by Felicien | Apr 29, 2019 | Education
As your business operations evolve and expand, you’ll likely reach a critical point in your company’s growth where the tasks required will outnumber the staff you have available. Deciding to outsource work might be a difficult decision, partly because of budgeting and partly because onboarding new parties to your business’ processes is daunting—especially if you’re already stretched too thin. But as CEOs recently interviewed by McKinsey pointed out, “If you don’t [prioritize], you’ll sit in your office all day, read lots of reports, and end up being completely confused.”
In such situations, many CEOs choose to work with a managed service provider (MSP). Particularly for IT services, a managed provider can be a highly sensible solution.
What is a managed service provider?
A managed service provider, or MSP, is a company that remotely handles a specific set of processes for another company. At the center of this working relationship is the contract set between the two companies, which tends to be very strictly enforced to map out exactly what services the MSP will provide.
Why should my business hire a managed service provider?
Hiring an MSP translates into having a specialized agency handling your networks and users, in a way that not only aligns with your company’s processes but also optimizes security, efficiency, and industry best practices. As part of this, there are four key benefits to hiring an MSP as opposed to hiring employees to manage these tasks:
A managed service provider can do a better quality job. An MSP is dedicated to handling the processes it offers. It carries out its specialized offerings repeatedly and consistently for its clients. Its people are well-trained, highly skilled, and experienced at delivering the specific services outlined in its contracts because those tasks are at the core of its operation. An MSP has to invest in the best tools and processes in order to remain competitive, and so it is intrinsically driven to streamline its efforts in order to protect its bottom line. With such a strong focus and so many reasons to push for excellence, an MSP can sustainably deliver its services, stay on top of industry trends, and build sharp solutions that anticipate any potential issues and get ahead of them, all as part of its ongoing services—without requiring any additional input or cost from you.
A managed service provider guarantees their work. If an employee’s work is inadequate—so, for example, if your IT person fails to deliver a secure solution and your network is compromised—your main form of recourse is to fire them. That doesn’t bring you closer to completing the work you need, and it doesn’t account for any of the resources you lost as a result; any next steps you take will involve spending more in order to address the problem, and then to prevent it from reoccurring in the future. Given IT’s security implications, it’s also critical that whoever is handling it for you minimizes risks and addresses vulnerabilities long before anything can go wrong. As CEO of McAfee Chris Young reminds us: “… From the earliest stages of product design, to selecting vendor partners to writing job descriptions — security needs to be top of mind for every critical decision, every new process, every rule.”In some industries such as health, legal, and finance, there are additional considerations such as confidentiality and government regulations for which your business is ultimately liable. Not only are managed service providers up-to-date on emerging threats and the latest regulation, but they guarantee their services. This delivers higher quality results to you and also protects your investment—and your business—when purchasing their services.
A managed service provide can save your business money. The typical MSP pricing structure involves an upfront fee and then an ongoing monthly retainer for recurring tasks. Here’s what you don’t have to pay for: recruiting and onboarding costs to hire dedicated personnel; technology and tools for these new employees; training and continuing education to make sure they stay up-to-date on industry developments; overtime costs that result from these employees having to juggle their regular duties with troubleshooting; and more. It’s not just money that you’re saving. Your team already doesn’t have the time to address the concerns for which you’re trying to hire or outsource; don’t replace one problem (managing IT) with another (managing those who manage your IT).
A managed service provider is always there. What happens if the employee you hired calls in sick, or if your internal IT team finds itself short-staffed for any measure of time? Something will have to get dropped as your people scramble to fill the gaps and keep critical processes going. Contrast this situation with having an MSP, which is built to accommodate fluctuations of internal team availability. The staffing at MSPs is built to overlap capabilities, and both internal documentation and communications protocols are constructed for maximum flexibility and accountability. This keeps your IT processes flowing, uninterrupted.
This is a high-level survey of ways in which MSPs commonly help businesses. Your specific industry, niche, and offering will likely benefit in additional ways that are not addressed here, and that are also affected by the specific options you choose from your MSP.
by Felicien | Apr 29, 2019 | Education
The Power to Conference & Collaborate Better Can Be Yours
Microsoft has just announced the June 2019 release of its Surface Hub 2, a tool for conferencing and collaboration among teams. This is the Surface Hub’s successor, and it boasts improvements to the responsiveness of its active touch screens, snazzy 4K displays for crystal clear display capabilities, a battery pack option for smoother conference mobility, and streamlined integration with both Teams and Office.
