Imgur Breach Affects 1.7 Million Users

by Felicien | Nov 30, 2017 | Education

The popular photo-sharing site Imgur was a victim of a data breach in 2014 that saw 1.7 million email addresses and passwords. The site put out a blog post on November 24th, 2017 notifying its users of the breach after its password algorithm was cracked.

Imgur was notified by Troy Hunt, who runs the data breach notification site Have I Been Pwned. Hunt notified the photo sharing site on Thursday, November 23rd after he was sent data that included the Imgur users.
Imgur’s CEO and its Vice President of Engineering, who securely received the data in order to verify that it was indeed from their users. Imgur did verify that the stolen data does not include information such as real names, addresses, or phone numbers, as the site doesn’t ask its users for such information.
The incident is still under investigation and Imgur CEO Roy Sehgal said that attackers likely cracked the site’s password encryption through “brute force”, due to an older algorithm. The algorithm has since been replaced and updated.
Imgur encourages users to make sure that they are using different password and username combinations on each of their online accounts. Also, it’s a good idea to reset your passwords for each account as well.
In the wake of recent data breaches and ransomware attacks, there are a few things to keep in mind to protect your data, both online and offline:

Stay up to date on software patches
Use a different password for each online account and don’t make any of them the same
Encrypt sensitive files
Back up your files

Cybersecurity is a big deal and a big job. But it is never foolproof. You have to stay vigilant and uncompromising in your security measures. Don’t let hackers take what you’ve worked so hard to build.

Strategize Your Way To A Stellar 2018

by Felicien | Nov 30, 2017 | Education

With the right guidance and advice, strategic IT planning can set your business on a path to greater success in 2018 and beyond.
2017 isn’t quite behind us yet, but already many businesses are turning their attention to the year ahead. Planning out your objectives and goals for the coming months is a great way to make sure your business is prepared to meet those challenges, and that starts with taking a look at how you faired in the previous months. Now is the time to make sure your plan for 2018 is ready to go and covers all aspects of your business. This means focusing not just on your operations, but the many moving parts that keep your operations running.
Did your business meet all its goals and objectives for 2017? Hopefully, you were able to cross most, if not all, of your goals off of your list. But those areas where your business might have come up short, or the objectives you didn’t quite get around to tackling are a great starting point for your plans for 2018. And while it’s important to keep the big picture in perspective when making decisions that will have an impact on your future success, it’s just as important to focus your attention where it’s needed.
I’m talking, of course, about your business technology. Have you thought about technology and the role Information Technology can play in making sure your business continues to be successful? Information Technology plays an important role in every company’s success, regardless of how big or small your operations are, or what your company specializes in. Technology is the driving force behind just about everything a modern business does, from accounting and administration to shipping and manufacturing, and all things in between.
Having the right technology in place to improve, enhance, or completely change the way your staff works can make all difference, both short-term and long-term. And having the right IT strategy can help to make sure your business is in a position to accelerate growth, increase operational efficiencies, and ensure maximum productivity for all departments and employees. Strengthening your internal operations through innovative technology investments can be a game changer for your business.
Of course, it’s not just the things that happen behind the scenes that need to be a part of your planning. The right strategic IT plan can ensure your team is able to market your business to your ideal audience and help your sales teams to win new sales opportunities by staying a step ahead of your competitors. The agility and speed offered by today’s technology, when implemented correctly and used to your full advantage, allow your staff to do more for your clients and prospective clients and exceed expectations.
It’s just a matter of knowing where and how you want your business to grow in the coming year, what changes need to be made to make that growth happen, and how to get the most out of the technology at your disposal.
If your business doesn’t have a strategic IT plan ready to roll out just yet, now is the time to talk to trusted technology professionals about your goals and learn what your options are. Your business can and should use technology as a foundation to build up a framework for success in the coming year. Whether it’s something as small as upgrading your accounting software to help streamline payroll and billings, or something as huge as finally migrating your systems and servers to a cloud-based platform, planning is everything.
Don’t let that fact that the focus of this planning is on your goals for 2018 keep you from starting this conversation in 2017. Procrastination will only hold you back, and keep your business from benefitting fully from everything new technology can bring to the table. You don’t have to run out tomorrow and start making purchases, but the sooner you start planning, the sooner you can start putting that plan into motion.
You might have a very clear idea of the kinds of changes you want to see and the milestones you intend to strive for, and that’s great. That certainly will help guide your business. But if all you have is a vague idea of where you’d like to see your business end up when 2018 comes to an end, that’s where advice from an IT professional can make a big difference. Just knowing what services and solutions are available for your business to choose from can help guide you onto the right path. It’s just a matter of knowing which questions to ask.
Or better still, working with an IT support provider who knows which questions need to be asked to help your business leverage technology into massive growth and success in 2018 and beyond.
Ready to start on a strategic IT plan for 2018? Contact {company} at {email} or {phone} today to book a consultation with a strategic IT advisor. We’re the technology experts businesses in {city} trust.

