Most Small Businesses Pay The Ransom

Are you willing to pay the piper when it comes to cyberattacks?

Despite the growing number of cyberattacks on small- and medium-sized businesses, there is still a lack of awareness or proactive defense of the networks, computer systems, applications and devices being used. This inattention means it’s even easier for criminals to attack your business by worming their way into your data, stealing it and threatening to expose it. Other cyberattacks target the business itself, making systems and websites inoperable, costing businesses millions in the process.
Freeing the data or access often means paying a ransom, usually in the form of Bitcoin or some other cryptocurrency that’s impossible to trace.
How Much of an Issue is Cybercrime?
When it comes to cyberattacks on small businesses, the reality is, if you haven’t already been attacked, you will be. What matters is that you have the security protocols in place to make sure your business withstands these attacks and is not victimized by intruders looking to do harm.
The scope of cyberattacks, especially on SMBs, is staggering.
According to the 2018 HISCOX Small Business Cyber Risk Report, almost half (47 percent) of small businesses suffered a cyberattack in the previous year. Of those attacked businesses, 44 percent encountered a second, third or fourth attack. Eight percent had five or more attacks.
Yet the report shows a paradox. Business executives surveyed identified cyberattacks as one of their top two concerns, along with fraud. Sixty-six percent said they were concerned or very concerned about cyberattacks.
However, among those executives, the majority haven’t taken even basic steps to protect their businesses.
What Does a Cyberattack Mean to My Business?
If you do not invest in cybersecurity measures, you are a sitting duck. That means you’ll have to pay a ransom when your business is attacked. You will incur costs as well, including steps to identify and eradicate the intrusion, notify customers and regulators and pay for deep web monitoring or credit monitoring.
What is that financial cost? According to HISCOX, it’s $34,600 for small businesses. The 2018 Cost of a Data Breach Study: Global Overview conducted by the Ponemon Institute shows that among SMBs and enterprises, the worldwide average total cost is $3.86 million. The costs are increasing each year, too.
The Ponemon study shows some of the other inherent threats and disruptions a data breach can bring upon your business. Among key factors influencing the cost of a data breach, according to the study, are:

The unanticipated loss of customers after a data breach is reported. Organizations that have established institutional trust and offer identity protection to victims are more successful in retaining customers.
The scope of the breach and the number of records lost or stolen. Ponemon calculates the per-record cost at $148.
Time. The longer it takes to discover the data breach and contain it, the more costly it is to the affected business.
Scope of remediation. When an attack is discovered, your business is going to incur expenses it didn’t plan for, including for independent investigators, forensic analysis, auditing services, crisis PR management and continuing brand and reputation repair initiatives.
Service needs. These include the demands for help desk services, marketing and communication, distribution of new account information or credit cards, legal costs, regulatory investigations and fines, product and service discounts to retain customers and increased insurance premiums.

The costs, both real and impressionistic, can cripple a small business that does not have the resources to recover from a cyberattack.
What Should Our Business Do To Protect Itself?
Protection begins with a thorough assessment of your systems and procedures to determine where there are vulnerabilities that need to be addressed. Working with a qualified managed service provider, you can understand where the exposures are and plan to fix them.
Your managed service provider will want to look at several components, including:

Network security that’s based in next-generation firewalls to identify and contain unwanted activity
Automated solutions to update anti-malware applications and install updates and patches
Policies regarding access, password protocols and authentication

With the proper security in place, you can avoid paying a ransom and putting your business at risk.

Critical Update From Microsoft: Remote Desktop Services

Impacted Systems:

Windows Server 2003
Windows XP
Windows 7
Windows Server 2008

Nonimpacted Systems:

Windows 10
Windows Server 2016
Windows Server 2019

If you are still using Windows Server 2003, Windows XP, Windows 7, Windows Server 2008 R2 or Windows Server 2008, you could be in trouble. A wormable threat may be coming your way: the vulnerability is designated CVE-2019-0708.

This means an attacker can exploit it without you doing anything, such as clicking a malicious link. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights without your knowledge.
What Should You Do?
Microsoft has released a critical update for Remote Desktop Services that affects multiple Windows versions. The patches cover devices and systems that are both in and out of support, which is rare for Microsoft to do. This shows the importance of these patches.
The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests. To apply the patches, go to the Microsoft Security Update Guide for in-support systems and KB4500705 for out-of-support systems.
Note: Clients & Customers on a valid managed services agreement are being taken care of and there is no immediate action for any computer, server or other devices under a valid managed services agreement.
Microsoft recommends that customers running one of these operating systems download and install the update as soon as possible.
Does This Mean Even Systems Without Support Can Get The Patch?
Yes. Microsoft is aware that some customers are running versions of Windows that no longer receive mainstream support. Normally this means you wouldn’t have received any security updates to protect your systems from CVE-2019-0708.
Given the potential impact on customers and their businesses, Microsoft decided to make security updates available for platforms that are no longer in mainstream support.
All Windows updates are available from the Microsoft Update Catalog.
What Should We Do Before We Apply The Update?
It’s recommended that you back up all of your important data first. If the patch creates problems, a reliable backup ensures you can still access your data. Do this before you install any patches.
What If We Can’t Apply The Patches?
If you can’t apply the patch for your system there are other things that you can do:

If you don’t need the Remote Desktop Services, you can disable it.
Block TCP port 3389 at your firewall (this prevents unsolicited connection requests from the Internet).
Enable NLA (Network Level Authentication) for Windows 7 and Windows Server 2008.

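A defender’s check for the three workarounds above, as an added example that is not code from the original article or from Microsoft. It assumes the standard Terminal Server registry values, a firewall rule name chosen here, and that you pass the correct KB number for the host’s operating system in -PatchKB (the default is the KB the article cites for out-of-support systems). Run it in an elevated PowerShell session on the affected host; without -Remediate it only reports.

```powershell
# Added example (not from the article): audit and optionally apply the RDS
# workarounds on a Windows 7 / Windows Server 2008 (R2) host that cannot be patched.
# Written for PowerShell 2.0, which is what those systems ship with.
param(
    [switch]$Remediate,             # require NLA (workaround 3) instead of only reporting
    [switch]$BlockPort3389,         # workaround 2: host-firewall block of inbound TCP 3389
    [switch]$DisableRemoteDesktop,  # workaround 1: only if Remote Desktop is not needed
    [string]$PatchKB = 'KB4500705'  # KB cited on the page for out-of-support systems (assumption)
)

# Standard Terminal Server registry locations (assumed, not taken from the article).
$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'BlockRDP3389Inbound'   # hypothetical rule name used by this script

function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path $tsKey  -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
    # netsh prints the rule details if it exists, otherwise "No rules match the specified criteria."
    $rule = netsh advfirewall firewall show rule name=$ruleName 2>$null
    New-Object PSObject -Property @{
        # Get-HotFix returns nothing when the KB is not installed.
        PatchInstalled       = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
        # fDenyTSConnections = 1 means Remote Desktop is switched off.
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        # UserAuthentication = 1 means the client must authenticate before a session exists.
        NlaRequired          = ($rdp.UserAuthentication -eq 1)
        Port3389Blocked      = [bool]($rule | Select-String 'LocalPort')
    }
}

function Invoke-RdpWorkarounds {
    $state = Get-RdpExposure
    if ($state.PatchInstalled) {
        Write-Output "$PatchKB is installed; the workarounds are not needed on this host."
        return $state
    }
    if ($DisableRemoteDesktop) {
        # Workaround 1: turn Remote Desktop off entirely.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    } else {
        # Workaround 3: require Network Level Authentication so unauthenticated
        # connection requests are refused before a session is created.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    }
    if ($BlockPort3389 -and -not $state.Port3389Blocked) {
        # Workaround 2: block inbound TCP 3389 on the host firewall. This also blocks
        # legitimate RDP sessions, so remove the rule once the host is patched.
        netsh advfirewall firewall add rule name=$ruleName dir=in action=block protocol=TCP localport=3389 | Out-Null
    }
    Get-RdpExposure
}

$result = if ($Remediate) { Invoke-RdpWorkarounds } else { Get-RdpExposure }
$result | Select-Object PatchInstalled, RemoteDesktopEnabled, NlaRequired, Port3389Blocked | Format-List
```

A host that reports PatchInstalled = False and NlaRequired = False with Remote Desktop enabled is the case the article warns about; the same report run after patching confirms the workarounds can be rolled back.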
Of course, the best thing to do is to contact your local IT services company. They’ll know exactly what to do.
What Is A Wormable Virus?
A wormable vulnerability is one that any future malware could use to propagate from one vulnerable computer to another without human help. This is how similar malware like WannaCry spread around the world. Experts are worried that this flaw could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017.
Here’s what Simon Pope, director of incident response for the Microsoft Security Response Center tells us:
“This vulnerability is pre-authentication and requires no user interaction,” Pope said. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.”
Have There Been Any Attacks Yet?
Microsoft said they haven’t found evidence of attacks against this dangerous security flaw. But one could happen at any time. Right now they are trying to prevent a serious, imminent threat with these patches.
Simon Pope goes on to say:
“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
What Does The Microsoft Remote Desktop Do?
You use the Microsoft Remote Desktop application to connect to a remote PC or virtual apps and desktops made available by your admin. You can control your desktop computer and all of its contents from another computer.
The app lets you connect to your desktop from wherever you are. The access to the remote desktop happens over the Internet or via another network. It lets you interact as if you were physically working from your desktop.
The Remote Desktop application also gives the “master” computer access to all of the contents on the remote computer.
What Else Should We Know?
If you have already upgraded from Windows 7 to Windows 10, or from Windows Server 2008/2008 R2 to Windows Server 2016 or 2019, you don’t need to worry about this vulnerability. This is why it’s essential to keep your systems up to date.
On January 14, 2020, support ends for Windows Server 2008, Windows Server 2008 R2 and the Windows 7 operating system.
If you’re still using these operating systems, it’s crucial to replace them now so that there’s no disruption to your daily operations or loss of data.
Any hardware or software product that reaches its end of life is a potential gateway for hackers to enter through. In addition to the security hazard, there are other reasons why it isn’t a good idea to keep using old equipment such as unresolvable outages.
Where Can We Get Help?
Contact us to ensure your Microsoft desktops and servers are secure and protected from unauthorized intrusions.

Does Open Source Software Have a Role in Enterprise IT?

Open source software has come a long way since the 1980s. Back when the concept was first developed, it was a philosophical revolution in the software world. Releasing software for free wasn’t new, but releasing the source code behind the software and even encouraging others to improve upon it was game-changing.
In its infancy, open source software wasn’t the sort of thing most enterprises would consider. Times have changed, though. If your organization has never seriously considered whether open source software has a role in enterprise IT, you may be missing out on some serious advantages.
Open Source Software’s Changing Role
Open source software used to be viewed as the software equivalent of homebrew beer: an interesting hobby with sometimes attractive results, but not at all useful at scale. Over the twenty-five-plus years since its origins, things have changed. There’s no perfect analogy, but you might say the open source crowd has evolved into the equivalent of a network of craft brewers. Each brewer crafts something unique, and they all share their recipes and brewing techniques freely, both with other brewers and with consumers. Because of this collaboration and free sharing of information, the results just keep getting better.
Enterprise Adoption Grows
This evolution has had an effect on enterprise adoption. Today, most companies utilize some open source software. Red Hat, a Linux distributor and a major player in the open source space, commissioned a study of enterprise IT in 2019. The study determined that 83% of enterprises surveyed were using open source software, and 69% of those respondents described open source software as being either extremely or very important to their organization.
Uses of Open Source Software
Uses of open source software in enterprise settings vary widely, of course. Small businesses may not venture far outside OpenOffice, an open source alternative to Microsoft Office. Enterprise level businesses, however, tend to do more. That same Red Hat study names five areas where open source applications are being used in surveyed enterprise businesses at a rate of 41% or higher. These five are website development, cloud management, security, big data & analytics, and databases.
Pros and Cons of Open Source Enterprise Software
We don’t want to give you the wrong impression. The world of open source software isn’t a miracle utopia that will solve your every business IT problem. There are pros and cons to using open source software for enterprise IT. Here are a few.
Pro: Open Source Software Is Almost Always Free
If the source code is freely available, the software itself is almost by definition offered for free as well. There are limited exceptions, but most of the time, open source software is free to use. This makes sense practically, as it’s challenging to charge for the shell when you’re giving away the innards for free. It’s also a philosophical decision, as the open source movement is closely connected to the ideas of the free software movement.
Con: Supporting Open Source Software Isn’t Free
Open source software at the enterprise level isn’t being designed by hobbyists with day jobs. This is complex software that takes real development work. You may be wondering, then, how the developers put food on the table. In many cases, the answer is support.
When you purchase enterprise software from a traditional source, you usually enter into a license agreement where the seller or the developer will support your use of the software, for a yearly fee. Similar arrangements are available to help you support many open source enterprise applications. The software is free, and you’re free to customize it. If you need support, though, you’ll need a service level agreement (SLA) or something similar. These aren’t free.
Pro: Open Source Software Is Customizable
Off-the-shelf software solutions don’t allow you to customize the software beyond whatever settings the developer offers. You’ve likely experienced this on a small scale. Many people who use Microsoft Outlook for email, for example, aren’t thrilled with the program’s search function. Too bad: neither users nor company IT departments have the ability to enhance this feature beyond what Microsoft provides.
Open source software is different. Companies can tailor the software to their needs and can tweak the source code so that the new software interfaces properly with their existing systems.
Con: You Have to Do It Yourself
The previous pro is a bit of a double-edged sword. The ability to customize software is great, but your company needs people with the skills to do that customization well. Even the best IT pros may get stuck in this process, and finding dedicated support can be a challenge.
Contrast this with complex high-end proprietary enterprise software suites, which often come with support from the vendor. Vendor agreements may include some custom interfacing work. The software and service agreements are costly, but you aren’t left on your own to do the customizing.
Conclusion
For many businesses, open source enterprise software can save money and improve functionality, but navigating the open source waters can be a challenge. If you need help, contact us today!

The CFO’s Guide to Smart Investing in Information Technology

Opportunities to spend on tech are endless these days. But your budget isn’t endless. Your company needs to invest in technology, but you need to do it in a way that’s smart and strategic. Check out our CFO’s guide to smart investing in information technology. We’ll show you how to prioritize your technology investment so that you can make smart decisions and stay on budget.
The Problem
The problem with smart investing in information technology is the sheer number of choices available. Hardly a day goes by without a new B2B information technology product hitting the market. You can’t possibly purchase them all, nor does your business need them all.
As the CFO you may or may not be involved in specific purchasing decisions, depending on the size of your business and the size of the purchase. You do, however, bear ultimate responsibility for setting your purchasing strategy. With so many IT investment options available, you may be overwhelmed trying to cut through the noise and decide what’s best for your organization. The lower your comfort level with technology, the worse the confusion gets.
Understand the Importance
The first step toward solving this problem is to engage with it. Understand that in many real ways technology is the future. You can’t afford to sit on the sidelines or to keep doing business as usual. Your competitors aren’t, and you’ll be left behind.
Simply put, picking the right new tech and integrating it successfully into your business can give you a competitive advantage over competitors. Therefore, in concert with your business’s technology team, you and the financial team must evaluate new IT developments, selecting and implementing the trends that will keep you competitive.
A Framework for Evaluating Emerging IT Innovations
Typically, companies receive far more internal requests for new software or hardware than can be approved within the current budget. To add to the problem, B2B sales efforts come from every direction. These promise to solve one problem or another or to give you that competitive advantage over your competitors. Never mind that the salesperson is trying to sell the exact same solution to those competitors.
What’s needed is a framework for evaluating emerging IT innovations. The questions below can help you decide which internal requests and outside sales pitches are worthy of your attention . . . and your money.
Question 1: How does the tech improve the group requesting it?
Many businesses receive countless technology requests from within. You and the finance team likely can’t approve every one of these, nor should you. The easy questions to ask are “does an employee want this software?” or “Will this software improve the employee’s situation?”, but those aren’t the right questions. Instead, ask “how will this piece of software improve this department or the whole company?”
This strategic question can help you prioritize your technology spend. Software A may very well improve life for that one person in sales, but if Software B realizes far more gains for a 30-person division, it ought to rank higher in the budget.
Question 2: Would this investment disrupt our existing IT deployments?
Sometimes blowing up the status quo is just what you need to succeed. Other times, though, wisdom is to leave well enough alone. If a new technology investment isn’t going to play well with your existing systems, you want to find this out before signing off on the purchase.
Neither internal requests nor external sales pitches are immune from this danger. Work with your technology teams to discover how a new investment will interface with your current system. Don’t spend the money until you’re convinced that the new tech will integrate into your current systems.
Question 3: Would this investment disrupt our workflow?
This is similar to question 2, but it focuses on the human component. A shiny new piece of software may well speed up Step 4 in a complex process in your business. Maybe it even cuts the time in half. Sometimes, though, there are trade-offs. You need to know if it’s going to make Steps 1 through 3 an absolute pain to complete, or whether it will add time to Steps 5 through 8.
Avoid facing an employee mutiny by fully vetting the impact the new technology will have on your current workflow. Be sure it’s a true net step forward before you commit.
Question 4: What are the returns on investment we will see by implementing?
With question 1 you’ve already established how the product will benefit one or more departments. Now, take it a step further and look at your ROI. How greatly will this investment increase sales? What estimate can you place on the productivity or quality-of-life gains? Is the cost worth the advantage you’ll gain over competitors? Answering questions like these gets you to a more specific understanding of the true worth of a proposed investment.
Conclusion
Navigating the new technologies available will always be a challenge for CFOs. By asking these 4 questions, you can prioritize your technology investments smartly.

What Is PII, Non-PII, and Personal Data?

Data security becomes more important with each passing year. It’s important to have a good understanding of the terms that both governments and the information security industry use. Understanding these terms will help you lead your organization to comply with today’s regulations as well as whatever new regulations are coming down the pike. Today we’ll define three major terms: personally identifiable information, non-personally identifiable information, and personal data.
Personally Identifiable Information (PII)
Personally identifiable information, or PII, is information that organizations may hold on individuals that can be tied to the individuals’ identities. The National Institute of Standards and Technology provides a legal definition for the USA:
PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
PII comes in two varieties. Linked information is the more sensitive variety. Anything that can by itself be used as an identifier is considered linked information. Social security numbers, driver’s license numbers, full names, and physical addresses are all examples of linked information.
Linkable information is the second category. Linkable information can’t do much on its own, but it becomes powerful when linked with other pieces of information. ZIP code, race, age range, and job information are all examples of linkable information.
Non-Personally Identifiable Information (Non-PII)
Non-personally identifiable information, or non-PII, is information that doesn’t fall into the above categories. All sorts of information falls into this category. In the digital world, IP addresses, cookies, and device IDs are considered non-PII, since (unlike what you see on TV) these pieces of information can’t be used to identify an individual.
Personal Data
Personal data sounds like a casual way to describe the above, but it’s more than that. Personal data is a term used in Europe that is roughly equivalent to PII. Euro-centric publications won’t tend to use the term PII unless discussing something explicitly American. Many of the same principles of PII apply to personal data, but there are some further ramifications that are important to know.
As the USA does with PII, the EU has a specific definition for personal data, set out in the GDPR as follows:
Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A Crucial Difference Between PII and Personal Data
One of the most crucial differences between NIST’s definition of PII and the GDPR’s definition of personal data is this: the GDPR holds that even cookies, IP addresses, and “other identifiers such as radio frequency identification tags” can be personal data, especially when combined with other unique identifiers.
In short, the EU’s GDPR rules are more restrictive than their USA equivalents. This is the explanation for the rash of “cookie notices” that has spread around the web, and it could have implications for your business.
Wrap Up
If you need more information about PII, non-PII, and personal data, don’t hesitate to reach out. We’re here to serve you and meet your IT needs.

Do Businesses Really Need A CHRO?

Human capital is one of the most important business assets and also one of the most elusive. Today’s employees stay only an average of around 4 years, far different from years past when people regularly stayed with the same company for over a decade. Job stability is a serious concern for organizations, which often find that they are losing their highly qualified staff members when a better offer comes along or when opportunities dry up. This can happen because organizations do not have a stable and structured human resources staff that is able to continuously create opportunities for training and advancement within the organization — staying tuned to the needs of the highest-performing staff members while supporting a positive culture throughout the organization. With the focus on swift moves and organizational change, it’s a strategic imperative that you have a top executive focused on the human resources needs of the business.
“Culture Eats Strategy for Breakfast”
Anyone who has been through business school has heard this old adage from management guru Peter Drucker, as related by Mark Fields in 2006. While it may be a bit trite, this statement has never been more applicable as the corporate culture can quickly fester due to poor decisions by business leaders who are not keeping personnel needs in mind. People want to work somewhere that provides personal as well as financial fulfillment and that often means finding a flexible working situation or the ability to advance their careers with hard work and dedication. If the culture of your organization is toxic with poor leadership in place, it may not even be obvious until you begin losing high-potential staff members.
With a Chief Human Resources Officer (CHRO) in place, there is likely to be a greater focus on gathering employee feedback as well as looking into breaches in rules and etiquette by staff. It doesn’t take long for a positive corporate culture to turn into a negative without a continuous focus on employee satisfaction. The perception that “leadership doesn’t care” or a lack of accountability can poison even the most positive working relationships. A CHRO helps actively listen around the organization and has the ability to raise concerns to the highest level while adequately explaining the challenges and offering strategic solutions.
Encouraging Meaningful Diversity and Mutual Respect
Diversity of thought and cultural fit are every bit as important as ethnic diversity in your workforce. It’s easy enough for managers to hire someone who not only looks like them but also thinks like them — something that a CHRO can help guard against. There’s more to a hostile workplace than a single person or small group of individuals who are behaving badly. It starts with the idea that staff members can get away with atrocious behavior and that the perpetrators are being enabled due to their high-performance standards or position within the organization. It can be challenging to discipline individuals who are perceived to be exceptional, but having C-suite representation for all personnel can help lead to accountability and mutual respect. Meaningful diversity occurs when managers and supervisors are encouraged to step outside their comfort zone and work with people who may be a great cultural fit, even if they may not have exactly the right pedigree or high levels of experience. A dedicated and involved CHRO helps hiring managers to see beyond the surface to find the exceptional staff members that will help the organization grow and evolve in the future. It’s never too early to begin encouraging managers to celebrate diversity and inclusion through a variety of different initiatives that can ultimately result in a more balanced workforce.
Attract and Retain the Best
Creating a positive culture also means finding what motivates employees and being able to illustrate the real business benefits of reducing turnover and providing the perks that employees truly want. HR is moving far beyond simply being the “complaint department” or a way to ensure compliance with a variety of rules and regulations. Having a CHRO provides the business with a higher degree of strategy in the hiring and managing of talented staff members. Millennials and Generation X alike appreciate being able to work from home or remote locations when the work permits it, but a CHRO is able to help quantify the savings that can be expected for the business as well as the softer side of employee engagement. Proactive human resources support is quickly becoming a differentiator for businesses that view these roles as more of a strategic position instead of the tactical role that HR has played in the past.
Finding benefits that employees will appreciate is only a portion of what goes into attracting and retaining the best staff members for your organization. A proactive CHRO regularly reviews the competitive landscape to ensure that health and wellness benefits are commensurate with the marketplace. Creating wellness initiatives also falls to HR, with the long-term benefits of these programs helping bring a new focus to the value of encouraging positive health choices throughout the life of each staff member. Having a CHRO included as a deliberate part of corporate strategic decisions creates a more equitable focus on the individual needs of employees as well as the organization’s requirements for long-term growth.
Experience and Training Key for Successful CHROs
Not every CHRO comes up through human resources. It’s not unusual for someone more on the business, marketing or legal side to see the value in making the leap in this direction. It is crucial that any CHRO candidate has a deep understanding of the privacy and liability issues that can arise from this sensitive position and department. These individuals thrive when they have a full understanding of people management, legal considerations and business operations, so that they can help managers and leadership identify staff challenges and how to move towards resolution. Few of these issues will be solved overnight, meaning your CHRO must have the ability to stay the course and navigate difficult relationships over time. The role of CHRO even has some aspects of a Chief Security Officer, as they will need to understand and be able to manage in-depth data privacy policies, which can be quite complex depending on your business model. Measuring the success of various initiatives is also a data-driven operation that requires analysis and interpretation of diverse datasets.
Organizations may survive without someone from human resources at the executive table, but it is becoming more unlikely that they will thrive without this representation in the C-suite. Chief Human Resource Officers provide a needed counterpoint to the business-focused mantra that you may hear from other executives, providing a different perspective on reaching organizational goals through the introduction of positive culture change, accountability and diversity in hiring practices. This strategic role not only provides organizations with qualified candidates but also helps ensure that high performers stay and continue providing their brain trust to the business.