Do you need to spring for this device? What considerations do you need to keep in mind as you build out your business’ conferencing capabilities? What tools do your employees need to do their jobs well, and what features are your clients going to respond to the most favorably?
What sorts of collaborative needs do your teams have? Depending on the type of work being performed, this can range. Perhaps you need to have streaming media transmitted smoothly, or the ability for multiple parties to directly mark-up input on a particular object. Maybe you need this primarily for sales, and so crisp screenshares and crystal-clear camera video and audio are vital for customer conversion. Gaining clarity on these values upfront will allow you to make the right decision regarding which tool to purchase.
How well does the conferencing tool integrate with your existing computer and security infrastructure? One key aspect of this is to make sure that both your firewall as well as your primary operating system are compatible with your conferencing solution. Failure to research this in advance most commonly results in being unable to use many of the advanced features of the purchased solution.
How much support do you anticipate needing for your team? Errors and glitches will always arise in software and hardware alike. Your employees need to be well-supported in resolving any issues that come up. Do you have a dedicated internal IT team that can assist with this, or do you need to have support on-hand from the solution’s manufacturer? If you have global teams using this platform, consider factoring in the availability of support for them—in their languages and/or time zones—as well.
Do you need to purchase additional hardware, or can a software solution suffice? Particularly if your employees are using laptops to get their work done, they likely already have cameras built-in to what they use. Combined with network connectivity, they have the raw potential to conference already. All that is needed is to select a video conferencing platform. Larger teams utilizing conference rooms and more elaborate computing set-ups may benefit from outfitting their spaces with new conferencing hardware.
What specific features do you need from your conferencing platform? Consider the size of the meetings your business usually holds and how many seats you need to have available when people convene. Do you need to be able to record these meetings? What sort of invite and even follow-up capabilities do you want? What integrations do you need—for example, do you need to be able to use Salesforce to account for contacts, or integrate with Office?
Although Microsoft is a leader in computing solutions, they are not the only players available on the market offering up collaborative conferencing tools. Careful consideration of your business’ needs combined with research into the different hardware and software options that are available are critical steps toward making sure you get the most out of whatever platform you choose.
by Felicien | Apr 29, 2019 | Education
Cybercriminals have started 2019 off by stealing more than 1.7 billion records. They look for data that is profitable in some way, whether they sell it directly or use it as part of another attack. A successful intrusion attempt comes from various factors, such as an employee downloading a malicious file or the business failing to follow IT security best practices. Here are 10 ways that hackers find a way to get into business networks
Tricking Employees into Opening Malicious Files
Phishing accounts for 91 percent of successful network intrusions. Employees see an email that looks authentic. The hacker makes it appear like it comes from someone in leadership, an external partner or another significant entity in the organization. The email has a file attached or a link included in the body of the email. If the employee opens the file, it loads malware onto that system or directly to the network. The phishing emails with links work by taking the user to a fake login page or another screen that requests username and password information. The hacker uses this to get into sensitive systems. The URL could also lead directly to malware.
Visiting Unsafe Websites
You can block suspicious websites and downloads for equipment that connects through your business network, but if someone uses a personal device, they don’t have the same level of protection. The next time they get on the network with the compromised device, the malware has a way to get on your systems and spread throughout your organization.
Lack of Control Over Personal Devices
If your company doesn’t have “Bring Your Own Device” policies in place, then you could end up with unapproved personal devices using your resources. IT doesn’t have any oversight on these unauthorized devices, so they represent a significant threat.
Lack of Cyber Security Awareness
IT security measures can only accomplish so much. Cybercriminals know that organizations have people of varying technical proficiencies. When an end user doesn’t have sufficient cybersecurity awareness, they fall victim to phishing and other attacks. Employees need to understand the steps they can take to protect against hackers, and get the training to learn about IT security best practices.
Poor Password Management
Employees may have weak passwords for their work accounts. In some cases, they may opt for no passwords. Data breaches at other companies could expose common username and password combinations that end up being in place at your business. Password cracking software makes figuring out this information trivial.
Insufficient Backups
Data backups are critical to helping your business recover from a cyber attack or another disaster. If the backup solution doesn’t work correctly or it fails at creating a complete backup, you could face losing months or years of work. The financial loss would be enormous and puts you in a situation that’s difficult to recover from.
Failure to Proactively Monitor and Maintain Infrastructure
Hackers look for vulnerabilities in your network that would allow them to launch a successful attack. If you don’t have IT security professionals monitoring your infrastructure and keeping hardware and software up to date, then you’re creating an environment that’s ripe for a data breach.