Is Skype HIPAA Compliant?

by Felicien | Nov 30, 2017 | Education

Breaking Down Compliance Concerns for Healthcare Providers Using Skype

Every day, we work alongside a variety of healthcare providers to ensure HIPAA data compliance standards are implemented correctly. As technology-for-business continues to evolve, instant messaging platforms – like the one provided in Skype – offer a convenient way of quickly communicating information between team members or departments.
However, we’ve been getting this question a lot lately: is Skype HIPAA compliant? More specifically, can Skype be used to send electronic protected health information (ePHI) without violating HIPAA mandates? Very simply, should healthcare providers be using Skype when it comes to the transmission of sensitive patient health data?
The debate is still out on Skype and HIPAA compliance. Skype does include built-in security features to prevent unauthorized access of transmitted data, and all Skype messages are encrypted. However, built-in security tools don’t necessarily mean total HIPAA compliance. When it comes down to it, the way healthcare organizations implement and use Skype is what makes the difference when it comes to compliance.
First Things First: Is Skype Considered a Business Associate under HIPAA?
Under HIPAA, business associates are defined as any organizations or people working in association with or providing services to a covered entity who handles or discloses Personal Health Information (PHI) or Personal Health Records (PHR).
So, does Skype count? Again, this is a topic that is continually up for debate. Technically, Skype could be considered an exception to the business associate mandate, under the HIPAA Conduit Rule. The Conduit Rule stipulates that any conduit through which information flows does not require an explicit business associate agreement.
However, don’t get too excited. A business associate agreement is necessary if a vendor creates, receives or transmits patient data on behalf of a HIPAA-covered entity or one of its business associates. While Skype definitely doesn’t create personal health information, it can be used to receive and transmit it. However, it should be reaffirmed that Skype messages are encrypted – both in transit and at rest – and Microsoft doesn’t access these messages unless there is a legal subpoena to do so.
In the case of subpoenaed information, data must first be decrypted. Therefore, it becomes unclear that whether providing information to law enforcement and being able to decrypt messages, would mean Skype would no longer satisfy the Conduit Rule. Furthermore, Skype is a software-as-a-service as opposed to a common carrier.
There’s no doubt that all the legal jargon is enough to leave your head spinning. That’s why, we urge clients and other businesses to air on the side of caution and consider a Skype business associate, requiring a business associate agreement. Better safe than sorry.
When it comes to drafting a business associate agreement, Microsoft generally will sign a HIPAA compliance associate agreement for a providers entire Office 365 subscription. Additionally, Skype for Business may be included in that overreaching agreement.
However, in order to ensure compliance, make sure you look over your business associate agreement with Microsoft to make sure that Skype for Business is included and covered. Microsoft has recently explained that not all business associate agreements are the same – so play on the safe side and get specific.
Skype and HIPAA Compliance: Encryption, Access, and Audit Controls
While HIPAA doesn’t insist that ePHI is encrypted, they do outline encryption as a mandatory consideration. Basically, if a covered entity decides not to use encryption, they must outline and implement an equivalent safeguard instead. When it comes to Skype, all messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is taken care of.
However, the problem lies in administrative controls for back-up and auditing. Skype doesn’t automatically include appropriate controls for communications back up, nor does it maintain a compliant audit-trail, as mandated by HIPAA standards. Without these features, Skype simply isn’t HIPAA compliant. However, there may be a workaround if healthcare organizations are implementing Skype for Business instead of the basic app.
The Final Verdict: Is Skype HIPAA Compliant or Not?
So, lets cut to the chase: is Skype HIPAA compliant or not? The short answer is no. As a standalone application, the basic Skype platform does not comply with HIPAA compliance regulations. So, for healthcare organizations who rely on Skype – let this be your warning to never send ePHI via Skype instant messaging. However, for organizations using Skype for Business – like many of our clients – the platform can be made to better support HIPAA compliance – but only if it is implemented correctly.
If the Enterprise E3 or E5 Skype For Business packages are purchased, the application can be configured to better support HIPAA mandates. However, it’s up to your organization to ensure that compliance standards are met. This means that you must actively set up a business associate agreement with Microsoft, before using the Skype for Business app to transmit any kind of ePHI. Furthermore, the application must be configured carefully. In order to be fully HIPAA compliant, Skype for Business must maintain an audit trail and all transmitted communication must be saved and backed up securely.
Additionally, access controls must also be applied to all devices that use Skype for Business to prevent any and all unauthorized disclosures of ePHI. Controls must also be configured to prevent any sensitive information from being sent outside the organization. Finally, healthcare organizations must also implement agreements that insist Microsoft will notify them immediately in the event of a breach.
But, let’s not get ahead of ourselves…
Unfortunately, it must be noted that even with a business associate agreement and the correct application package, there is still significant potential for HIPAA compliance to be violated when using Skype for Business. The short answer is, when it comes to Skype for Business, it’s hard to be entirely confident that all HIPAA regulations are upheld.
However, healthcare companies need not panic or dig out the post-it notes. There are many secure instant messaging platforms available to healthcare providers, designed specifically for use by the healthcare industry, with built-in compliance features. As much as we love Skype for Business, when it comes to the healthcare field, these alternatives may prove to be the better choice. With these solutions, HIPAA compliance strategies are built-in and straightforward, making it much more difficult to accidentally violate HIPAA mandates.
Before long, Microsoft will probably catch-up and implement protocols that better support HIPAA compliance when using Skype for Business. Until then, make sure any instant messaging on the Skype for Business platform doesn’t include sensitive patient data. In the meantime, it may be useful to seek out other, more compliance-friendly platforms to ensure lines of communication and data-sharing channels are as efficient as possible.
We have extensive experience working with healthcare organizations like yours, so we know just how critical HIPAA compliance is. Configuring IT and software platforms to support HIPAA compliance mandates is the number one security priority for healthcare providers across the country. Keeping patient data secure and maintaining compliance can feel like a full-time job.
If you’re looking for ways to ensure all your business devices and applications are HIPAA compliant, don’t get caught up in guesswork. Reach out to our team of compliance experts anytime. When it comes to protecting sensitive patient data and avoiding hefty fines, checking in with seasoned professionals is more than worth it.

