Year: 2019

Ransomware emails: How to identify

Posted on by Empower

 

 
Ransomware emails: How to identify and steer clear of them
 
Ransomware attacks have suddenly become more prevalent. Each year sees more of them. Hospitals, NPOs, shipping giants, etc., have all been victims of ransomware attacks. Your business could be too! Did you know that emails are one of the most common gateways for ransomware to get into your systems? In this blog, we tell you how you can stay safe by following a few tips.
 
If you think something is amiss, it probably is
Does that email seem unfamiliar? As though you weren’t meant to get it, or it doesn’t quite sound like your colleague wrote it? Perhaps it’s not. Malicious email senders often try to mask actual email IDs with something similar. For example: An email you believe to have come from [email protected] might actually be from [email protected]. So take a good look at the email ID if you spot something ‘phishy’.
 
Attachments and form fills
Does the email contain an attachment that you are being asked to save to your computer? Or an executable file that you are asked to run? Perhaps you are asked to submit your personal details at an authentic looking website. Before you do any of these, check the authenticity of the email and the message. Were you supposed to receive it? Were you expecting an attachment? You might even want to call the sender and confirm if you are unsure.
 
The message seems to instill fear or a sense of urgency
Often, malicious email messages urge you to take immediate action. You may be asked to log onto your ‘banking website’ ASAP to prevent your bank account from being frozen, or enter your ITR details onto a webpage to avoid being fined by the IRS. Real messages from your bank or the IRS will never force or hurry you to do something.
 
Other things you can do
 
Regular data backups
Conduct regular data backups so that in the eventuality of a ransomware attack, you don’t lose your data. Cybercriminals having access to your data is bad enough–it damages your brand and business reputation and can even attract lawsuits from parties whose personal information has been compromised, but, not being able to retrieve all that data in the aftermath of an attack is even worse. Regular backups help you in that regard, plus when you have a pretty recent data backup you are not reduced to the state of helplessness where you HAVE to pay the ransom to retrieve your data.
 
Install an anti-malware tool
Last, but not least, invest in anti-malware tools that can detect malware attacks and alert you before you fall prey to them. Such tools scan emails, links and attachments and alert you if they are found suspicious.
 
No matter how big or small a business you are, ransomware attack is a reality and applies to you. It is better to be prepared than having to cough up huge sums of money to free up your data later and even then there’s no guarantee your data will be restored by the cybercriminal. 

How good is your password

Posted on by Empower

 

 
How good is your password?
 
Did you know that having a weak password is one of the biggest security risks you face? This blog focuses on the best practices related to passwords that you can follow to ensure passwords are not your weakest link.
 
  1. Avoid sequences and repetitions: How many times have you used passwords like dollar12345 or $$$BobMckinley. Passwords containing sequences and repetitions are just easier to hack.
  2. Avoid using your personal data: Do not make your birth date, bank account number or address a part of your password. It puts your data at stake if your personal information is stolen.
  3. Don’t repeat passwords: Make sure you pick unique passwords every time. Unique, not only verbatim, but also in combination. For example, if password one is a combination of number, symbols and letters in that sequence, password two should be letters, numbers and symbols.
  4. Manual password management is not a good idea: Invest in a good password management tool. You can even find some free ones online. But, manually managing passwords, by writing them down on a spreadsheet is a big NO.
  5. Password sharing: Discourage password sharing across the organization. Every employee should have unique access to data depending on their role and authority. Password sharing gets things done faster, but can do irreversible damage.
  6. Password policy: Have a password policy in place and enforce it. Conduct timely audits to ensure the passwords match the specified safety standards. Also, take corrective actions against employees who don’t follow your password policies related to password sharing, setting, etc.
  7. Don’t use dictionary words: Hacking software programs can guess dictionary words faster. The key is to mix things up a little bit–some numbers, some symbols, some punctuation and some alphabets.
Don’t choose passwords that are way too simple just because they are easier to remember, because, more often than not, it can get you into a lot of trouble.

Keeping your data safe: Access Control

Posted on by Empower
 
 
Keeping your data safe: Access Control
 
Cyberattacks are a commonplace today. Malwares such as viruses, worms and more recently ransomwares not only corrupt your data or hold it hostage, but also inflict irreversible damage on your brand and business. As a norm, most businesses these days do invest in anti-virus/cybersecurity systems. But, is that really enough? The answer is–NO. Because, they often overlook one important aspect–access. Ask yourself, how easy is your data to access? How can you strengthen the walls that keep your data safe? Read this blog to find out.
 
Role-based access
Always follow a role-based access permission model–meaning people in your organization have access to ONLY the data they REALLY need. Generally, the higher the designation, the deeper the data access permission and stronger the rights. For example, someone at the executive level may not be able to edit your MIS spreadsheet, but a manager should be able to.
 