Lack of Cyber Security Measures
A failure to follow IT security best practices can lead to a workplace that doesn’t have enough cybersecurity measures in place. Some companies may be misinformed that all they need is perimeter defense to keep hackers out. You may be vulnerable to an intentional or unintentional breach by an internal actor, or be unable to defend against a sophisticated attack.
Unprotected Wireless Networks
Public wireless networks may be convenient for employees, but anyone within range can connect to them. A hacker can intercept the data traveling on the public Wi-Fi and use that information to get into company resources.
Sophisticated Social Engineering Efforts
Some hackers have attacks that involve a lot of social engineering. They may be trying to get into the financial accounts of upper management or accounting, or they could want to access trade secrets and insider information. They act like they’re an authorized person with a legitimate need to have the data or access that they’re requesting. Cybercriminals can be very convincing, especially when they have well-funded operations. If your company has a lot of turnover, or departments that don’t interact with each other, it’s difficult for employees to keep track of who actually works there.
Lack of Physical Access Control
One area that gets overlooked in a cybersecurity strategy is physical access control to data centers and other rooms that contain servers with sensitive data. A hacker could download that data directly from your systems or take the opportunity to load malware onto your infrastructure. If employees write down their account information and post it on their workstations, the hacker could save this information for later use.
Hackers have many ways to break into your business infrastructure and compromise your systems. Intrusions can lead to long-term consequences, such as major financial losses and damage to your reputation. Protecting against these common attack methods puts your company in a better position to limit your cybersecurity risk.
by Felicien | Apr 26, 2019 | Education
Microsoft began notifying Outlook.com users of a 2019 security breach that occurred between January 1st and March 28th. Hackers were unintentionally given unauthorized access to some accounts, where they were then able to view subject lines, email addresses, and folder names. While no login details—including passwords—were directly accessed as part of this breach, Microsoft did warn users to reset their passwords.
Although the hackers could not view the actual content in the bodies of emails nor download attachments, this incident still represents a major—and disturbing—security incident. This breach serves as a reminder to every business to tighten up its security measures and protect its assets.
Use multi-factor authentication.
Do not leave this as an optional measure for your employees; require it. Multi-factor authentication uses more than one form of identity confirmation—this is the “multi-factor”—to prove the identity of the person attempting to access a particular platform—this is the “authentication.”
Depending on where in the product the Microsoft breach happened, multi-factor authentication could even have possibly prevented or limited the breach. In general, this authentication process adds a strong layer of security. Hackers don’t usually have both the password and the PIN, secret questions, or other ability to verify their identity.
When vetting which type of authentication to implement—if you have this option—consider using the one that is easiest for employees to have on hand, but hardest for others to get a hold of. Trying to make this relatively convenient for your employees will make it easier for them to comply, which will keep your business more secure. Multi-factor authentication is a measure that should go hand-in-hand with training your employees to use strong passwords.
Account for all devices—including mobile—in your security processes.
Very few companies still limit employee access to business assets strictly to desktops at work. There is a growing trend of employees being able to work remotely, even if it is not full-time. A recent study showed that as many as 70% of employees work remotely at least once a week. Whether working from home, a rented office space, or on-the-road, they are using their devices to log in from a distance, well beyond the secured confines of your office. This figure was accounting for full-time employees; contractors only increase the number of remote workers further.
The security processes implemented at your company need to account for all of how workers are accessing company resources. Email access on mobile devices is one of the most common ways in which employees take their work on-the-go, and so it’s a strong starting point for building out these protocols. Because confidential company information is being accessed on these devices via networks over which companies have no control, it is critical that both the email servers as well as the devices being used have robust security systems in place.
While new improvements continue to roll out to tackle these issues, solutions that work across all devices are the norm. Security software, as well as encryption tools, can help protect data regardless of the device, particularly when combined with encouraging employees to log-in via secure VPN networks. Cloud options for data storage are offered by providers with a menu of security options; it’s worth walking through your needs and investing in top-quality solutions.
Document your security processes.
With all of the work that goes into developing security processes, even more needs to be carried out to maintain their implementation and ensure that they remain up-to-date with new tech trends and emerging risks.
This is a vast and complex undertaking. All existing assets must be brought onto any updated infrastructure. Employees must be set-up for and onboarded to the security procedures, and checkpoints must be established so that their compliance may be monitored. Systems must be monitored for any breaches, as well as smoothly updated across all users and data to accommodate any new vulnerabilities that arose since the previous update. Different components, whether hardware (including different devices, such as mobile) or software, may experience issues with any updates. New members of the internal information technology must be introduced to the systems while existing members must stay abreast of any new developments; even team members working simultaneously on the same project must address potential communications issues.
