phishing attacks are tailored to what LinkedIn users are most likely to be interested in and seek to obtain valuable information from victims. What makes these attacks most concerning from a business perspective is that many LinkedIn users are logging in with their corporate email accounts. When the cybercriminals succeed in getting the information they want, they can gain access to the information of not just the immediate victim, but the organization they work for as well.

Cybercriminals Targeting LinkedIn Users
According to the Security Awareness Training company KnowBe4, a new wave of cybercrime is hitting the LinkedIn community to gain valuable corporate information. Cybercriminals are attempting to get employees to fall for phishing emails—emails that encourage recipients to click a link that leads to a request for confidential information.
The phishing emails are designed to appeal to the personal interests of the recipients, a common tactic with phishing attacks. The goal is to excite the recipient enough that they forget to be cautious. According to KnowBe4, the most popular type of phishing email is one that has LinkedIn in the subject line. Messages from LinkedIn are opened around 50% of the time, so it makes sense for the cybercriminals to use what is most likely to work. They know that around one in two users will open an email that appears to be from LinkedIn, so they tailor their phishing emails accordingly.
Particular Concern for Those with Business Responsibilities
When a phishing attack succeeds against an average person, their personal information and financial information are at risk. But when a phishing attack succeeds against someone who has responsibilities at a business, and therefore security access to protected information of the business, it can lead to damage that harms the business and all of its employees. No one deserves to be the victim of a phishing attack, but there are individuals who, if compromised, can deliver information that will harm more than just one person.
It is predictable that the ones that cybercriminals want most to fall for their LinkedIn phishing attacks are those with higher security clearance in businesses. They know that they could strike a gold mine if they get the right person, with the right information, to fall for one of their phishing emails. That is why they are so devious in the way that they construct their traps. They look closely at the areas of interest of their targets to ensure that they have the highest chance of success.
Areas Where Cybercriminals Focus on LinkedIn
Not just any phishing email will lead to a click from the reader. To get the desired result, cybercriminals must create the kind of emails that recipients are most likely to fall for. KnowBe4 actually conducted tests on LinkedIn to determine which types of emails recipients would click the most often. As mentioned earlier, the most successful phishing emails included LinkedIn in the subject line of the email. According to an article from ChannelFutures, once the recipient looked at the email, they were most likely to click on emails that had the following in the subject line:

Profile Views
New InMail Message
Join my network
Add me to your network

It makes sense that these subjects would attract the most clicks. They all indicate an interest in the recipient, specifically the kind of interest that could lead to an excellent networking opportunity. A desired employer or contact might have looked at their profile or sent them a message. Even better, they might have requested that the recipient become part of their network, or that the recipient allow them to become part of their network. All four subjects target those who are using LinkedIn to further their careers, which explains why they were so successful.
What Can LinkedIn and Users Do to Fight the Problem?
For LinkedIn, the risk of phishing scams and cybercrime is and has always been present. As the company has grown, they have been well aware of the dangers that cybercrime poses to their business and their users. That is why, as with all other major social media platforms, LinkedIn has a dedicated team to identify cybercrime on their platform and to do what they can to fight it. However, there is a limit to what LinkedIn’s dedicated security team can accomplish on their own. Once a platform has millions of users, there will always be criminals who can slip through the cracks. LinkedIn will not be defeated by cybercriminals as a platform. However, the platform’s users do need to be aware of the risks they face.
For businesses, it is best to avoid relying on LinkedIn to keep them and their employees totally secure. Companies have to accept that from time to time, their employees will be targeted by cybercriminals. That is why employee awareness training is so necessary. Businesses must train employees to be aware of the risks of cybercrime, including phishing emails. If you are worried about your employees falling for a phishing scam, consider training them in the red flags of social engineering.
To learn more about cybercrime risks and how to avoid them, please contact our IT services team. We can help you protect your employees and your business.

What Is PII?