Formal password controls
No matter how good your cybersecurity, you need to ensure the protocols are followed at the ground level. Enforce policies regarding passwords strictly and hold violators accountable. Examples include-
  • Password combinations – Ensure your staff follows the recommended best practices when selecting passwords so there are no ‘easy-to-crack’ passwords
  • Password sharing – Thoroughly discourage password sharing across your organization. No matter who asks for it, passwords shouldn’t be disclosed unless authorized as per the protocols.
Don’t ignore physical security
Virtual security is a must, but so is physical security. Though there is only so much physical access controls can do in keeping your data safe in the BYOD era of today, don’t overlook this aspect. Installation of CCTV cameras on-floor, biometrics/card based access to your workspace/server rooms, etc. also have a role to play in data safety from the access perspective.
 
Training & reinforcement
Finally, train…train…train. You need to train your employees on the protocols for data security and access so they don’t mess up accidentally. Conduct mock drills, refresher trainings, follow up with quarterly audits, and use positive and negative reinforcements to ensure everyone takes it seriously. Because, at the end of the day, no cybersecurity software is good enough, if the best practices related to data access are ignored.

Smaller firms less likely to keep up to date on the basics that protect them

Posted on by Empower
 
 
Smaller firms less likely to keep up to date on the basics that protect them.
 
On the never ending problem of cyber security, small firms often do not have any/much in-house IT support. As a consequence, they may be less likely to be able to make sure their software is consistently updated to reflect any patches released by the product’s maker. This simple oversight, deliberate or not, is a major source of data breaches and ransomware attacks.Think back many years to when Microsoft pulled the plug on maintaining Windows XP. Many users refused to upgrade because there were afraid of losing compatibility with other software programs, the unintended consequences of moving to a new OS, or just not being sure how to install an upgrade. Whatever the issue, it meant those users had an operating system that was no longer updated to reflect the latest security fixes. Their operating system became an unlocked gate.
 
You may not be scared of technology, but as a small business owner, tracking the release of new updates or taking the time to install them as soon as they come out probably just isn’t a priority. You have a business to run. Adding to this problem, you may also allow your employees to use their personal laptops, mobile devices, and tablets for work duties. If that is the case, then every program on each of those devices is subject to the owner’s willingness and ability to update everything in a timely fashion. If any single device accessing your corporate files and data misses a security patch and is breached, so is your business.
 
The lesson here is that you need to take action to implement a company-wide process for maintaining all of your software applications so they don’t become an unlocked door in the middle of the night. A managed service provider can develop a plan to address update and security fixes on all the devices that access your data. It can be more than a small business owner can handle, so instead of ignoring the problem, reach out to find real solutions that will protect your business.

Cyberattacks and the vulnerability of the small business

Posted on by Empower
  
Cyberattacks and the vulnerability of the small business
 
You cannot go a day without reading about some big name company or even government agency being hacked and critical data being compromised. What you don’t see in the media is that most of the attacks happen to small firms, and that this is where a lot of the cybercrime is occurring. What any business, but especially a small business, needs to be afraid of are cyber attacks that disable your operations, disrupt customer interaction, or breach your customer’s personal data. Contrary to what one might expect, smaller firms are far more likely to be targets of hackers than large firms. They are also likely to have less sophisticated security measures in place. Any firm’s existence can be threatened by these events, but smaller firms are often unable to rebuild after a major breach. Studies show that customers are less forgiving of smaller firms than larger ones when their personal data has been compromised. The lesson here is that smaller firms are more vulnerable and need to be extremely vigilant. Talk to a managed service provider about some basic steps you can take to protect your business.

Denial is not a solution: Something you owe your customers and your employees

Posted on by Empower
 
 
Denial is not a solution: Something you owe your customers and your employees
 
Why do so many people procrastinate about making a will? Why is it so hard to get young people to buy health insurance? Because it is one of those “probably won’t happen–at least in the foreseeable future, and I‘ve got more interesting things to worry about or spend my money on” issues.
 
Small business owners tend to take the same approach to making business continuity plans in case of a disaster. They are usually fully consumed just running the business and keeping revenues steady and growing. Diverting energies and resources to a “what if” scenario just isn’t an imperative.
 
There are affordable, effective tools out there that will allow any smaller firm to develop effective business continuity plans, but they only work if you take action. Our best advice to overcome denial? Think of this scenario: If something happened right now and your entire operation came to a halt because of a cyber attack, a power failure, data loss, or a single point of failure hardware event, what would you do? Do you even know who you would call in for help?
 
It can be a scary thought, but one that merits your attention. Talk to a managed service provider about a proposal to develop a complete business continuity plan. You owe it to yourself and to all the employees who rely on your for their livelihood.