Thorough documentation of processes helps achieve this by providing an objective record of the systems in place. This can be used for onboarding; for internal audits; for evaluating alternatives or potential improvements; and even for reviewing the source of vulnerabilities and providing accountability should an issue arise. This sort of record-keeping is an essential component of transparency in company policy and helps enforce quality control on internal processes. Of course, it must also be protected with the highest measure of security since it arguably contains “the keys to the castle.” Decentralizing its storage and scattering protected, encrypted components of it across multiple storage solutions can help protect company assets from the sort of large-scale breach that could otherwise bring your data assets to their knees.
And so, the large-scale Microsoft breach serves as a reminder that active vigilance must always be maintained over internet security, without relying entirely on one single individual, provider, or service. No single entity can be trusted to be entirely safe when major players like Microsoft are clearly vulnerable, despite the teams of brilliant engineers hired to implement safeguards and the millions of dollars invested in diverse preventive measures. Every business needs to be proactive in protecting itself through rigorous internal standards, ranging from staff training through the implementation of mandatory security precautions, to minimize the risk of vulnerabilities being exposed and exploited. Factoring in every employees’ data paths and employing multiple layers of overlapping security efforts at every step of the way—and documenting these processes for easy internal accountability and refinement—are critical for business informational security in this highly connected digital age.
by Felicien | Apr 26, 2019 | Education
As the digital community continues to expand to include more individuals and more devices, enforcing cybersecurity becomes more complicated. The number of opportunities and vulnerabilities for hackers to leverage is continuously growing; it is imperative for businesses to take proactive measures to protect themselves. With new terms and acronyms constantly emerging to refer to these issues, it’s helpful to make sure you and your team are on the same page with the vocabulary you use.
We’ve compiled a list of some of the most common words and phrases surrounding cybersecurity issues.
Access control – This is the sequence of steps by which requests to retrieve information are approved or denied. The phrase actually originates from the terminology used to refer to gaining entry to physical facilities.
Active content – This is the dynamic media — including JavaScript, polls, and animations — that runs on a site. In users with low-security settings enabled, this media automatically runs, opening the door for scripts and software to carry out other functions behind-the-scenes and unbeknownst to the user.
Adware – You see this pop up when you get unwanted advertisements appearing on your screen when you visit certain sites. Adware is highly problematic because it can not only disguise itself as a legitimate site and trick you into clicking buttons that actually trigger the download of software that can track you to collect data on your activities, but it can also add harmful software to your device.
Authentication – This refers to the sequence of steps by which the identity of a user or device is verified. Single passwords are the simplest form of authentication. Current best practices are for multi-factor authentication, where multiple different checks are used to verify identity since hackers are less likely to be able to provide various forms of verification.
Blacklist – Any collection of users, devices, or other entities that are not permitted access privileges.
Bot – An individual device that has been fed programming to act maliciously under the remote control of another administrator.
Bug – A functional glitch or imperfection present in a device or piece of code.
Certificate – This is virtual confirmation of the identity of a specific entity. This is usually issued by a Certificate Authority (CA) and is something that can be verified. When you visit a secure site, for example, your computer checks the site’s security certificates and in this way determines that the site is secure.
Data breach – Any event where information is shared with an untrustworthy party or opened up to an unsecured environment.
Data mining – The analysis of large data sets to identify previously unknown patterns or relationships. Often used towards positive ends, such as in medicine to discover health trends in populations or in academia to characterize social patterns, data mining can also be employed for malicious purposes by hackers.
Distributed Denial of Service (DDOS) – This is a form of attack that targets a specific server or network of servers, causing a massive, sudden surge in traffic with the intent of shutting down the servers. One of the most common ways for this to take place is for a hacker to use malware to gain access to several machines connected on the same network; these can then be controlled by the hacker or directs them to flood the network servers.
Encryption – This is a process of data conversion that transforms it using a secret code into a sequence that requires deciphering to be able to use; only authorized entities have the means to decode this sequence and access the data contained within.
Firewall – This can be constructed using software and/or hardware, but at its core, it sets a specific set of access permissions in place that control who can access a particular network. Secure firewalls offer several layers of protection from hackers and their malware.
Honeypot – This is a fake vulnerability that masquerades as a weakened part of your system or network, in an effort to bait a potential hijacker or other threat. It can be used as part of a security plan as a way to monitor whether the system or network is currently a moving target for any threats.