Are you prepared for GDPR Compliance?

by Felicien | Nov 30, 2017 | Education

Recent Survey Finds Most Businesses are Uninformed and Unprepared

The cybercrime landscape is getting scarier by the day. In response, the cybersecurity regulatory environment is continually evolving to develop new best practice standards and protect business owners. The last few years have seen an increase in formally legislated data security mandates that impact businesses of all kinds.
For business owners, a mounting pile of compliance regulations can seem like a tedious nuisance. We hear this question among our clients all the time – how is my company supposed to keep up with more and more cybersecurity regulations to uphold? However, tedious as they may be, data security regulations are designed specifically to prevent the devastating impacts of a beach on business operations.
Understanding the GDPR: What is the General Data Protection Regulation?
The General Data Protection Regulation is a cybersecurity mandate developed by the EU. After four years of preparation, the GDPR was approved on April 14th, 2016. The official enforcement date is May 25th, 2018 at which time non-complying organizations will face hefty penalties and fines.
The EU’s GDPR was specifically designed to harmonize data privacy laws across Europe, to maintain data protection for all citizens. The GDPR replaces the former Data Protection Directive and aims to reshape the way organizations across the international business community approach data privacy.
Here are the key articles, central to GDPR:

Companies must obtain consent for data processing with all subjects
Companies must anonymize collected data to protect privacy
Any breach must be notified to governing bodies within 72 hours
Data transfers that take place across borders must be handled safely
Certain organizations are required to appoint a data-protection officer for GDPR compliance management

