by Felicien | Dec 27, 2018 | Education
If you own or manage a small business, you’re undoubtedly concerned about how to keep your customers’ personal and your business’ proprietary and financial information secure. While you may not think that you have much to steal, since you are a small operation, a cyber thief misappropriating your customers’ credit card and bank account information could cause your business and its reputation to take a big hit. It’s not an exaggeration to say that such a breach has the potential to put you out of business. One surprising resource for tips on keeping your information safe is the U.S. Department of Homeland Security.
What you can learn from Homeland Security about cybersecurity
According to the U.S. Department of Homeland Security, nearly half of all small businesses will be the victim of cyber theft, and each incident costs the company an average of $9,000. This government agency has a wealth of information to help small and medium-sized businesses prevent such criminals from invading their computer databases. They offer a toolkit to help smaller enterprises assess their risk level as well as more than a dozen downloadable resources. They also provide a list of tips to help business owners and managers prevent cybercrime.
Tips for combating cyber theft
The Department of Homeland Security recommends that all businesses take at least these necessary precautions:
1. Install anti-virus software and keep it, and its signatures, updated.
2. Secure your Wi-Fi network with a firewall and encryption (WPA2 or better); an open network, or one still using the broken WEP scheme, exposes everything that crosses it.
3. Set up company systems and procedures (who may access sensitive information, where it is stored, how it is disposed of) to keep it safe.
4. Educate your employees about how to keep data safe, and then hold them accountable for breaches.
5. Require that your employees use strong, unique passwords. The DHS list also says to change them often; current NIST guidance (SP 800-63B) instead favours long, unique passwords that are changed when there is evidence of compromise, since forced rotation tends to produce predictable variations.
6. Spend a little money on data loss prevention (DLP) software. Encrypt data you are sending out of your network, and use two-factor authentication wherever possible.
7. Serve every public page of your website over HTTPS, not just the checkout or sign-in pages; a page delivered unencrypted can be altered in transit to capture whatever the visitor types later.
To learn more about cybersecurity and how you can keep your company’s and your customers’ sensitive information protected from cybercriminals, give us a call at {phone} or send us an email at {email}. That way you don’t have to worry about remembering all of these tips; we’ll take care of it for you and allow you to concentrate on your customers.
by Felicien | Dec 27, 2018 | Education
Many business owners don't realize that new rules surrounding data breaches are in place. On November 1, 2018, mandatory breach-reporting requirements took effect for businesses across Canada. They affect thousands of businesses, so it's essential for all business owners to be aware of the changes and be prepared to comply. If these rules are not followed, businesses can be fined up to $100,000.
Breaches Must Be Reported to the Government
If you collect customer data such as banking information, legal or health information, or identifiers such as SINs (Social Insurance Numbers), and your database is breached, you must report it to the government. The law defines a reportable breach as one that creates “a real risk of significant harm to individuals.”
How Will These Changes Impact My Company?
You must report a breach like this to the Office of the Privacy Commissioner of Canada, along with the individuals who were affected. All those whose private legal, health or financial information was lost must be informed. They need to know precisely what information was lost, how many records were impacted and what caused the breach.
Companies must also show that they have taken the appropriate measures to prevent future breaches. If the prescribed steps are not followed correctly, the company can be heavily fined. In many cases, data breaches also damage the company’s reputation and affect consumer trust.
What Are The Specific Laws Changing?
This new law governing data breaches is not a stand-alone law. It's an amendment to PIPEDA, Canada's Personal Information Protection and Electronic Documents Act. The Office of the Privacy Commissioner of Canada publishes a summary of Canada's privacy laws and of the specific rules that apply to digital information; it's important to understand and comply with both.
Many experts have pointed out that the wording in PIPEDA does leave room for interpretation. It covers situations where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” This wording is somewhat vague and may be interpreted in various ways by the Canadian courts.
Steps to Follow If There’s A Breach
Below is a brief outline of what your notification to affected individuals must cover if you experience a breach:
The nature of the breach and what specific data was stolen
What your organization has done to reduce risk and harm
How those affected can protect themselves and reduce their risk
Contact information for someone at the organization who can answer questions about the breach
The organization's complaint process, and the individual's right to complain to the Privacy Commissioner of Canada
How Did the Breach Occur?
Once the source of the breach has been identified, the vulnerabilities must be repaired. Some breaches occur due to employee carelessness; perhaps an employee clicked on a link in a phishing email. With so many workers now using their own devices, a lost or stolen device opens another door. One way to handle this is a remote monitoring and management (RMM) program, paired with mobile device management (MDM) for phones and tablets. This can be set up and managed by {company}. It offers multiple benefits, including:
Compliance with regulations
Remote wipe if a device is lost or stolen
Find my device technology
Application management such as updates and patches
{company} can monitor and manage all your technology on a 24/7 basis. With Managed IT Services you can prevent downtime and keep your technology running smoothly. We can notify you of areas where we believe your database might be at risk and suggest ways to repair this vulnerability.
Other Ways to Mitigate Vulnerabilities
Having data stored and managed in the cloud can decrease your company's liabilities. The cloud offers many benefits, including strong baseline security, scalability, flexibility and a mobile workforce. Be aware, though, that the provider secures the platform, not your use of it: you remain responsible for who can access the data, whether it is encrypted and whether access is logged.
How To Protect Your Data From Intrusion
With hackers around the world now scaling up their attacks, businesses must be thoroughly prepared. Simple firewalls and antivirus software are no longer enough. Most security experts recommend a layered approach to security. Follow these guidelines to protect your data from future data breaches:
Policies: Create and enforce security policies for your company.
People: Make sure your employees know what a phishing email looks like. Most workers need regular, periodic training in this area so they don't get careless.
Technology: Make sure you have the right technologies in place to prevent a cyber-attack from occurring in the first place.
In Conclusion
Canadians want to know how their personal information is being used. And they have a right to know what information is being collected and how it's being used. In the future, these laws will most likely get even more strict, for several reasons. Data breaches cost companies around the world billions of dollars each year. Cyber thieves are becoming more and more clever. They have fine-tuned their approach and figured out how to get people to open phishing emails. They can mimic the look of major companies like Spotify, PayPal, Apple and Microsoft. Ransomware scams have been highly successful, and hackers can earn thousands of dollars per day by encrypting a company's data and demanding a ransom for the key that unlocks it; without tested offline backups the victim has little choice.
What Can You Do?
There are numerous ways to protect your data from a breach. {company} can help you assess your current security protocols and create stronger measures. We can also advise you on how to proceed if a data breach has already occurred. It’s essential to determine exactly what happened and notify those affected along with Canadian authorities as quickly as possible. By waiting, you risk hefty fines and your company’s reputation could be ruined.
Proactive monitoring can help. We will continually scan and track the stability and security of your IT systems for maximum uptime and to identify security issues early.
by Felicien | Dec 26, 2018 | Education
The new year is already upon us, but it is not too late to put together a solid, sensible information technology plan for 2019. Strategic planning in all areas of operation—including technology—helps organizations budget for and efficiently manage day-to-day requirements while investing in long-term projects and solutions.
As your business evolves, so will its IT requirements. Likewise, as technology advances, your company will also have to adapt to stay viable and competitive. For 2019, your top concerns regarding technology likely will include:
Upgrading software
Making data and systems more secure
Preparing for structural changes
Responding to threats and emergencies
Supporting business growth—locally, nationally, and/or globally
A vigorous technology plan should address these concerns, as well as those unique to your business and industry, and provide a framework to guide IT-related decision-making, prioritization, and task-implementation. If you have not yet started, here are a few ideas for how you can start putting together a robust technology plan to support the success of your company in 2019.
What should a technology plan account for?
Anticipated changes within your company may impact what items your strategic technology plan needs to address for 2019 and the years beyond. Having a clear picture of where your company or organization is headed will make it easier for you and other members of the IT team to determine which new technologies and upgrades are necessary and/or preferable for your specific business strategy. For instance, you should consider whether your organization plans to add or eliminate a notable number of employees within the fiscal year. Another question to address: Are you planning to acquire any additional companies or provide new products or services? All these considerations will factor into your technology requirements. As you determine which new software, hardware or other IT solutions you may need in 2019, make sure they will integrate well with your existing IT environment.
Additionally, your technology plan should include arrangements for support services, including installation, maintenance, upgrading, and troubleshooting. Most business operations for companies across a range of industries are severely limited when technical issues arise, making it vital for you to preempt possible IT disruptions and have a plan for dealing with them.
How can companies deal with IT security threats?
It is common knowledge that cyber-security threats are continually evolving, along with the IT defenses needed to prevent and mitigate the risk. According to the Information Security Forum, an independent research organization, companies should stay well-informed about emerging technologies and corresponding threats to position themselves to make the best business decisions.
Information Security Forum’s Threat Horizon for 2019 reports on nine major threats that companies should expect to face in earnest over the coming year or two.
The first category of threats pertains to disruption from an over-reliance on fragile connectivity. The cyber-security threats in this category include:
Premeditated Internet outages
Hijacking from ransomware
Privileged insiders aiding in cyber-attacks
The second category covered by the Information Security Forum's report deals with distortion, which occurs when trust in the integrity of information is lost. The risks in this category include:
Automated misinformation gaining undue credibility
Falsified information compromising performance
Subverted blockchains
In the third and final category are threats that have to do with deterioration, or controls eroding because of regulations and technology. These threats include:
Surveillance laws exposing corporate secrets
Privacy regulations impeding how organizations monitor insider threats
Overly enthusiastic deployment of AI (artificial intelligence) leading to unexpected outcomes
The proliferation of smartphones, tablets and other mobile devices being used in professional environments only increases the amount and varies the types of cyber-security risks that companies face. As a business of any size, your goal should be to protect your systems and networks from data loss or malicious attacks, both internal and external.
Should you invest in Cloud technology?
Compelled by factors such as profitability, efficiency, and gaining a competitive advantage, about 71 percent of small-to-medium-sized businesses (SMBs) intend to increase their investment in cloud-based technologies in 2019, according to survey data from Bill.com, a company that creates digital business payment solutions. The three primary areas for anticipated investment, according to respondents, include marketing software, sales software, and payments software. Cloud computing allows for streamlined operations, connected through a sort of virtual office accessible to employees and clients. While it comes with some risks, especially about privacy and security, cloud technology is definitely trending for the capabilities it provides, such as flexibility, potentially lower IT costs, collaboration efficiency, access to automatic updates, and business continuity.
Bill.com’s Chief Marketing Officer Yael Zheng reportedly stated, “These businesses are now developing a clear understanding of how technology can help them streamline processes and ultimately power business growth, which I anticipate will lead to even more investment in the future.”
As you put together and implement a technology plan for 2019, consider whether further embracing and investing in cloud-based technologies can help propel the growth of your business.
What changes are coming to Windows?
Beware: Jan. 14, 2020, is an essential date for Microsoft users. On that day Microsoft ends support for Windows 7, as well as Windows Server 2008 and 2008 R2, after which they receive no security updates at all. If you have not already formulated a plan to upgrade to Windows 10 and newer server software, 2019 is your opportunity to do so. Microsoft's options include upgrading to Windows Server 2016 or a later release, or migrating your company's workloads to Azure. Replacing outdated software and server systems is critical to protecting your infrastructure, applications and information. Even before the deadline, as early as spring 2019, an outdated Microsoft system may stop receiving security fixes: Microsoft is moving the signing of Windows updates from SHA-1 to the stronger SHA-2 algorithm, and Windows 7 and Server 2008 systems that have not installed the SHA-2 support update cannot verify, and will not install, updates signed only with SHA-2. Keep in mind this transition may take some time, making it imperative to start the process sooner rather than later.
Is technology planning an easy goal to accomplish?
As the year progresses, you may have to work with IT consultants and other department heads within your company to update or tweak your technology plan to address unexpected costs and events or to take advantage of current opportunities in the marketplace. Once you start a project outlined in your plan, you may also have to adjust cost estimates or deadlines to have a more realistic framework to guide progress. Just because adjustments might need to be made down the road, however, that does not negate the prudence and benefits of engaging in a formal strategic planning process at the start of the year. Doing so can help you optimize IT spending and proactively invest for the future, creating a culture of continuous improvement rather than merely trying to stay on top of day-to-day technology needs.
From the get-go, and along the way, your organization should take advantage of the knowledge and expertise of IT consultants and advisors who are more well-versed on current market trends, innovative technologies, and emerging cyber-security threats.
by Felicien | Dec 26, 2018 | Education
Data breaches and phishing scams are becoming more common among cybercriminals. There have been so many data breaches, in fact, that the chance that some of your private information has already been discovered by online scammers and sold to others is pretty high. One of the most significant data breaches in recent years, among those that have been discovered (many large ones have not been found yet), was at Anthem Blue Cross/Blue Shield. If you are concerned you may have been a victim of that particular data breach, there are some things you should know, as well as things you can do to minimize the damage to your credit and identity.
Anyone who has been a customer of Anthem Blue Cross/Blue Shield in the past decade is a potential victim of this data breach, and should thus take some steps to do damage control, whether they have noticed anything odd in their credit report or use of personal information. Potential victims also include those who used the Blue Card in any area affiliated with Anthem during that period.
It is not only a data breach at Anthem that should be of concern to current and past customers. Anthem has also issued a warning about a phishing scam mimicking calls and emails from their company. The scammers will ask for personal information when they contact you, such as Social Security numbers and credit card numbers, which are all things Anthem never asks for in these ways. They will never ask for this information as a means to identify you.
Anthem has been working closely with a well-known and well-respected security firm called Mandiant to mitigate the damage from the data breach and phishing scam. It has also been working in close conjunction with the FBI to discover more about the origins of the data breach, which was discovered in January of 2015.
In the data breach, the following things were stolen from Anthem’s customers:
Names
Dates of birth
Social Security numbers
Home addresses
Personal email addresses
Employment information
Income
Anthem health ID numbers
Anthem is offering current and former customers who may have been impacted by the data breach two years of free credit monitoring and credit repair services if needed. Most of the customers who have or may have been affected by the data breach were sent letters in February. The letters let customers know about the breach, how it may impact them, and that it took place across several weeks in December of 2014. The letter also warns current and former customers of the phishing scam that is ongoing.
Anthem is particularly calling out to customers in the letter to let them know that they are not phoning or emailing them about the data breach, and are not asking for any credit card numbers or Social Security numbers over the phone.
In fact, the phishing scam appears to be attached to the data breach, either being done by the people responsible for the data breach, or by people taking advantage of it. The scammers behind the phishing scheme know about the data breach and are using people’s concerns about their personal information being involved in it to get them to give their most sensitive information in a belief that Anthem will use that information to protect them against being affected by the data breach.
While some people are receiving phone calls in the phishing scam, with the telephone numbers looking like they are coming from Anthem, others are receiving emails. The emails include a link that says “click here” to sign up for free credit monitoring. Anthem is already automatically giving everyone affected or possibly affected by the breach free credit monitoring, so the emails are not coming from Anthem, even though they are made to look like they are. Anthem is quite clear in its letters to customers about the breach that the emails are not from them.
Those who are concerned they may have been affected by the Anthem data breach are being protected by Anthem, but there are additional steps they can take. These additional steps ensure the maximum level of protection now and in the future. Some things that people can do to protect themselves include:
Change passwords on just about everything they do online, but particularly email, financial accounts and social media.
Get a copy of their credit report from each of the three credit bureaus and place a fraud alert on it (an alert placed with one bureau is passed to the other two).
Dispute any items on their credit reports that are not real.
Closely monitor transactions on all credit, debit and bank accounts, and report any suspicious or fraudulent activity to the bank or card issuer involved.
Doing these things will give individuals a sense of control over their potential exposure in the data breach, and will also go a long way toward helping ensure their personal information and finances stay protected.
by Felicien | Dec 26, 2018 | Education
Chief information security officers face new and stronger threats to systems in 2019. Not only are hackers deploying more sophisticated attacks, but attackers have new targets in their sights. Also, geopolitics and consumers will continue to play an outsized role in discussions of cybersecurity issues.
Knowing what issues are on the horizon will help CISOs plan accordingly and deploy solutions ahead of the looming problems.
What New Technologies Are Hackers Using?
One growing threat is botnets: networks of hundreds, thousands or millions of compromised computers that a hacker controls through a command-and-control (C2) server. The infected machines, often called zombies or bots, check in with the C2 server for instructions.
One widespread use of botnets is the distributed denial of service (DDoS) attack, in which the bots flood a target with so many requests that it can no longer serve real ones. The site is not damaged once the flood stops, but attackers sometimes demand a ransom to call it off, and an outage during peak trading is costly on its own.
Bot malware reaches machines in several ways: worms that spread across a network on their own, malicious email attachments such as macro-laden documents, and exploit kits served from compromised websites (described below). Once installed, the bot typically scans for further victims, so a single infected laptop can seed a whole office.
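As an added example (not code from the article), here is how a defender might spot both halves of the botnet problem in ordinary web-server access logs: a source firing far more requests than a person could, and a host that fetches the same URL at a fixed interval, the way a bot polling its C2 server does. The log lines are constructed for the example, and the thresholds are assumptions to be tuned against real traffic:

```python
"""Flag flood sources and beacon-like clients in web-server access logs.

Added illustration, not code from the original article. The log lines are
constructed here in the common "combined" format; the thresholds are
assumptions a defender would tune to their own traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+'
)


def _line(ip, when, path):
    ts = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: 10.0.0.5 sends 200 requests in ten seconds (flood),
# 10.0.0.9 fetches the same URL every 60 s like a bot calling home, and
# 192.0.2.7 browses a few pages at irregular intervals.
_BASE = datetime(2018, 12, 27, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("10.0.0.5", _BASE + timedelta(milliseconds=50 * i), "/") for i in range(200)]
    + [_line("10.0.0.9", _BASE + timedelta(seconds=60 * i), "/api/ping") for i in range(8)]
    + [_line("192.0.2.7", _BASE + timedelta(seconds=s), f"/page{i}")
       for i, s in enumerate([3, 17, 18, 45, 120, 121, 300])]
)


def parse(lines):
    """Return (ip, timestamp, request) for every line that matches the format."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((m["ip"], when, m["req"]))
    return events


def flood_sources(events, window_s=10, max_requests=50):
    """IPs that exceed max_requests within any sliding window of window_s seconds."""
    by_ip = defaultdict(list)
    for ip, when, _ in events:
        by_ip[ip].append(when)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, when in enumerate(times):
            while (when - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_requests:
                flagged.add(ip)
                break
    return flagged


def beacon_sources(events, min_hits=5, min_interval_s=10, max_jitter_s=2.0):
    """Map IP -> (request, period) for clients that repeat the same request at a
    near-constant interval. min_interval_s keeps floods (tiny, regular gaps) out
    of this bucket; max_jitter_s bounds the standard deviation of the gaps."""
    by_key = defaultdict(list)
    for ip, when, req in events:
        by_key[(ip, req)].append(when)
    flagged = {}
    for (ip, req), times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) >= min_interval_s and pstdev(gaps) <= max_jitter_s:
            flagged[ip] = (req, round(mean(gaps)))
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("flood sources:", flood_sources(ev))
    print("beacons:", beacon_sources(ev))
```

Run it to list the flood source and the beacon with its period. Real bots add jitter and rotate paths, so production detection usually keys on destination rather than source and looks at DNS and proxy logs as well; the sliding window and gap-variance tests are the same.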
The challenge for CISOs is to remain ever-vigilant in this front line of attack. Anti-malware software that is continuously running in the background and automatically updated is one key solution. However, companies large and small also need to stay on top of the software, hardware and operating system upgrades, making sure that all devices and programs are updated. These protections need to be in place both for core system servers and end-user devices.
Finally, defense in depth should include regular, meaningful and compelling personnel training that makes employees aware of how to avoid phishing traps and remain suspicious of unknown or unfamiliar emails and attachments.
Are There Other Risks from Hackers?
Hackers frequently use the Dark Web to trade, share and buy information. As defenses get more complicated, hackers become more determined to find new ways to thwart preventative measures.
Take, for example, exploit kits, which are traded regularly on the Dark Web. Hackers do not issue attacks in one fell swoop. Instead, they sniff and explore different aspects of a target. While malware and phishing schemes target end users, other tools are deployed to explore the system’s website and perimeter.
Exploit kits are self-contained, all-in-one tools built to stay out of sight. The operator compromises a legitimate website, often through a vulnerability in its content management system or a plugin, and plants a small redirect in its pages, typically a hidden iframe or an obfuscated script. When a visitor loads the page, the browser silently fetches the kit's landing page from the attacker's server, which fingerprints the browser, its plugins and the operating system, picks an exploit for an unpatched vulnerability it finds, and uses it to download and run malware on the visitor's computer.
Another example is the advanced persistent threat (APT). The term describes a stealthy, long-running intrusion rather than a single tool: the intruder, usually a well-resourced group, gains a foothold, keeps a low profile so as not to trigger alarms, and stays for months. APTs generally avoid visible file damage because their goal is to keep stealing financial and other critical information. Once login credentials are captured, the intruder moves laterally to other systems and compromises even more data.
Then there's the drive-by download. Such attacks require no action from the user beyond visiting a page: malicious code runs automatically through a vulnerability in the browser, a plugin or the operating system. Exploit kits are the usual delivery mechanism, and they often try several exploits in turn in the hope that one gets past your defenses.
Stopping these attacks means updating browsers, using anti-malware tools and deploying sophisticated firewalls that monitor and protect the network’s perimeter. Intrusion detection systems and alerts can identify, contain and neutralize many of these threats before they cause significant damage.
What About Blockchain and Cryptocurrency Defense?
The growing use of blockchain technology and cryptocurrency has created new opportunities for theft. The blockchain itself is hard to tamper with, but the wallets, exchanges and computers around it are not, and mining cryptocurrency is lucrative enough to attract criminals.
The challenge with mining for crypto is it takes a tremendous amount of computing power. Hackers are hijacking (cryptojacking) corporate and personal computers to take advantage of their processors to mine. It’s a passive way for hackers to make money, but can dramatically slow down computer performance and add to utility costs. As long as cryptojacking remains profitable, it will be a headache for CISOs.
Do I Need to Worry about Cloud Data?
More companies have shifted data and applications to the cloud, breathing a collective sigh of relief that the protection and monitoring of that information are in the capable hands of a trusted third party. The provider does secure the underlying platform, but under every major provider's shared-responsibility model the customer remains responsible for what it puts there: the access controls on storage, encryption of the data and management of the keys. Companies often skip that part, so a great deal of sensitive information sits in cloud storage that is misconfigured to be readable by anyone who finds it, or is stored unencrypted so that anyone who does get in can use, steal, manipulate or alter it.
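As an added example of the misconfiguration just described, here is a check over cloud storage bucket policies in the AWS S3 policy format, written for this page rather than taken from the article. The two policies are constructed: the first makes every customer record readable by anyone on the internet, the second restricts reads to a single application role (the account ID and role name are placeholders) and refuses any access that does not use TLS:

```python
"""Spot bucket policies that hand read access to the whole internet.

Added illustration, not code from the article. The two policies are
constructed: the first is the weak setting, the second the corrected one.
The account ID and role name are placeholders; aws:SecureTransport is a
real condition key that is false for requests made without TLS.
"""
import json

READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """Principal "*" and {"AWS": "*"} both mean anyone, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json):
    """Return the Sids of Allow statements that grant object reads to anyone
    with no Condition narrowing them down."""
    policy = json.loads(policy_json)
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS and not stmt.get("Condition"):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


# Weak setting: every object in the bucket is readable by anyone.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::customer-records/*",
    }],
})

# Corrected: one application role may read, and nothing happens over plaintext.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/billing-app"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::customer-records/*",
        },
        {
            "Sid": "DenyPlaintext",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::customer-records",
                         "arn:aws:s3:::customer-records/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    print("weak policy:", public_read_statements(WEAK_POLICY))
    print("hardened policy:", public_read_statements(HARDENED_POLICY))
```

A similar Deny on s3:PutObject conditioned on the s3:x-amz-server-side-encryption key enforces encryption at rest. None of this is applied unless the customer configures it, which is the point of the paragraph above.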
Hackers are shifting their tactics about how to disrupt data. Instead of stealing it, they are manipulating data. Data manipulation attacks can do serious harm to company reputations as data users question the reliability and accuracy of data sources. The impact on information providers, financial institutions and medical practices and hospitals could be devastating if data are altered such that an organization’s integrity is questioned.
What About Data Regulations?
In 2018, two significant regulations came into being. The General Data Protection Regulation (GDPR), in force since May 2018, governs data protection and privacy for residents of the European Union and affects any organization that does business with them. California passed the California Consumer Privacy Act (CCPA), a sweeping privacy law that takes effect in 2020 and requires companies to disclose, on a consumer's request, what personal information they collect about that consumer and whether and to whom it is sold.
More regulation is likely. With more regulatory complexity will come additional challenges for CISOs.
Consider that Europe, China and the U.S. have very different approaches to data and its regulation. China takes a very nationalistic view of data, seeing it as something to be protected and contained within the country’s borders. Europe considers data as something that needs to be highly protected and kept secure.
The U.S. has seen data as a commodity to be commercialized, sold and leveraged for financial gain. There is very little unifying federal guidance on data security like Europe’s GDPR.
In the U.S., companies could face different data privacy requirements from each state if others take California’s lead.
What does this mean for companies? A complicated regulatory landscape. There will be difficulty in gathering, storing and using data from multiple jurisdictions. It could also lead to greater compliance issues as companies need to grapple with similar but distinct reporting standards for different states, countries or regions.
What Political Concerns Affect Cybersecurity?
The U.S. is embroiled in several controversies with other nation-states related to cybersecurity. Ongoing investigations about Russian intervention in elections, trade wars with China, and concerns about trade agreements in North America and Europe add to a climate of political uncertainty. Cybersecurity will likely continue to be a political issue both domestically and internationally throughout 2019, especially in the lead up to the 2020 presidential elections.
How Are Consumers Affected?
As consumers and companies become more interconnected, hackers are shifting their targets away from corporations to consumer devices. This concern becomes more significant with the vast proliferation of the internet of things. With smarter, connected devices in use comes added vulnerability. Hackers could, for example, attack a smart television and hold it for ransom. Connected toys could become a target for child predators. Already there is an increase in sextortion attacks designed to shame victims into believing their visits to porn sites were recorded and will be released if a ransom isn’t paid.
While these consumer-based issues may not directly affect CISOs, they will if the attacks come from your devices or services or a result of data stolen from your company.
What Issues Arise from Passwords?
Multi-factor authentication has spread rapidly in recent years, and with good reason: simple passwords remain a prime target, reused across sites and harvested through phishing and breaches. For companies that deploy low-cost multi-factor solutions, such as an authenticator app or a hardware key, a stolen password alone no longer opens the door, and password-related breaches become far less prevalent and relevant. One caveat: codes sent by SMS or typed into a web form can themselves be phished or intercepted, so prefer app-generated codes, or better still hardware keys, for administrators and other high-value accounts.
How Can We Combat Shadow Systems?
Ego, internal politics and budget often make it challenging to address rogue and shadow IT systems. The reality is that shadow IT systems not governed, maintained or monitored by central IT staff are a significant liability. With increased awareness and understanding of cyber threats, CISOs should use 2019 as a time to finally pull the plug on rogue systems.
Each year brings new complexities and challenges to IT security officers. Getting ahead of these issues and making sure your organization is ready to address them is a valuable new year’s resolution.
by Felicien | Dec 24, 2018 | Education
Computer systems have a way of breaking at the worst possible time: in the middle of your business’s rush season, right before a long weekend or when your regular IT technicians are on vacation. When this happens, many organizations call a repair service, looking for an estimate on getting back to work as quickly as possible. While this can be an acceptable solution in the short-term, it can become quite expensive regarding lost productivity and direct costs over a more extended period. When you’re not able to plan ahead for the costs associated with a problem, you may find that your IT budgets are short when you get ready to implement the “next big thing” for your business users. Reduce the overall risk to your business and protect your ongoing profitability by implementing a managed IT services model.
What Are Break/Fix IT Services?
At their most basic, break/fix IT services are precisely that: when something breaks, you call someone to fix it. While this is a highly simplistic explanation, it represents a more reactive approach to technical problem resolution. Instead of actively looking for ways to partner with organizations to enhance their security, shore up problems and enhance usability, companies who specialize in break/fix solutions wait to hear about a problem before they jump into action. When that happens, technicians work with your business remotely or come onsite to diagnose the problem, ultimately charging your business a steep hourly rate for the resolution. You pay only for services that you're using when you need to use them. While there are no monthly or ongoing fees, it is hard to predict when you're going to have a problem or how much fixing it will cost.
If the technician you work with doesn’t have experience with your particular platforms, they may spend a fair bit of time getting up to speed and researching the issue and resolution. If the problem isn’t fixed the first time, you’ll be charged each time technicians spend time working with your business. It’s difficult if not impossible to predict long-term support costs with this model and since technicians are paid by the hour, there isn’t a compelling case for them to quickly come to a resolution that gets your teams back online.
How Are IT Managed Services Different from Break/Fix?
With an IT managed services model, you're paying a consistent monthly rate to ensure that your business infrastructure remains secure, scalable and accessible. An IT managed services contract often includes guaranteed uptime and specific expectations around how quickly questions are answered or solutions provided. This means that your IT department is able to accurately project costs over time while still maintaining a high-performance, complex environment. This type of model allows your technology team to offload many of the day-to-day tasks associated with infrastructure management, such as:
Password resets
File and folder recovery
Application of software and security patches
Virus and malware protection
Server scaling
Software license management
Business continuity and disaster recovery solutions
Mobile device management
Security and compliance support
Each of these services provides unique value to your business while giving your IT professionals the capacity to push internal business and technology initiatives forward.
Enhanced Security Solutions
A key concern for businesses today is the security of systems and data, both information in transit and information at rest. With a managed services IT provider, you have the assurance of a team of security experts actively reviewing your business's security and performance metrics. Proactive monitoring of a wide range of systems from a central interface allows your managed services partner to offer recommendations to enhance your security, as well as to spot problems and begin immediate remediation. A data breach can cost your business thousands if not tens of thousands of dollars, but a vulnerability that is caught quickly can usually be patched before cybercriminals have an opportunity to slip through your defenses. This augmented security posture is particularly important for organizations storing personal, health or financial information for their customers.
Whether you are currently looking for an IT services partner or just exploring the idea of moving in this direction, the benefits are clear. More predictable cost structures over time, a deeper well of expertise on which to draw and the ability to quickly return to productivity are all compelling arguments for this proactive approach to your information technology infrastructure.