Keylogging – This is generally a malicious practice where keyboard input is secretly monitored as a way to keep tabs on a user’s activity. Aside from the violation of personal privacy inherent to this, this is particularly dangerous as it gives hackers access to input personal details such as credit card information and passwords.
Malware – This is a broad term that refers to any software that intrudes upon a computer system’s process in an unauthorized manner.
Phishing – This refers to the practice of using false communications to deceive people in a way that elicits their sharing of personal information and sensitive details. One typical example of phishing is when scammers send emails pretending to be the Internal Revenue Service or a bank, and scaring recipients into believing they are in trouble and need to resolve a conflict. This resolution always requires the user to share details so that they may be identified.
Ransomware – This is a form of malware that cannot be removed until payment of a ransom is received by the malicious instigator. The most common avenues for spreading ransomware include infected websites as well as phishing.
Spoofing – This refers to any method by which a user is conned. Successful spoofing is what leads users into sharing their details with the malicious party. For example, the impersonation involved with many phishing scams is an example of spoofing.
Spyware – This is malware that is secretly placed onto a system and monitors the user’s activities.
Threat – This is an imminent risk to exploit known or unknown opportunities for malicious individuals or organizations to infiltrate a system or network.
Virus – A piece of programming code that can secretly enter a computer, replicate, and then be transmitted to other computers.
Vulnerability – This is any potential opportunity for malicious individuals or organizations to infiltrate a system or network. Threats exploit vulnerabilities; and so, it might be a flaw in design or a gap in security protocols.
Whitelist – The opposite of a blacklist, this is a list of exclusions to a particular security rule, generated because the members of the list are known to be trustworthy.
Strong internet security teams are continually assessing the risks of their systems to prevent emerging vulnerabilities and consistently triage the highest risks associated with their systems and networks. The field of cybersecurity is continuously evolving as hackers riff off of existing malware and continually discover new vulnerabilities to exploit.
As technology continues to evolve and become capable of achieving new things, each advance also opens the door for new malicious acts and further sophistication in security breaches. It is the job of cybersecurity teams to always remain one step ahead and build their information systems in a way that prevents hackers from successfully infiltrating in any way.
by Felicien | Apr 26, 2019 | Education
The Tallahassee Democrat reported on April 5th that a large sum of money had been stolen from the city of Tallahassee’s employee payroll. The perpetrator is suspected to be a foreign hacker.
What was stolen in the hack?
The breech diverted approximately $498,000 from the city payroll account. Still, all city employees have received their earned paychecks. This hack was the second time in less than a month that a breach of city security had occurred.
How did the attack occur?
The city of Tallahassee employs an out-of-state third-party vendor to host their payroll services. Their employees should be paid regularly through direct deposit. However, a foreign hacker apparently targeted this third-party vendor, effectively redirecting the direct deposits to their own accounts.
The city of Tallahassee found out about the breach when their bank alerted them. Of course, employees found out simultaneously when they awoke to realize they had not been paid on payday.
Is there any way to get the money back?
In the majority of large scale hacks, stolen funds or data is difficult or impossible to retrieve. Still, with help from their bank, the city of Tallahassee has managed to recoup approximately a quarter of the stolen money.
They continue to pursue criminal charges against the hackers with the aid of law enforcement and their insurance provider as well.
How do cyber attacks like these occur?
Successful cyberattacks usually start with some form of an email hack. This is usually achieved through phishing.
In fact, before the most recent hack of the city of Tallahassee, an email had been sent out that appeared to be from the City Manager. It was actually from an outside hacker who had included a virus disguised as a Dropbox link in the email.
While it is not suspected that this email was related to the stolen payroll funds hack, this does happen. “Phishing” emails can help hackers procure useful information about accessing in-network files and accounts.
How can you prevent hackers from attacking your business?
Large municipalities such as Tallahassee City are increasingly being targeted in cyber attack thefts. But the truth is, any business — or individual, for that matter — can fall prey to a cyber attack.
Unfortunately, the retrieval rate on hacking thefts is not high, meaning that prevention is key. The best way to prevent a hack is to prevent phishing, as this is how most hackers access your systems and accounts.
Make sure that everyone on your staff is keenly aware of what to look for in terms of phishing emails. When in doubt, suspicious emails should be left unopened. Or, at the very least, links should not be clicked, and personal or account information should never be handed over unless it’s sure the request is legitimate.
It’s also important for businesses to employ the services of a reputable and experienced IT services provider. Look for one who specializes in cybersecurity and has experience dealing with hacking prevention.