If you’ve seen the acronym PII in the news or in trade magazines, you may have questions. What is it exactly, and what is the danger surrounding it? Today’s tech blog post answers these questions and more.
What Is PII?
PII stands for personally identifiable information. Personally identifiable information (from here on, we’ll just use PII) is information tied to an individual that can be used to identify that specific individual. The term usually comes up in discussions of internet security and identity theft. Most everyone in the developed world has plenty of PII. Name, race, address, age, physical description, and even photographs can be PII. So can social security numbers, credit card numbers, email addresses, usernames, and passwords.
Is PII a Bad Thing?
No, PII isn’t bad. Some of it (like name, age, and physical description) is directly tied to our core identities. Much of it is the currency by which we live our lives. You need usernames and passwords to exist on the web, and you need social security and bank account numbers to exist in the financial marketplace. These elements aren’t bad, but they can be problematic.
Then What’s the Problem with PII?
The problem with PII is that if a bad actor (like an identity thief) accumulates enough of a person’s PII, the bad actor can compromise accounts or even steal the person’s identity. While PII isn’t a bad thing, people must do what they can to rein in access to their PII.
Is All PII Created Equal?
No, it’s not. Some items are more valuable (or sensitive) than others. If all a bad actor has to work with is your full name or a photograph, he or she isn’t going to be able to do much. Similarly, if someone gets ahold of your credit card number by itself, it’s almost useless. Some PII, like social security numbers, is more valuable even on its own.
The real problem is accumulation. Thieves can do a lot of damage if they manage to match up a name with the correct social security number. The more PII they add, the more damage they can do.
How Accumulated PII Facilitates Identity Theft
The fuller an identity a thief can build, the more serious damage the thief can inflict. Knowing your name and address accomplishes little on its own. Add in a bank account or credit card number and the last four digits of your social, and now the thief may be able to sweet-talk a customer service representative into issuing a new card or approving a transfer.
How Thieves Accumulate PII
Some PII (usually from significant data breaches) is available for purchase on the dark web. Some of it gets stolen using social engineering or phishing. In too many cases, a considerable amount of PII is freely displayed on a victim’s social media account. If “Where did you go to high school?” is one of your bank account security questions and the answer is freely displayed on your Facebook profile, you’re setting yourself up for ID theft.
Keep Your PII Safe
Much of keeping control of your PII is common sense. Limit what you share on social media, and don’t give away account numbers or your social security number when it’s not necessary. These small steps will go a long way to protecting your PII.
Does your organization need additional help managing PII? Contact us today!

Plan The Perfect Microsoft Office 365 Migration

If you’re trying to figure out whether Microsoft Office 365 is right for you, then migration should be one of your primary concerns.
When it comes to a cloud-based suite like this, migrating to Office 365 from your current IT environment is no small task.
That’s why you have to be sure you know what you’re doing.
Before we get to the 6 steps you should follow for a perfect Office 365 migration, let’s make sure we’re on the same page about what it actually is…
What is Microsoft Office 365?
Microsoft Office 365 is a subscription-based service that enhances Microsoft applications like Word, Outlook, PowerPoint, and Excel with the flexibility and accessibility of the cloud.
There are two primary ways that this platform breaks down – the web-based and premium desktop versions:
Web-Based Microsoft Office 365
The web-based Microsoft Office 365 Business provides users with online (browser-based) access to their full range of favorite Microsoft Office apps:

Word (word processing)
Excel (spreadsheets)
PowerPoint (presentations)
Outlook (email)
OneNote (note-taking)
OneDrive (file hosting and synchronization with 1 TB of storage)
Access (database management, for PCs only)

Premium Office 365
The Premium desktop-based alternative gives users a range of enhanced and advanced features:

Exchange (mail server and calendaring management)
SharePoint (website building tool to share, organize, store and access information)
Teams (a tool for collaboration, meetings, chat, and communication)
Planner (task and teamwork management)
Invoicing, booking and business intelligence tools
Customer relationship management functions
Yammer, Microsoft’s social media platform that enables users to collaborate and connect with each other

However, that’s really just the beginning as to how the many tiers of Microsoft Office 365 plans break down…
What Microsoft Office 365 plans are there, and what do they cost?
As a flagship offering from Microsoft, Office 365 comes in many shapes and sizes. So many, in fact, that you might not know where to begin.
The following list breaks down the many primary plan types offered for Microsoft Office 365, what they include, and how much they cost.
For each plan, these prices refer to a per-user basis, per month. To figure out what it would cost you, simply count the number of users you need to add from your business, and you’ve got your monthly cost – that’s easy to compare against your IT budget.
Exchange Plan 1 – $4.95 USD per user per month
Essentially just the email client aspect of the much larger Microsoft Office 365 platform, this plan includes:

Secure corporate email
50 GB of inbox storage per user
Sent messages up to 150MB
All inbox management features available – sharing calendar dates and contacts, out of office messages, web-based email support.

