5 Things You Need to Know About Ransomware
Phishing and other internet-borne attacks threaten not only our personal computers but our workplace devices too. Here are the five things you need to know about ransomware scams.
How a Security Breach Can Ruin Your Reputation
Having your customers’ credit card numbers or personal information stolen or leaked in a data breach may be a CEO’s worst nightmare. Not only does your company face downtime and the expense of fixing the breach, it also stands to suffer reputational damage with a long-term impact on sales. In today’s data-rich world, computer security ranks among the top operational concerns for managers and senior administrators.
Frequent Password Changes: Is It Helpful or Does It Hurt?
By Barry Utesch, President TCS
The answer depends a lot on the regulations in your industry. The financial and health care industries require regular password changes regardless of any real benefit, so if you are in one of those industries you don’t have much say; you just need to comply. A study at UNC Chapel Hill on password change frequency found that when people were forced to change passwords often, they tended to create simpler passwords that followed a clear pattern, for example reusing the same password with the month and year of the change appended. The problem is that once an attacker knows one of those passwords, the next one is easy to guess; the researchers were able to crack a large share of the new passwords within seconds, starting from the old ones. The obvious fix is a policy that forbids reusing any portion of the previous password. However, if you’re like me and all you want to do is log in and get to work, having to invent a brand new password with no similarity to the last one before you can begin your day is frustrating at best, especially if you’re in a time crunch.
For most small businesses, I would suggest that changing passwords once or twice a year is frequent enough. The exceptions are when a key person leaves or when there is any possibility that a password has been compromised.
If you’re like me, you log in to dozens or even hundreds of websites and programs. Keeping up with an individual password for each of these is not only impractical, it is nearly impossible. I know that reusing passwords is not a good idea, but I’m not creative enough to have unique passwords for each site. Probably one of the best ways to solve this problem is to use a commercial password management tool. These tools can create completely random passwords for you and automatically fill in the password field, so that you don’t have to remember the password for each site.
In summary: making your passwords more complex and changing them less often is a better strategy than recycling simple passwords that change frequently.
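To make the UNC finding concrete, here is an added example (not code from the original post) of what an attacker does with one known password: enumerate the handful of transforms people apply when forced to rotate (new month/year suffix, bumped trailing number, season word, added symbol) and test each candidate against the hash of the new password. A manager-generated random password is not in that candidate set. The user, passwords and salt are constructed for illustration.

```python
"""Why "same password plus the date" is not a new password."""
import hashlib
import os
import re
import secrets
import string
from typing import Dict, List, Optional


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 stands in for whatever the target system stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def successor_candidates(old: str) -> List[str]:
    """Enumerate the passwords a patterned rotation is likely to produce next."""
    cands = set()
    base = re.sub(r"\d+$", "", old)           # password with trailing digits removed
    trailing = re.search(r"\d+$", old)
    if trailing:                               # pass12 -> pass13 ... pass22
        n, width = int(trailing.group()), len(trailing.group())
        for k in range(1, 11):
            cands.add(f"{base}{n + k:0{width}d}")
    for yy in ("15", "16", "17"):              # month/year suffix in either order
        for mm in range(1, 13):
            cands.add(f"{base}{mm:02d}{yy}")
            cands.add(f"{base}{yy}{mm:02d}")
    for season in ("Spring", "Summer", "Fall", "Winter"):
        for yr in ("15", "16", "2015", "2016"):
            cands.add(f"{base}{season}{yr}")
    for ch in "!@#$":                          # symbol appended to satisfy a complexity rule
        cands.add(f"{old}{ch}")
        cands.add(f"{base}{ch}")
    cands.discard(old)
    return sorted(cands)


def crack_from_old(old: str, target_hash: bytes, salt: bytes) -> Optional[str]:
    """Return the new password if it is a predictable successor of `old`, else None."""
    for cand in successor_candidates(old):
        if hash_pw(cand, salt) == target_hash:
            return cand
    return None


def manager_style_password(length: int = 20) -> str:
    """What a password manager generates: uniformly random, no pattern to extend."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo() -> Dict[str, object]:
    salt = os.urandom(16)
    old, new = "Tarheels0115", "Tarheels0415"   # constructed January -> April rotation
    random_new = manager_style_password()
    return {
        "patterned": crack_from_old(old, hash_pw(new, salt), salt),      # recovered
        "random": crack_from_old(old, hash_pw(random_new, salt), salt),  # None
        "candidates_tried": len(successor_candidates(old)),
    }


if __name__ == "__main__":
    print(demo())
```

The whole candidate list is about a hundred guesses, well inside any online lockout budget if the attacker spreads them over a few days, which is why a "no portion of the previous password" rule or a generated password is the real fix rather than a shorter rotation interval.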
For more information, check out our website at www.tcsusa.com
Why You Should Be Creating SOPs
Standard Operating Procedures
We recently acquired a client with a very vibrant staff that is a joy to work with, lots of technology, and a very open culture of sharing…except in the IT department. The previous IT director was/is a brilliant guy who solved some very thorny business problems with very clever technology (their marketing platform involves 7 vendors, each feeding into the next platform with exceptional reporting, incredible ROI and massive profitability for our client!). He had one major blind spot however – due to his technical brilliance, he didn’t document a LOT of “obvious” processes.
Everything from “How to set up a new employee on GMAIL” to “How to redirect email for ex-employees to a new hire” to “The 9 accounts each employee needs” to “How to set up Printer 15 on OSX”.
Now, you may be thinking “Well DUH, Raj, those are obvious. Any tech can do that work,” and I agree with you: any tech should be able to do this work. However, without proper documentation it leads to downtime, staff frustration and wasted time.
Prior to developing the NEW HIRE SETUP SOPs, it took 2 weeks to set up a new employee (1st request: set up email for JANE DOE; 2 days later: “can I have access to TEAM CHAT and BILLING SOFTWARE?”; 4 days later: “Hey, I’m using Mike’s CRM login, can I have mine please?”)
In each case, Jane did the right thing – she kept filing tickets and asking for what she needed next.
However, at the same time, Jane’s onboarding experience was frustrating, the client’s company culture looked like a mess to a new hire, and the confidence Jane had in her company’s products and services, and the confidence she exuded to their clients, was weakened.
All because no one thought to document the “obvious” SOPs. Having a new employee be frustrated or ineffective for 2 weeks is an expensive waste of human, financial and organizational capital.
POST NEW HIRE SETUP SOPs:
We built 7 SOPs for this client: SOPs to create accounts in GMAIL, TEAMCHAT, MARKETING APP, CRM, BILLING, PRINTER CODES, SECURE PASSWORD PORTAL
Now, a new hire setup takes 2 hours.
That means, the new employee gets to work quicker, is happier, more productive and the faith she has in her employer’s expertise and professionalism radiates in her interactions with her clients.
The questions I’d like you to answer are: Are you creating the “obvious” SOPs? Or are you making your staff & clients suffer needlessly?
National Cyber-Security Awareness Month
By Barry Utesch, President TCS
October is National Cybersecurity Awareness Month. You may not consider your small business a target for cyber attacks because of its size, or because you don’t think you have anything worth stealing. However, small businesses hold exactly what cyber criminals seek: employee and customer records, bank account information, access to the business’s finances, and access to the larger networks they connect to.
“How could we prevent this from happening?” The simple answer is that you can’t stop the attempts. The criminals spoof the President’s email address and learn who your CFO is from your own website; they use the website and social media to target you. The only reliable defense is a two-step verification process inside your accounting department. For example, before a wire transfer is initiated, someone must confirm it by voice with the person who supposedly requested it, using a phone number from your own directory, not a number supplied in the email. If a voice call is impossible, a text message to the CEO’s phone is the fallback. The wire transfer scam is the most popular right now, but it is certainly not the only way cyber criminals try to separate you from your hard-earned dollars.
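The verification step above is easier to enforce when it is written down as a rule rather than left to judgement. The following is an added example, not a TCS procedure or tool: it holds a wire unless the real sender address is on the company domain (flagging lookalike domains such as a dropped letter or a digit for a letter, which goes a little beyond the post) and unless a confirmation has been recorded at the requester’s directory number rather than a number the email supplied. The domain tcsusa.com and the phone number come from this page; the directory entry, addresses, messages and amounts are constructed for illustration.

```python
"""Out-of-band verification before a wire is released."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

COMPANY_DOMAIN = "tcsusa.com"
# Numbers come from HR's directory, never from the message being verified (constructed entry).
DIRECTORY: Dict[str, str] = {"president@tcsusa.com": "336-632-0860"}

# Substitutions criminals use when registering a lookalike domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


@dataclass
class WireRequest:
    from_header: str                    # raw From: header as received
    reply_to: Optional[str]             # Reply-To header, if any
    callback_in_email: Optional[str]    # number the email asks you to call
    amount: float
    confirmations: List[Dict[str, str]] = field(default_factory=list)


def sender_address(header: str) -> str:
    """Extract the address from 'Display Name <addr>' or a bare address."""
    m = re.search(r"<([^>]+)>", header)
    return (m.group(1) if m else header).strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_risk(addr: str) -> str:
    """'ok' for our domain, 'lookalike' for near-misses, otherwise 'external'."""
    domain = addr.rsplit("@", 1)[-1]
    if domain == COMPANY_DOMAIN:
        return "ok"
    normalised = domain.translate(HOMOGLYPHS).replace("rn", "m")
    if edit_distance(normalised, COMPANY_DOMAIN) <= 2:
        return "lookalike"
    return "external"


def release_decision(req: WireRequest) -> Tuple[str, List[str]]:
    """Return ('release', []) or ('hold', [reasons])."""
    reasons: List[str] = []
    addr = sender_address(req.from_header)
    risk = domain_risk(addr)
    if risk != "ok":
        reasons.append(f"sender domain is {risk}: {addr}")
    if req.reply_to and sender_address(req.reply_to) != addr:
        reasons.append("Reply-To differs from the sender address")
    trusted_number = DIRECTORY.get(addr)
    if not any(c["channel"] in ("voice", "text") and c["number"] == trusted_number
               for c in req.confirmations):
        reasons.append("no confirmation at the requester's directory number")
    if req.callback_in_email and any(c["number"] == req.callback_in_email
                                     for c in req.confirmations):
        reasons.append("confirmation used a number supplied by the email")
    return ("hold", reasons) if reasons else ("release", [])


def demo() -> Dict[str, Tuple[str, List[str]]]:
    # Constructed requests: a lookalike domain with its own callback number,
    # a genuine request confirmed at the directory number, and a genuine
    # address with a foreign Reply-To and no confirmation at all.
    spoofed = WireRequest('"TCS President" <president@tcsusa.co>', None, "555-0100", 48000.0,
                          confirmations=[{"channel": "voice", "number": "555-0100"}])
    verified = WireRequest("president@tcsusa.com", None, None, 48000.0,
                           confirmations=[{"channel": "voice", "number": "336-632-0860"}])
    unverified = WireRequest("president@tcsusa.com", "urgent-wires@tcsusa.co", None, 48000.0)
    return {name: release_decision(req)
            for name, req in (("spoofed", spoofed), ("verified", verified), ("unverified", unverified))}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(name, decision, reasons)
```

The important design choice is that the trusted number is looked up from the directory by the sender address, so a criminal who controls the reply channel gains nothing by putting a helpful "call me at" number in the message.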
One of the best things you can do to protect your credit cards is to designate one card for personal use and another for business. This makes unusual transactions easier to spot and also makes tax time much easier. Checking regularly for unusual transactions, or setting your banking system to send an email every time a transaction is processed, lets you catch a strange charge immediately.
Training your employees to be skeptical of all requests is probably the single greatest antidote to cybercrime today. There are inexpensive solutions available online to help you with this, and TCS can also assist you with them.
Today most cybercrime comes from external sources; just a few years ago most of these crimes were perpetrated by employees inside the company. If you’re not currently doing employee background checks, I would suggest that you begin immediately.
Last but not least, another form of protection is insurance. Carriers are beginning to offer cyber coverage, and I would suggest that it deserves a serious look. There are limits to what these policies cover, but they can take the sting out if you are the unfortunate victim of cyber crime.
Security on your network is a layered approach; no single security feature is going to protect you from the bad guys.
TCS Lunch-N-Learn, “Developing a Modern Network Security Strategy”
Great turnout at our Lunch-N-Learn at Flemings Steakhouse! TCS Owner Barry Utesch gave a presentation on “DEVELOPING A MODERN NETWORK SECURITY STRATEGY.” For more information on our next Lunch-N-Learn, or if you have any questions, please contact Ashley Lamb.
Every minute of every hour of every day, a cyber criminal is attempting to steal your company’s data. The question isn’t WILL you be hacked, but WHEN will you be hacked? Can your company really afford to ignore this?
Headlines appear weekly about data security breaches. These intrusions are not isolated to publicly traded companies; they are happening all around us. Often, smaller companies are unaware that they have been compromised while cyber criminals capture employees’ and clients’ personal information.
Every organization has a responsibility to ensure they are doing all they can to secure company/client data and minimize opportunity for cybercriminals.
Cyber Security Advice For Your Business:
Super Bowl 50 is over and with it the 2015 football season. I can’t help but see parallels between defending your business from cyber criminals and a good defense in football. Both kinds of defense are made up of parts that must work together to deliver an excellent result. A defense composed of one really strong part and six to ten weak parts will not give you the desired result; it takes multiple best-in-class components operating together as one cohesive unit.
So that this explanation won’t seem overly complex, I’m going to give you the highlights of the seven things I believe are critical for your business to have a great defense against cyber criminals. None of these are complex, and you may be surprised at how basic they are.
First on my list is installing patches and updates on all endpoint devices weekly. By endpoint I mean any device that connects to your network: smart phones, tablets, laptops, PCs and so on. These devices should receive software patches and updates every week, and some person or some automated method must confirm that this is actually happening consistently. Don’t assume it is; verify it.
Number two is up-to-date anti-malware software on all endpoints. By anti-malware I mean antivirus, which today typically detects all types of malware. I feel confident you already have this kind of product in place. The more important questions are: are you monitoring and managing it, do you know it is up to date on every device, and are the signatures less than three days old?
Third on my list is complex passwords that change regularly. How frequently they change is up to you unless your industry is regulated by an external governing body. In most small businesses the frequency is really about preference and convenience, so I would suggest that a semiannual password change is frequent enough, with additional forced changes whenever a key person leaves, regardless of the reason. Additional policies I recommend: prevent USB drives from being recognized automatically when plugged in, require passcodes on all mobile devices, lock a user account for 10 minutes after 3 failed password attempts, and wipe smart phones and tablets after 10 failed logins.
Fourth is a current-model firewall with deep packet inspection. Firewalls age much like personal computers and should be replaced on about a five-year cycle. Processor speeds, RAM and the sophistication of the software change rapidly, so if your firewall is more than five years old you are not taking advantage of the advances introduced since.
Fifth on my list is content filtering of Internet traffic, which means not allowing your employees to go anywhere and everywhere on the Internet. This doesn’t need to be incredibly strict, but any HR consultant will tell you that blocking obvious non-business websites protects you from lawsuits and improves employee productivity.
Sixth on my list is a management-approved plan of action for BYOD (bring your own device). There need to be clear written policies around employees using their own devices on your network. Clear, written and signed policies mean that when you have a problem or a breach, everybody understands the steps to rectify it.
Last but certainly not least is employee training. You need to train your staff to be skeptical of all requests for sensitive information regardless of where they come from. Gartner Group, a research organization, indicates that 97% of corporate breaches occur through the human element rather than lapses in technology. Training and educating your employees is a critical component of your cyber security plan.
To recap: train your people to be skeptical of all requests for sensitive information; keep your workstations patched and updated; keep your anti-malware software up to date; set network policies via software so that USB drives are not auto-recognized; require secure passwords and change them regularly; erase smart devices after more than 10 failed logins in a row; confirm that your firewall is less than five years old; implement content filtering of Internet traffic; and finally, write up an approved plan of action for BYOD and a plan of action for when an intrusion is detected. No cybersecurity plan is impregnable; if the bad guys can break into the US Department of Defense they can certainly break into your network. Your job is to make your network less attractive than 90% of the other networks out there and thereby redirect the bad guys to someone else.
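Most of the items above have a number attached (patched within a week, signatures under three days old, lockout after 3 failures for 10 minutes, wipe after 10, firewall under five years), which means they can be checked rather than assumed, as the first point asks. The following is an added example, not a TCS tool: it audits a constructed device inventory against exactly those thresholds and reports one finding per failed control. The field names and the sample inventory are assumptions for illustration; in practice the values would come from your patch, anti-malware and MDM consoles.

```python
"""Audit an endpoint inventory against the seven-point checklist."""
from datetime import date
from typing import Dict, List

MAX_PATCH_AGE_DAYS = 7        # patches and updates weekly
MAX_SIGNATURE_AGE_DAYS = 3    # anti-malware signatures under three days old
MAX_FIREWALL_AGE_YEARS = 5    # replace firewalls on a five-year cycle
LOCKOUT_THRESHOLD = 3         # lock the account after 3 failed attempts...
LOCKOUT_MINUTES = 10          # ...for 10 minutes
WIPE_AFTER_FAILURES = 10      # wipe phones/tablets after 10 failed logins


def audit_device(dev: Dict, today: date) -> List[str]:
    """Return one finding per control the device fails (empty list = compliant)."""
    findings: List[str] = []
    name = dev["name"]
    if dev["type"] == "firewall":
        age_years = (today - dev["installed"]).days / 365.25
        if age_years > MAX_FIREWALL_AGE_YEARS:
            findings.append(f"{name}: firewall is {age_years:.1f} years old, past the 5-year cycle")
        return findings
    if (today - dev["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"{name}: last patched {(today - dev['last_patch']).days} days ago")
    if (today - dev["signature_date"]).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append(f"{name}: anti-malware signatures are stale")
    if dev["type"] in ("pc", "laptop"):
        if dev.get("usb_autorun", True):
            findings.append(f"{name}: USB drives are auto-recognized")
        lock = dev.get("lockout") or {}
        threshold, minutes = lock.get("threshold", 0), lock.get("minutes", 0)
        if threshold == 0 or threshold > LOCKOUT_THRESHOLD or minutes < LOCKOUT_MINUTES:
            findings.append(f"{name}: lockout policy weaker than 3 attempts / 10 minutes")
    if dev["type"] in ("phone", "tablet"):
        if not dev.get("passcode", False):
            findings.append(f"{name}: no passcode required")
        if dev.get("wipe_after", 0) == 0 or dev["wipe_after"] > WIPE_AFTER_FAILURES:
            findings.append(f"{name}: no wipe after 10 failed logins")
    return findings


def audit(inventory: List[Dict], today: date) -> Dict[str, List[str]]:
    """Audit every device; the result maps device name to its findings."""
    return {dev["name"]: audit_device(dev, today) for dev in inventory}


# Constructed inventory for a small office, as of a fixed date.
TODAY = date(2016, 2, 10)
INVENTORY = [
    {"name": "FW-1", "type": "firewall", "installed": date(2010, 3, 1)},
    {"name": "PC-01", "type": "pc", "last_patch": date(2016, 2, 8), "signature_date": date(2016, 2, 9),
     "usb_autorun": False, "lockout": {"threshold": 3, "minutes": 10}},
    {"name": "LAPTOP-07", "type": "laptop", "last_patch": date(2016, 1, 15),
     "signature_date": date(2016, 2, 1), "usb_autorun": True, "lockout": {"threshold": 5, "minutes": 10}},
    {"name": "PHONE-03", "type": "phone", "last_patch": date(2016, 2, 1),
     "signature_date": date(2016, 2, 10), "passcode": False, "wipe_after": 0},
]


def run_audit() -> Dict[str, List[str]]:
    return audit(INVENTORY, TODAY)


if __name__ == "__main__":
    for device, findings in run_audit().items():
        print(device, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

Run weekly, the list of findings is the "some person or some method" the first point calls for: an empty report is evidence, a report nobody runs is an assumption.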
Backup, Continuity, or Archiving: What Do You Need For Your Business?
As a 30-year veteran of the industry, I’ve personally lost data on a few occasions. Losing valuable data is the unfortunate reality of working with technology if you don’t have a good backup routine. As an IT provider to several hundred clients in central North Carolina, we understand that the most important thing we do for our clients is to make sure their data is backed up, and backed up successfully.
The simplest option, and the one every organization needs, is a backup of your data. Historically this meant a once-per-day copy written to tape or to an external hard drive. If the primary copy of your data was corrupted or failed, you could restore to the point of your most recent backup, which typically meant the previous day, since most backups ran only at night when people were off the system. It also meant that if your data was corrupted at 5 o’clock in the afternoon and your most recent backup was from midnight the night before, you lost an entire day’s work. A basic backup should be done nightly, and we normally recommend a minimum of 5 days of history. You want several days of history in case a file that is only used weekly is corrupted: with only a day or two of backups you might overwrite the last good copy with the corrupted one without realizing it. The ideal drive rotation is Monday, Tuesday, Wednesday, Thursday, Friday 1, Friday 2, Friday 3, Friday 4 and Friday 5, where the weekday sets are reused each week and each Friday set is reused only on the same Friday of the following month. This allows you to reach back more than a month to find a needed file.
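The rotation is easier to reason about when you can ask "which backups still exist on a given day?" The following is an added example, not from the post: it simulates the Monday to Thursday plus Friday 1 to 5 rotation alongside a plain two-drive nightly swap, then checks whether a file corrupted on a Monday and only noticed on Thursday can still be recovered under each scheme. A backup dated d is taken on the night of d, so it is only clean if d is earlier than the day of the corruption. The dates are constructed.

```python
"""Simulate the Mon-Thu plus Friday 1-5 rotation against a two-drive swap."""
from datetime import date, timedelta
from typing import Callable, Dict, Optional

LabelFn = Callable[[date], Optional[str]]   # date -> media label (None = no backup that day)


def two_drive_label(d: date) -> Optional[str]:
    """Two external drives swapped every business night; weekends skipped."""
    if d.weekday() >= 5:
        return None
    return "A" if d.toordinal() % 2 == 0 else "B"


def rotation_label(d: date) -> Optional[str]:
    """Mon..Thu sets are overwritten weekly; 'Friday N' is the Nth Friday of the month."""
    wd = d.weekday()
    if wd >= 5:
        return None
    if wd < 4:
        return ("Monday", "Tuesday", "Wednesday", "Thursday")[wd]
    return f"Friday {(d.day - 1) // 7 + 1}"


def surviving_backups(label_fn: LabelFn, start: date, asof: date) -> Dict[str, date]:
    """Map each media label to the date of the backup currently on it."""
    media: Dict[str, date] = {}
    d = start
    while d <= asof:
        label = label_fn(d)
        if label:
            media[label] = d          # overwrites whatever that set held before
        d += timedelta(days=1)
    return media


def oldest_restore_point(label_fn: LabelFn, start: date, asof: date) -> date:
    return min(surviving_backups(label_fn, start, asof).values())


def good_copy_available(label_fn: LabelFn, start: date, corrupted_on: date, noticed_on: date) -> bool:
    """Does a backup taken before the corruption still exist on the day it is noticed?"""
    survivors = surviving_backups(label_fn, start, noticed_on).values()
    return any(d < corrupted_on for d in survivors)


def demo() -> Dict[str, object]:
    start = date(2016, 1, 4)                              # constructed: first Monday of 2016
    corrupted, noticed = date(2016, 2, 8), date(2016, 2, 11)   # Monday, noticed on Thursday
    oldest = oldest_restore_point(rotation_label, start, noticed)
    return {
        "two_drive_recoverable": good_copy_available(two_drive_label, start, corrupted, noticed),
        "rotation_recoverable": good_copy_available(rotation_label, start, corrupted, noticed),
        "rotation_oldest": oldest.isoformat(),
        "days_of_history": (noticed - oldest).days,
        "rotation_sets": {k: v.isoformat() for k, v in
                          sorted(surviving_backups(rotation_label, start, noticed).items())},
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With two drives, by Thursday both hold post-corruption data and the good copy is gone; with the full rotation, Friday 1 still holds the previous Friday, and Friday 2 reaches back 34 days, which is the "more than a month" the post promises.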
The second option is continuity, or high availability. When you think of continuity, think of a bank or an airline reservation website that cannot be down; a reservation system needs continuous access to its information. Your requirement may not be as strict as a bank’s or an airline’s; perhaps you can afford a four-hour window of downtime. Continuity isn’t a requirement for every business, but every business needs to be able to recover and get back to work in a reasonable timeframe, and you will need to decide what reasonable means for yours. The closer you want to come to 99.999% uptime, the higher the price of building and delivering the solution. You have probably seen the graph of the cost of perfection, where the cost curve turns almost straight up with no end in sight; that is what you will experience if you try to achieve a very high level of reliability.
The last item is archiving. Archiving is separate from the previous two and is typically an independent system, or at least a distinct process. Archived data is not “live” data; it is static, and if it can be changed then it isn’t really an archive. The other distinction is that an archive is permanent storage for historical purposes that is searchable in its final state. Backup and continuity copies would not be described as searchable; they can be searched, but the process is cumbersome and it is not their purpose. Think of backing up email so that active mail can be restored after a corruption: the email has to be restored from the alternate site back to the primary site before you can go back to work. The alternate site is not meant to be searched or used live; it is secondary by design.
Archiving can also be applied to data in motion, such as email, so that every message sent inside or outside the company is archived and searchable later. In some regulated industries this type of archiving is mandatory, but for most businesses archiving is optional.
Smart Device Security
Are you providing smart phones or tablets to your employees without managing those devices?
You could be opening up a security hole to your network.
Cyber criminals are continually looking for new ways to break into your network. Desktops and laptops are the favorite target, but with the growing number of smart devices, criminals are highly motivated to develop new ways in through those devices. Symantec’s “2015 Internet Security Threat Report” found that 17% of Android applications were actually malware in disguise. (Apple’s App Store and Google Play are normally safe, as both work hard to vet the products they carry.) Stopping this type of threat means limiting which applications can be installed on your smart devices, but that isn’t their only way in. Email phishing accounts for a very high percentage of computer infections, and smart devices are next. Phishing via email has primarily targeted PCs, but I have to believe that smartphones are the next “Blue Ocean” strategy for cyber criminals.
If your smartphone is like mine, once someone gains access, either physically or through a malware application, they have access to all of my email, to files stored in Office 365 or Google Docs, and to the VPN back to my corporate network. If you use Apple Pay or Android Pay on the device, they could pay with your cards as well.
One of the major challenges with smart devices is the ease of physical access. Phones and tablets are often left lying on a table or counter, and a thief can grab one and go without being noticed. So what is an IT manager to do?
I have good news because securing your smart phones and tablets is not as complicated or as expensive as you might think.
Yes, it is a good idea to have a tool that lets you manage all of your devices in bulk, and depending on the number of devices involved it may be necessary. On a simpler level, the single most effective thing you can do to secure your smart devices is to require a passcode. Ideally the code is something better than four 9’s, which could be discerned just by looking at the fingerprint smudges on the screen. Four to six digits that mean something to you but nothing to a stranger, and that don’t form an obvious pattern, are the practical minimum. iOS imposes increasing delays after repeated failed passcode attempts, and you can also set it to erase the device after 10 failed attempts. This basic step of requiring a passcode thwarts most physical attacks. A side benefit is that it keeps your kids from changing your ringtone to that crazy, embarrassing one.
Managing the email on your devices through Office 365 or a similar tool is clearly a wise choice. Through these utilities you can force a device to have a passcode and restrict the ability to install applications, and you can manage the company’s smart devices so that your internal support staff don’t spend significant amounts of time on them.
IT departments understand the importance of patches and updates on computers, and in the same way you shouldn’t delay installing patches and updates on your smart devices. I’m not advocating being a beta tester for every update, but after two to three weeks it makes sense to get them installed. Keeping your devices up to date in order to protect them is just good business.
To see what is available for managing your smart devices, search for “smartphone management tools” and you will find lots of choices. We can help you with this as well: 336-632-0860.