Monthly Archives

May 2020

Employees Going Remote? 5 Cybersecurity Best Practices to Keep Them Safe

Filed under: Security

The number of remote workers in the U.S. has grown in recent years. In 2012, 2.5 million people in the U.S. were considered remote workers; according to a report published by Global Workplace Analytics, that number had jumped to 3.7 million by 2017, and these figures do not include self-employed individuals. Is your organization transitioning to a remote work model because of a shift in the way you do business, or in response to an event outside the organization, such as the COVID-19 global pandemic? If you are responsible for your organization’s network security, you may feel some angst about entrusting employees to make sound decisions that protect the organization’s resources. After all, you can implement every endpoint protection measure available, but in the end you are trusting employees to do the right thing. An educational session, backed by a handbook they can keep or easily access, will equip them to make choices that keep the organization’s resources protected. If the transition must happen quickly and there is no time for cybersecurity training, giving remote employees a short list of key best practices is a good substitute.

The five key actions below help remote employees stay safe while working away from the office:

1. Understand the Risks

Employees may have read about cyberattacks in the news without understanding the consequences for the organization or the part they play in minimizing risk. They should know that while the organization’s IT professionals are responsible for protecting its resources from cyberattacks and other unwanted intrusions, every employee shares that responsibility, and it is greatest when an employee works somewhere remote from the organization. Beyond the financial cost, a cybersecurity incident can damage an organization’s reputation. Employees may assume the danger falls only on the organization, but any security fallout reaches its people too: their personal information may be exposed to an unauthorized party, and the organization may have to reduce staff or cut benefits while it recovers from an attack.

An important step is instructing employees to report security issues right away. Tell them whom to contact and how. When an employee does report a problem, don’t berate them or make them feel bad about it; people who are punished for reporting stop reporting, and a phishing click reported within minutes is far cheaper to deal with than one discovered weeks later.

2. Safeguard Entry Points

The first step in a cyberattack is gaining access to the target’s assets without authorization. Two common points of entry are weak passwords and unprotected hardware, and the weaknesses in both areas are remarkably simple to fix.

Passwords

A list of cybersecurity best practices is incomplete without passwords. According to the Verizon 2019 Data Breach Investigations Report, lost, stolen or weak credentials are involved in a large share of hacking-related breaches. At the very least, employees should use strong passwords. Length matters more than character variety: a long passphrase of several unrelated words (“correct horse battery staple” is the classic example) resists guessing far better than a short password dressed up with an exclamation point (!) or ampersand (&), and it is still easy to remember. What makes a password weak is being short, predictable (a dictionary word with the usual substitutions, such as “P@ssw0rd!”), or already exposed in an earlier breach. Once they have a strong password, employees must resist the temptation to reuse it across accounts. If a cybercriminal obtains a password from one site, the next step is to try it everywhere else (credential stuffing), so every account, and especially every work account, needs its own.

A password that people often overlook is the one used to log in to and manage their home wireless router. The device is usually installed with a default administrator username and password. If remote employees haven’t replaced those defaults, they should change them right away. The router’s management address and the default login are often printed on a label on the back of the router; otherwise they should contact their provider. While they are logged in, they should also install any available firmware update and confirm that remote (Internet-side) administration is switched off.

If employees are worried about memorizing strong, unique passwords, they should use a password manager. These applications generate and store a different password for every account, so the reuse problem disappears and the employee only has to remember one strong master passphrase. KeePass, LastPass, and 1Password are popular password managers. In addition, not instead, turn on multi-factor authentication (MFA) wherever it is offered: a second factor such as an authenticator app on a phone or a hardware security key means a stolen password alone is not enough to log in, and it should be mandatory for email, the VPN, and any administrative account.
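
To make the length-versus-complexity point concrete, here is an added example (not from the article or BACS) that scores a password by the size of the search space an attacker faces, rejects anything on a breached-password list, and flags the reuse a password manager would catch. The thresholds (12 characters, 60 bits), the small breached-password list, and the vault contents are assumptions constructed for the example; a real deployment would check against a breach corpus such as Have I Been Pwned.

```python
import math

# Constructed stand-in for a breached-password corpus (a real check uses a
# breach database such as Have I Been Pwned). Entries are lowercased and the
# candidate is compared case-insensitively.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "p@ssw0rd!", "welcome1!", "summer2020"}

# Assumed policy values for this example, not figures from the article.
MIN_LENGTH = 12   # characters
MIN_BITS = 60     # naive brute-force estimate


def charset_size(password: str) -> int:
    """Size of the smallest printable-ASCII alphabet that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33   # space and punctuation
    return size


def entropy_bits(password: str) -> float:
    """Bits an attacker must search by brute force: length * log2(alphabet).

    This is an upper bound. Dictionary words and predictable substitutions
    shrink the real search space, which is why the breached-list check exists.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def assess(password: str) -> dict:
    """Return {'bits', 'ok', 'reasons'} for one candidate password."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in a breached-password list")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    bits = entropy_bits(password)
    if bits < MIN_BITS:
        reasons.append(f"brute-force estimate {bits:.0f} bits is below {MIN_BITS}")
    return {"bits": round(bits, 1), "ok": not reasons, "reasons": reasons}


def find_reuse(vault: dict) -> list:
    """Group account names that share a password; vault maps account -> password.

    This is the check a password manager performs across its stored entries.
    """
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return sorted(sorted(accounts)
                  for accounts in by_password.values() if len(accounts) > 1)


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, assess(pw))
    # Constructed vault: the same password guards two accounts.
    print(find_reuse({"vpn": "correct horse battery staple", "email": "Tr0ub4dor&3",
                      "bank": "Tr0ub4dor&3", "router": "admin"}))
```

The dressed-up “P@ssw0rd!” fails on all three counts, the eleven-character “Tr0ub4dor&3” passes the character-mix test yet still fails on length, and the four-word passphrase passes comfortably. The estimate is deliberately naive (it assumes brute force over the whole alphabet), which is exactly why the list check is there: a password built from dictionary words with predictable substitutions is far weaker than its length suggests.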

Hardware

Unprotected hardware is appealing to cybercriminals. The protections installed and configured by IT staff lose their effectiveness when employees neglect basic physical precautions. They should always lock the screen when stepping away from the computer, even if their remote location is a home office. Social media is full of images of children and pets wreaking havoc on unattended computers; they may be entertaining, but the same playful acts can send an unintended email or open a file. Employees should treat any device that connects to your organization’s network or stores work-related information as a valuable tool that must always be protected, and full-disk encryption (BitLocker or FileVault) should be enabled on it so that a lost or stolen laptop does not turn into a data breach.

Videoconferencing has become a popular way to connect people in an organization who are working from different remote locations. Because it is another network-connected application, it has vulnerabilities of its own, and the safeguards that apply to a computer apply to videoconferencing too. In the article “Video conferencing risks when working at home: 16 ways to avoid them”, Norton provides a list of useful tips for teleconferencing safely. One important tip they give is to turn off the webcam when it isn’t in use. It is also worth protecting meetings with a password or waiting room so that uninvited participants cannot join.

3. Use a Secure Connection

One absolute must is that employees connect to your organization’s network over a secure connection. The standard method is a virtual private network (VPN). A VPN establishes an encrypted tunnel between the employee’s device and the organization’s VPN gateway: everything sent through the tunnel is encrypted, so the local network (a home router, a hotel or café Wi-Fi) can neither read nor tamper with it, and the systems the employee reaches see the gateway’s address rather than the employee’s home IP address. Two caveats apply. The protection ends at the VPN gateway, so traffic that continues from there to the Internet is only as protected as the application itself (HTTPS) makes it. And a VPN does nothing for a device that is already compromised, which is why it should be paired with the endpoint protections below and with MFA on the VPN login itself.

Employees should be discouraged from using public Wi-Fi. Open public networks carry data without any link-layer encryption, so anyone within range can capture it, and even password-protected hotspots are shared with strangers who can try to impersonate services on the network. If public Wi-Fi is unavoidable, the VPN should be connected before anything else is opened, and a phone’s personal hotspot is usually the safer alternative.

4. Protect Your Tools

Employees should only use applications that have been approved by the IT department. Downloading software from an unvetted source can bring adware, spyware, and other malware along with it. Company-supplied computers should have anti-virus/anti-malware software and a host firewall installed and, ideally, centrally managed so that IT can see when protection lapses; employees should install the same protections on any personal device they use for work or to reach the organization’s network. It also helps for employees to stay aware of current threats. CSO Online, a security news publication, provides up-to-date coverage of current threats that you can pass on to remote employees.

Employees should think of the operating system as living software: security patches and updates arrive constantly. The easiest way to get them is to turn on automatic updates. The reboots may be annoying, but employees must understand that keeping the operating system current closes the holes attackers exploit and keeps the system running well. The same goes for all approved software on the machine, especially the web browser and its extensions.

5. Be Watchful and Proactive

An employee’s responsibility to safeguard your organization’s resources doesn’t end once the safeguards above are in place. They should also watch for suspicious or unusual activity and report it to the IT department or the organization’s designated cybersecurity contact.

Make sure they know the following:

  • Pay attention to every communication you receive. If an email looks suspicious, don’t open its attachments or click its links. Common red flags are poor grammar and misspellings, a sender address or Reply-To that doesn’t match the name shown, links whose visible text doesn’t match where they actually point (hover over a link before clicking), unexpected attachments, and pressure to act immediately.
  • Be aware that cybercriminals may attempt to obtain personal information or credentials by email, text message, and phone call. A request can be verified by calling the sender back on a number you already know, never on one given in the message.
  • Scams and phishing are often tied to a current event. For example, cybercriminals may use messages about COVID-19 stimulus payments to get your attention.
  • If you have a security issue, such as losing a company-owned device or a personal device that holds corporate data, report it right away.
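
As an added example (not part of the article), the following script applies the red flags in the list above to a raw email message: a Reply-To that points away from the sender’s domain, links whose visible text names one domain while the href goes to a bare IP address or a punycode look-alike, an attachment whose name ends in an executable or macro extension, and pressure language tied to a current event. The sample message, the phrase list, the extension list, and the two-label approximation of a domain are constructed assumptions for the example, not rules from the page.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists for the example; a mail gateway would maintain far longer ones.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".docm", ".xlsm")
PRESSURE_PHRASES = ("urgent", "immediately", "suspended", "verify your account", "stimulus")
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")   # IPv4 only, for brevity

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def _host_of(text):
    """Hostname from a URL, or from bare text such as 'portal.example.com/login'."""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

def phishing_flags(raw_message):
    """Return the red flags found in one RFC 5322 message (empty list = none found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    # 1. Reply-To pointing somewhere other than the apparent sender.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 2. Odd URLs: bare IP hosts, punycode look-alikes, link text that hides the real target.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        host = _host_of(href)
        if IPV4_LITERAL.match(host):
            flags.append(f"link points at a bare IP address: {href}")
        if any(label.startswith("xn--") for label in host.split(".")):
            flags.append(f"link host is punycode (possible look-alike domain): {host}")
        if "." in text and " " not in text:   # visible text looks like a URL or domain
            shown = registrable_domain(_host_of(text))
            if shown != registrable_domain(host):
                flags.append(f"link text shows {shown} but goes to {host}")
    # 3. Attachments that execute or carry macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"executable or macro attachment: {name}")
    # 4. Pressure to act now, often tied to a current event.
    haystack = (str(msg.get("Subject", "")) + " " + content).lower()
    hits = [p for p in PRESSURE_PHRASES if p in haystack]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags

# Constructed sample (not real mail; documentation domains and addresses).
PHISHING_SAMPLE = """\
From: "Payroll Team" <payroll@example-corp.com>
Reply-To: payroll-help@example-corp-verify.net
Subject: URGENT: stimulus payment requires immediate verification
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended unless you verify immediately.</p>
<p><a href="http://203.0.113.5/login">https://portal.example-corp.com/login</a></p>
<p><a href="http://xn--exmple-corp-9zb.com/reset">Reset password</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--b1--
"""

if __name__ == "__main__":
    for flag in phishing_flags(PHISHING_SAMPLE):
        print("!", flag)
```

Run on the constructed sample it reports six flags; the same function returns an empty list for an ordinary internal reminder whose link text and destination agree. It is deliberately a heuristic, the kind of check an email gateway runs before a person ever sees the message, and it does mechanically what the hover-before-you-click advice asks of a human: compare what a link says with where it goes.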

Summary

The tips presented here are to help employees practice safety while working remotely. An underlying requirement is that you have implemented a robust infrastructure. If you are uncertain about the system currently in place, BACS can assess the specific needs of your organization and help your organization to implement a centrally managed cybersecurity solution that protects its resources. To learn how BACS can help you develop, implement and manage a robust cybersecurity plan, please connect with us at (650) 887-4601 or complete this contact form and we will connect with you.

Five Significant Ways Cybercrime Can Damage Your Business During and After a Security Breach

Filed under: Security

It Won’t Happen To Me

If you think the size of your business keeps it from being a target of cybercrime, think again. According to the National Cyber Security Alliance, twenty percent of small businesses were victims of cybercrime in the last year, and that figure counts only reported cases. Because many small business owners are reluctant to report security breaches, it is safe to assume the real number is much higher. Why do cybercriminals target small businesses? Precisely because believing that cybercrime won’t happen to you makes you easy prey, with no protections in place or grossly inadequate ones.

An estimated 82,000 new malware threats appear every single day, and roughly half of cyberattacks are aimed at small businesses. You don’t hear about them because the news prefers to report on massive breaches, and because many incidents are kept quiet by the company for fear of bad publicity, fines, lawsuits, or plain embarrassment.

Adding to the “it won’t happen to me” mindset, owners of small businesses also assume that because their businesses are small, the consequences of a security breach will be minor too.

Here are five significant ways cybercrime can damage your business during and after a security breach, regardless of the size of your business.

  1. A Damaged Reputation

When your clients discover that cybercriminals got hold of their data, do you think they will rally around you or have sympathy for your situation? What if your clients are patients worried about very personal medical records? What if you manage their financial information? Will they understand that you could have done better, but you didn’t believe it could happen to you or didn’t want to spend the money, and decided to take the risk instead?

News of a breach travels fast on social media, and your clients will demand answers. Will your explanations satisfy them? No protection carries a 100% guarantee, but your clients expect you to put in place the measures that are adequate for your type of business. If they find out you haven’t, their trust erodes, your reputation suffers, and business is lost over the long term.

  2. Government Fines, Legal Fees, and Lawsuits

Breach-notification statutes remain one of the most active areas of the law. Data breaches and data privacy are areas where legislators continue to push for “massive and mandatory” rules and fines. If you expose client data to cybercriminals, the courts will not be on your side, and this does not apply only to big corporations: any small business that collects customer information has an obligation to tell those customers when it experiences a breach. All fifty states and the District of Columbia now have their own data breach notification laws, and they are getting tighter as we speak.

If you’re in financial services or health care, you have additional notification requirements under the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Health Insurance Portability and Accountability Act (HIPAA). Among other things, the HIPAA Breach Notification Rule requires a covered entity to report a breach affecting 500 or more individuals to the Department of Health and Human Services without unreasonable delay and within 60 days, and, when more than 500 residents of a single state or jurisdiction are affected, to notify prominent media outlets serving that area. The SEC and FINRA likewise require financial services firms to report breaches to them and to the relevant state regulators.

You must ensure you are compliant, and that you remain so.

  3. Never-Ending Costs

One breach, one ransomware attack, one rogue employee you didn’t protect yourself against, can create hours of extra work for your already maxed-out staff. Add the cost of downtime from business interruption and the cost of backlogged work. Then there is the lost revenue, plus the forensics costs of determining what kind of attack occurred and which parts of your network and data were compromised. And don’t forget the emergency IT costs to restore you to normal, if that is even possible.

In some cases you may even pay the ransom, with no guarantee that you get your data back. Add legal fees and the cost of counsel to help you respond to your clients and the media. Cash flow is disrupted and budgets are blown. In some states you will also be required to provide a year of credit-monitoring services to the consumers affected by the breach.

Research by the Ponemon Institute put the average cost of a data breach at $225 per record compromised, a figure that factors in downtime, lost revenue, recovery costs, fines, legal fees, and so on. Do the math for your company: how many client records, how many employees? Multiply that number by $225 and you start to get a sense of how much cybercrime can cost your business.

  4. Bank Fraud

If cybercriminals access your bank account and steal funds, your bank is generally not obliged to replace them: the consumer protections that cover personal accounts do not extend to business accounts. Verne Harnish, CEO of Gazelles, Inc. and author of the best-selling book The Rockefeller Habits, found this out the hard way.

Hackers accessed his computer and intercepted emails between him and his assistant. They used that access to instruct the assistant to wire $400,000 to three different accounts. Because Harnish was funding several real estate and investment ventures at the time, the instruction did not look unusual to the assistant, and with reassurances from the hackers posing as Harnish, the assistant made the transfers. Harnish didn’t notice because the hackers deleted his daily bank alerts. He never recovered the money, and the bank was not responsible for the loss. A simple rule prevents this: any payment instruction that arrives by email, especially one that changes an account number or is marked urgent, is confirmed by a phone call to the requester on a known number before the money moves.

Do you think that no one on your staff is capable of a single mistake or a single lapse in judgment?

  5. Infecting Your Clients Through You

Locking your data or stealing money from you are not the only motivations for hackers. Some want to use your server, website, or accounts to spread malware and compromise other computers, including your clients’. They can use you to relay spam, host malware or phishing pages, or push their religious or political agenda, and because the traffic comes from you, it carries your reputation with it.

Which Protections Should You Have In Place Now?

Now that you understand the possible damages to your business from cybercrime, we recommend you have protections in place to significantly reduce the chances of these types of security breaches happening and to minimize the severity and impact if they do occur.

You should also know there is no way we, or anyone else, can 100% guarantee you won’t get compromised. You can only put smart protections in place to reduce the chances, to protect data, and to demonstrate to your employees, clients, and the lawyers that you were responsible and not careless.

We recommend all small businesses have the following protections in place ASAP.

  • QBRs Or Quarterly Business Reviews And Security Risk Assessments
  • Proactive Monitoring, Patching, and Security Updates
  • Relevant Insurance Policies Review
  • Data Breach And Cyber-Attack Response Plan
  • Ransomware Backup And Disaster Recovery Plan
  • Mobile And Remote Device Security Policy
  • More Aggressive Password Protocols
  • Advanced Endpoint Security
  • Multi-Factor Authentication
  • Web-Filtering Protection
  • Cyber Security Awareness Training
  • Protections For Sending/Receiving Confidential Information Via E-mail
  • Secure Remote Access Protocols
  • Dark Web/Deep Web ID Monitoring

Our preemptive Cyber Security Risk Assessment will give you the answers you want, and the certainty you need.

The Pros And Cons Of Migrating To The Cloud

Filed under: Cloud, IT Support

Are you looking into moving your computer network and operations to the cloud? You have probably received confusing and conflicting advice and no real answers to your questions about security, cost, or whether it is appropriate for your organization at all.

There isn’t one perfect solution. All available options – be it an in-house, on-premise server or a cloud solution – have upsides and downsides you need to evaluate on a case-by-case scenario. Do not be led to believe that there is only one way of doing things. Sometimes a hybrid solution where some applications are in the cloud, and some are hosted and maintained from an in-house server may be what’s best for your organization.

To start the evaluation process and avoid expensive, time-consuming mistakes, here are the general pros and cons of cloud computing.

Pros Of Cloud Computing

Lower IT Costs

Decreasing costs is typically the most compelling reason companies move their network (or part of it) to the cloud. You save on software licenses, hardware (servers and workstations), and IT support and upgrades. If you hate continually writing cash-flow-draining checks for IT upgrades, you will want to look into cloud computing; do budget for the ongoing subscription, since the savings come from avoiding capital outlays rather than from the service being free.

Easy Access from Anywhere

Cloud computing lets you reach your desktop and applications from any device, anywhere: a desktop at the office, a laptop at home, or a tablet while traveling.

Automated Disaster Recovery and Backup

The server in your office is vulnerable to many threats: malware, human error, hardware failure, software corruption and, of course, physical damage from natural disasters. If your office becomes a pile of rubble but your server is in the cloud, you could be back up and running the same day with nothing more than a new laptop. That kind of recovery is not possible with a traditional network that relies only on on-site storage.

Major cloud platforms are also generally more robust than the average small-business network. They use economies of scale to invest heavily in physical security, redundancy, and failover systems, so outages are rare. Keep in mind, though, that security in the cloud is a shared responsibility: the provider secures the underlying infrastructure, while the configuration of your accounts, permissions, and data remains your job, and the majority of cloud data exposures result from customer misconfiguration rather than provider failure.

Faster, Cheaper, and Easier New Employee Setup

Cloud computing is especially effective for a seasonal workforce or one with high turnover, because it lowers the cost and raises the speed of setting up new employee accounts and, just as important, of removing access when someone leaves.

Usage Without Ownership

While you use cloud technologies, you have no responsibility for installing, updating, and maintaining the infrastructure itself. This is particularly attractive for companies that are new or expanding but don’t want the substantial cash outlay required to purchase and support an expensive computer network.

“Greener” Technology

Cloud computing saves on power and your electric bill. For smaller companies the savings will be too small to measure, but for larger companies with multiple servers running 24/7/365 and a server room that must be cooled continuously, the savings are considerable.

Cons Of Cloud Computing

The Internet Goes Down

Even with a commercial-grade Internet connection and a secondary backup connection, there is always the chance that at some point you will lose connectivity and be unable to work.

Data Security Concerns

Many people don’t feel comfortable having their data in an off-site location they don’t control. When choosing a cloud provider, find out where your data will be stored, how it is encrypted in transit and at rest and who holds the keys, how access is assigned and logged, and how you get your data back (and have it deleted) when you leave.

Compliance-Related Issues

Several laws and regulations, among them Gramm-Leach-Bliley, Sarbanes-Oxley, and HIPAA, require companies to keep control of their data and even to certify that they know and control who accesses it, who sees it, how it is stored, and where. In a public cloud environment this can be a problem, because some providers won’t tell you precisely where they store your data, although the major platforms let you pin data to a chosen region.

Most reputable cloud providers undergo independent audits and can supply SOC 1 and SOC 2 reports (the successors of the older SAS 70 standard) that describe their environment, how data enters and leaves it, and how it is processed. Still, as the business owner it’s your neck on the line if the data is compromised, so ask for current reports, for a signed business associate agreement if HIPAA applies, and for validation on an ongoing basis that they continue to meet the regulations that apply to you.

Migration Gotchas

In addition to pros and cons, there are some migration-related hitches you need to know about transitioning to a cloud-based environment. When done right, a migration to a cloud solution should be like any other migration. You need to have a plan, determine and meet the necessary prerequisites, and iron out the quirks once you make the transition.

Every company has its own environment, so it is practically impossible to plan for every potential pitfall; however, here are some important aspects of migration you will want to ask your IT consultant about before leaping.

There Can Be Downtime

While some businesses cannot afford any downtime, others can do without their network for a couple of days. Communicate your specific tolerance for downtime and make sure your IT provider has a well-thought-out plan to keep the migration within that limit.

Performance Can Be Painfully Slow

Before making the full migration, run your network in a test environment. Imagine your frustration if, after migrating, you find that everything runs so slowly you can barely work. Since every situation is slightly different, it is best practice to test before you transition fully.

3rd-Party Applications Could Fail

If your organization uses plug-ins or integrations with other applications, test that everything still works in the new environment.

We recommend a Cloud Readiness Assessment before you migrate to the cloud, consisting of a complete review and inventory of your company’s current network, backups, and technologies. It will answer the following questions.

  • Can cloud technologies eliminate the cost, complexity, and problems of managing your in-house server and, at the same time, give you more freedom, lowered costs, tighter security, and instant disaster recovery?
  • Are your IT systems safe from hackers, viruses, and even rogue employees?
  • Are your backups configured so you could be back up and running again fast in the face of a disaster?
  • If you already use some cloud technologies, are you protected from the harm, lawsuits, or financial devastation that security leaks, theft, data loss, hacks, or violating ever-expanding data privacy laws could bring?

Having these answers will guide your company to higher efficiencies and profits, better strategic plans, and more tools and systems to fuel growth.