SharePoint Online Plan 2 – $8.95 USD per user per month
Primarily designed as a file sharing and storage plan, this plan features SharePoint and OneDrive, as well as:

Unlimited personal cloud storage
Real-time co-authoring of files in the Microsoft suite of apps
Centralizing and indexing of the user’s content in libraries and lists with metadata, records management, and retention policies
SharePoint mobile capability
In-Place Holds that allow users to preserve content from edits or deletion

ProPlus – $12.95 USD per user per month
In addition to Microsoft Outlook, Word, Excel, PowerPoint, Access (PC only), Publisher (PC only) and OneDrive (1TB storage), this plan includes:

Web-based and desktop versions of the above Microsoft applications
Skype for Business client (service not included)
Licenses for an unlimited number of users

Enterprise E3 – $21.95 USD per user per month
Including all the applications, services and features of ProPlus, this plan also provides:

File storage and collaboration with OneDrive and SharePoint
Additional apps and services listed under the Premium suite above, such as Microsoft Teams, Yammer, and Stream (providing users with the ability to stream video to team members and other contacts)
Email hosting with 100GB of inbox storage and custom email domains
Unlimited personal cloud storage
Online video conferencing for up to 250 attendees
Online meetings for up to 10,000 attendees through Skype Meeting Broadcast or Microsoft Teams live

Business Essentials – $7.95 USD per user per month
An even more business-focused plan, this offering includes:

Mobile installation of Office apps (up to 5 devices per user)
Outlook email (50 GB of inbox storage per user and sent messages up to 150MB)
OneDrive for Business (1 TB of cloud storage per user)
Microsoft Teams
HD video conferencing
Yammer collaboration software
Office online (browser-based suite of Office apps)
Planner (project management platform that allows staff to plan projects, assign tasks, share files and communicate)
Microsoft Flow (workflow automation app that allows users to automatically configure notifications, sync files, collect data without having to code the process)
PowerApps (app development platform that allows users to build business-specific web and mobile apps)

Business Premium – $14.95 USD per user per month
In addition to the complete desktop and online Office 365 suite of applications (Outlook, Word, Excel, PowerPoint, Teams, OneNote, Access [PC only], Publisher [PC only], SharePoint, and OneDrive), this plan includes:

Business management and CRM tools – Outlook Customer Manager, Bookings, Invoicing and MileIQ
The range of online services offered in lower-tier plans like ProPlus and Business Essentials

Business – $20.00 USD per user per month
As the most commonly recommended plan for businesses, Microsoft Office 365 Business includes everything Business Premium has to offer, plus:

Enhanced security features such as attachment scanning and link checking for email, Information Protection Policies that add controls over how info is accessed, and data backup features that keep your information accessible
Device management features, fully integrated with iOS, Android and Windows, that allow for simple deployment and management of Windows on your mobile platforms

So that’s what these plans include – but obviously, that’s not all you need to know to make your decision.
There’s another key question…
What about Microsoft Office 365 migration?
Now that you know more about Microsoft Office 365, you may be interested in seeing what it can do for your business firsthand.
Unfortunately, it’s not that simple.
If you’re not already using Microsoft Office 365, then you have to figure out how to migrate to it. Migrating from one business technology to another isn’t necessarily a simple process.
Before starting on the step-by-step process, make sure you have these three key aspects prepared:
List of Users
Keeping careful track of how many users you have and what they need to do will make migration much smoother than it would be otherwise. The last thing you want to do is overlook a user here or there and find they can’t access the system after launch because there weren’t enough licenses or log-ins arranged.

Temporary Passwords
While you sort out the details of your new Microsoft Office 365 environment, it’s smart to work with temporary passwords. That way, it’s easy to test the environment without issuing official credentials and log-in info.
Domain Registrar Information
This is especially important for Microsoft Office 365 migrations – why? Because email is a central facet of Office 365. In order to ensure seamless changeover between your previous email client and Microsoft Outlook, you’ll need complete information on your domain registrar.
The 6 Step Process To Microsoft Office 365 Migration
Planning makes all the difference between a successful migration and a disastrous one.
Follow these steps and take your time to execute an effective migration:
Plan ahead.
When preparing for your migration to Microsoft Office 365, it’s important to plan efficiently and thoroughly.
The best way to achieve this is with an actual meeting with those who are involved in the process. You should talk through a number of key factors in the migration, such as:

Why are we choosing to migrate?
What benefits do we expect to gain from migrating?
How will our infrastructure change during migration?
How will the user experience change after migration?
How will we train staff members on using Microsoft Office 365?