This is only a brief outline of what’s required of businesses under GDPR. In order to be fully informed, business owners should take the time to explore GDPR mandates completely. By understanding the ins and outs of what’s required and the potential penalties, strategies for compliance will be much easier to implement.
For a full rundown on the GDPR, check out this comprehensive guide.
Whose Impacted? Understanding Whose Responsible for GDPR Compliance
So, you must be thinking – European data security regulations? This can’t possibly have any impact on your business right? Think again. While the GDPR is a set of European regulations, drafted by the EU, it will apply to businesses outside European borders. GDRP mandates will apply to any organization from across the globe that does any kind of business in Europe or with European organizations. Furthermore, companies and organizations who have European citizens on their staff force are also impacted.
Not to mention, non-European-based businesses can be fined up to 4% of global revenue or 20 million Euros – whichever is larger – if it does not handle or store the personal data of European citizens according to GDPR regulations.
On Guard: How Prepared are Businesses for GDPR Compliance?
Okay, now that you know what GDPR is, you’re probably feeling like you’ve been in the dark on some pretty significant stuff. But you’re not alone. DocsCorp decided to conduct a study to measure how prepared Northern American businesses are for the implementation of GDPR. The company has recently released the results of their survey entitled The Current State of GDPR Readiness.
Participants in the survey were asked a series of questions, designed to determine how prepared these organizations were for upcoming changes that will take effect under GDPR in May of 2018.
The survey had alarming results. Let’s break the key findings down below:

27% of US and Canadian organizations had begun preparing for GDPR.
That means, 73% of organizations had not begun preparing for GDPR.
In fact, 54% of organizations were unaware of the compliance enforcement date of May 25th, 2018.
Finally, 55% of organizations noted that leaking of personal data as their biggest security concern.

These results are concerning because they demonstrate that the majority of North American businesses aren’t sufficiently informed and definitely aren’t prepared for upcoming GDPR mandates. Further, with over half claiming leaked data is a primary concern, the urgency of data security compliance is clear. With the May 2018 deadline fast-approaching, this level of unpreparedness can leave businesses open to severe financial penalties if compliance standards aren’t put in place.
The DocCorps survey should serve as a WAKE-UP CALL for our colleagues, clients and all business organizations across North America to start making deliberate efforts to get prepared for GDPR mandates. If data security is a top priority – and it most definitely should be – getting informed about what’s required under GDPR is the first step. Then, it’s all about implementing strategies to maintain compliance.
Business-Focused Strategies: How Can Business Owners Prepare for GDPR Compliance
So, with May only six months away, local businesses are likely wondering – how in the world do I get prepared for GDPR compliance? When working with our clients, we try to outline key strategies for data protection that can be easily implemented and maintained to ensure compliance. Luckily, these strategies apply to GDPR prep, so let’s take a look:

Build Awareness

First and foremost, use this guide and other online resources to get yourself and your team informed about GDPR mandates. We constantly tell our clients that employee awareness is the first step and the strongest line of defense in a data security strategy. Furthermore, we believe in being transparent with our clients about the threat landscape, and business owners should be transparent with their workforces as well. If you and your team know what’s expected and what’s at stake, you won’t be caught by surprise.

Inventory your Information

Figure out what kinds of data you collect and determine what’s impacted by the GDPR. Our experience working with clients in all industries has allowed us to observe that many organizations simply don’t have a central inventory of the types and quantities of data they collect. By creating a ‘data inventory’ your company will have a better idea of how to organize and manage data for compliance.

Data Security Policies and Procedure

We’ve said it once and we’ll say it again: having detailed data security policies and procedures in place is critical. Outlining key policies that outline data protection mandates and making them readily available to employees allows critical information to be easily accessed. Further, by developing comprehensive procedures for your workforce to follow, team members will feel comfortable and empowered to make informed decisions when using business technology.

Assign a Data Protection Officer

We work with a lot of small business owners, so we know that hiring an entirely separate employee as a Data Protection Officer isn’t always feasible. However, you can assign this role to someone already on your payroll. Maybe a system administrator or the most tech-savvy member of your staff. Basically, it’s just a good idea to have someone specifically in charge of overseeing policy development to ensure compliance standards are being upheld. If – like our clients – you work with a managed IT service provider, talk with them about vCIO services or the best ways to monitor and manage data protection internally.