This is an especially vital step because, if you don’t have answers to these questions, then you probably aren’t ready to migrate.
Knowing how to answer these questions means that you can avoid common pitfalls and hit the ground running with your new IT environment.
Furthermore, you’ll want to make sure your entire staff understands what migration means for their work. What kind of downtime will they encounter, what are the benefits they will have access to once it’s complete, etc.
Plan for your infrastructure.
The new Microsoft Office 365 environment will be built on the foundation that is your infrastructure, so you better make sure it is up to the task before you start.
Infrastructure-based considerations should include:

Bandwidth: You should assess your bandwidth to zero in on exactly how many concurrent client machines are connected to the network at any one point in time. In theory, your bandwidth should be able to support at least that many concurrent machines running Microsoft Office 365, which dictates the necessary network segments and connections you’ll need.
Hardware: Migration is a great opportunity to take stock of your hardware. For example, in your new environment, will you need a server dedicated for Skype for Business? That depends on how heavily you plan to make use of it. This is the type of question you need to answer (and do something about) before you migrate, and not after.
Software: As Microsoft Office 365 provides virtually all the software you could possibly use, there isn’t too much to take stock of in your old environment.
However, if you and your staff currently use mail-enabled applications that you’re fond of, or that are so specific to your business and industry that you’ll need them post-migration anyway, then you need to make sure they are compatible with Exchange Web Services.

Equip yourself with a deployment tool.
The good news is that you won’t have to handle much of the migration process all on your own. Microsoft offers a Deployment Readiness Tool to help users plan out the many aspects of a successful migration – primarily, environment discovery.
This tool can analyze and gather info on your IT system’s Active Directory and domain settings, helping to take stock of your Exchange, SharePoint, End User environment and Skype for Business settings. In addition to the app-based features, the Deployment Readiness Tool will also log your network configurations and settings so that they are carried over in migration as well.
Furthermore, Microsoft also has an Assessment and Planning Toolkit. While it is not designed specifically for Office 365, it is useful for discovery and inventory of cloud services and applications. If you’re migrating from a cloud-based or hybrid environment, the Assessment and Planning Toolkit will likely be a useful aid in determining what you need to keep track of.
App-specific planning.
While much of Office 365 will migrate seamlessly from one version of Microsoft Word or Excel to the next, there are a couple of Microsoft apps and services that will require further attention when you migrate:

SharePoint: Prior to connecting to SharePoint, there are a few steps you’ll need to take through the Administration Center. Primarily, you’ll want to double-check global site collection settings, Internet, Intranet, and Extranet settings, user profiles, and MySite. In each of these cases, you’ll want to be sure that their settings match those of your current environment. The default settings in SharePoint may not match your current ones, so take the time to verify before you start sharing business data.
Skype For Business: If you and your staff intend to use Skype For Business, particularly public Instant Messaging, then you’ll need to make sure your staff knows how. Specifically, Windows Live is supported for public IM in Skype for Business, but Yahoo is not. Furthermore, this is separate from on-premises IM. In both cases, your staff will need to know how it works in order to get the most out of it. If you intend to use public IM, you may need to migrate from Yahoo entirely.

Lay out the end-user experience.
Once you’re done migrating, you’ll want your staff to be able to hit the ground running, right?
Then make sure they can actually do so before you start the migration. This means making sure the browsers they use are supported for web-based Office 365, and the operating systems they use are supported for the suite:

Supported browsers: Internet Explorer, Mozilla Firefox, Google Chrome
Operating systems: Microsoft Office 2010, 2007 SP2, 2008 for Mac, Office Web Apps

It’s time to migrate.
Now that all the groundwork has been done, you’re ready to migrate.
Remember, there’s no rushing this process. If you want it to be effective, and if you want your new Microsoft Office 365 environment to work as planned, then be patient and follow the steps carefully.
Is Microsoft Office 365 right for you?
Depending on what you do for business, how large your organization is, and what your budget will allow, Microsoft Office 365 may or may not be the right choice. Only you can decide for sure.
If you do believe that Microsoft Office 365 will have a positive effect for you, then make sure to carefully plan your migration. Regardless of whatever benefits it may bring you, a poorly planned migration is not worth the trouble it causes.

Happy Mother’s Day!

May 12th is Mother’s Day – what are your plans to mark the occasion? Flowers? A special meal? A day out with the kids?
 
Whatever your plans are, take some time this Sunday to celebrate all of the mothers in your life, not just your own.
And if this is your day? The {company} team hopes that it’s a great one!