Implement Breach Response Plans

This one is possibly the most important of all. GDPR requires all breaches to be disclosed in a timely fashion and employees at all levels should be aware of this. Additionally, breach response plans are helpful because attacks often catch professionals off-guard. We can’t count the amount times we’ve heard from clients who were hit by a breach and totally unprepared to respond effectively. That’s why it’s our rule of thumb to have detailed response plans created before a breach happens. If employees encounter any kind of suspicious activity or a full out breach, they need to know exactly what’s expected of them in order to maintain compliance, shut the attack down or bounce-back efficiently.
Regardless of your industry or the size of your company – if you do international business or have European staff members, GDPR impacts you. Furthermore, if you handle or store the data of European consumers – GDPR impacts you as well. Though it may seem you have lots of time to prepare before enforcement begins in May, getting on top of data security management now will save you from last-minute scrambling to ensure compliance standards are in place.
We get it – the constantly changing data security landscape can be a thorn in the side of your business. However, we also understand that cybercriminals never sleep. The recommendation we give to our clients – and to all other businesses – is to follow the guidelines provided by compliance mandates like GDPR. Even if you’re not directly impacted, building security compliance strategies into your business network will put you one step ahead of cyber threats. Furthermore, it will help you proactively position your company as the cybersecurity landscape continues to change.
Need a hand with data compliance? Every day, we help our clients develop and implement data security strategies that are reliable, strategic and proactive. If you’re looking to better manage IT security or if you’re trying to get a hold of data compliance, give us a shout.
No matter the specific needs or challenges, our team has likely seen it before and we’re passionate about developing customized security strategies for you so you can stay focused on business. Don’t hesitate to reach out – we’re here to make your IT work for you.  

Mac Users Beware: Huge Security Hole Found in Apple’s High Sierra OS

by Felicien | Nov 30, 2017 | Education

If you’re using a Mac and running the latest version of its operating system, you’re going to want to pay attention. It seems that Apple had a bug in their new operating system which allowed anyone that had physical access to a Mac admin access. Giving them full access to anything and everything on that computer.
The bug, discovered November 28th, was revealed on Twitter by Turkish software developer Lemi Orhan Ergin. He revealed that anyone can log into a Mac running MacOS High Sierra or adjust settings on that computer simply by logging in with the login name “root” (without quotations) and clicking enter, no password needed. The hack only works if the hacker is typing on the physical machine. It does not work remotely.
The bug only affects those running the newest OS, MacOS High Sierra. Apple put out a fix for the bug just less than one day after its discovery, which all High Sierra users should install immediately. To get the fix you must do the following:

Open up the App Store on your Mac.
In the App Store toolbar, click on updates.
Install any updates that are listed there.

If you aren’t sure which operating system you are running, click the apple icon in the upper left-hand corner of the screen, then click on “about this Mac”. This will show you the version number of the MacOS. The affected versions are 10.13 or 10.13.1.
Make sure you are installing the latest updates for all of your hardware, software, and operating systems. This keeps hackers from being able to take advantage of vulnerabilities. Be sure that these updates take place across the board. Have every computer in your organization update and make sure it gets done to avoid any breaches.
You want to keep out unsavory types and those meddling hackers, so encrypting your files is also an option. This way, even if they get ahold of your data, they can’t view it or alter it. Encrypting data that is being sent over the internet or to the cloud for storage is also a good idea. So even if the data or files get intercepted mid-stream, they are still unable to be read or changed.
Keep copies of your data separate from your original files. Whether online in the cloud or offline at a separate site from the original, always backup your data. It is best to have it backed up on the cloud and offline in another location. This way, if you are hacked or data gets lost, you will have a much better idea of what is missing and be able to get it back.
Cybersecurity is a big deal and a big job. But it is never foolproof. You must stay vigilant and uncompromising in your security measures. Don’t let hackers take what you’ve worked so hard to build.

OneDrive vs. SharePoint: What’s the Difference?

by Felicien | Nov 29, 2017 | Education