Limited investment capital and planning for trouble

Posted on by Empower

 

 
Limited investment capital and planning for trouble
 
Small businesses often fail to take the time to make business continuity plans. One aspect of a business continuity plan involves developing plans to handle the loss of physical infrastructure and hardware. Unfortunately, smaller and younger firms often fail to address these issues because they lack the necessary capital to invest in additional or supplemental equipment. Redundant servers, battery back systems or uninterruptible power supplies, and data backup systems that allow for offsite backup storage are the most obvious examples.
 
These can represent considerable capex for a small firm. However, these costs need to be weighed against the costs that would be incurred if a severe business interruption occurred. Encouragingly, new technology is creating tools for redundancy and data protection that don’t require additional hardware investments. The cloud is probably the single biggest savior for small businesses looking to defend against business interruption events. The cloud means you can offload many of your business processes and infrastructure to the cloud and sidestep creating expensive redundancies on your own. Offsite data storage, increased efficiencies as a result of shared data center costs, SaaS, and even data collaboration tools are added cost savings that can be provided by the cloud.
 
So before you throw up your hands and say you cannot afford to address business continuity, take another look. The cloud can redefine the paradigm of “business continuity.”

Data Protection Laws and PIIs

Posted on by Empower

 

 
Data Protection Laws and PIIs
 
Last week we discussed the overall concept of “Data Protection Laws,” which govern the handling and securing of specific data. While these laws are wide ranging, most of these laws reference Personally Identifiable Information (PII) This “refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” (https://www.gsa.gov/portal/content/104256) For example, if you possess an individual’s first initial and last name and store it with their credit card number, bank account, SSN or driver’s license number, that becomes a PII.
 
At the Federal level, the United States doesn’t have any overarching and comprehensive data protection laws of the sort that most European nations do, but they do exist and primarily affect individual sectors, such as healthcare. Presently 48 states in the US have some laws requiring private or governmental entities to notify anyone whose data has been breached. In other words, if you possess personal data, you may have a regulatory responsibility to report the breach to both a government entity and the individual victim. Failure to do so may mean you’re in violation of these laws and subject to fines and penalties.
 
So what does this mean for a small business? You need to be aware of the likelihood that you are regulated by such laws and that you have some responsibility to show that you have taken reasonable measures and put in place procedures to maintain the security and integrity of outside data.
 
As a responsible business owner, you have an obligation to be aware of any applicable laws, keeping in mind that your client or prospect data may include PII from those in other states or countries. You also have an obligation to protect that data. Keeping up with the best practices for protecting your important data from hackers and data thieves is an important responsibility of every small business. Contact a Managed Service provider to learn how they can support your business with a complete cyber protection plan.

Are you subject to Data Protection laws?

Posted on by Empower

 

 
Are you subject to Data Protection laws?
 
This blog introduces a new topic that many may be unaware of: Data Protection laws. These are laws that define fully, or in part, what type of data is covered by government regulations, proscribe general standards for the securing of covered data, and may also require notification of victims and governmental authorities in the event of a breach. Small businesses, no matter what product or service they provide, are likely subject to some manner of regulations regarding the storage and use of digital data. For instance, any medical office or organization that handles medical records is subject to HIPAA, the federal law regarding health data privacy. Meeting IT regulations can be expensive and time consuming and they also require timely upgrades. Failure to stay up to date can lead to fines, penalties, and a damaged reputation.
 
Chances are, you are subject to some data protection or data security laws. You are also very likely to be subject to breach notification laws. As a small business you should consider having an audit conducted to determine if you possess data that may be regulated by these laws. Failure to be aware that you are covered by them does not protect you in the event of a data breach.
 
In our next blog, we will discuss one category of information that is the focus of many data protection laws. This category is referred to as Personally Identifiable Information. When you discover what that includes, it will be pretty apparent why protecting this data is important for the integrity and success of your business.

Ransomware part I

Posted on by Empower
 
 
Ransomware part I
 
The daily reports of cybercrime are important reminders about the need to protect your business from malicious behavior that could threaten the success of your business. There are so many different things that can attack your computer, steal your data, and wreck your day. One of the most troublesome has been the development of ransomware. (FYI. Ransomware isn’t actually all that new– some version has been around for decades)  Ransomware is a type of computer virus that takes your data hostage and like any kidnapping scheme, demands money for the release of your data.
 
Why is ransomware so nasty? Because it steals the most important thing your business possesses. Data. Worse, once infected there isn’t generally a way out. No one can “disinfect” your machine. You aren’t going to be able to call in IT support to solve the problem. Basically, you have three options.

  1. Pay the ransom. This payment is usually via credit card or bitcoin (a digital currency). Some ransomware viruses even provide help lines if you’re having trouble. Of course there are no guarantees your will get access to your data–these are thieves you’re dealing with.
  2. Don’t pay and lose your data – This has its obvious downsides, unless…
  3. You have a safe, clean backup. In that case, you are stuck with the nuisance of restoring your data with the backup, but you aren’t out any money. However, this comes with a caveat: your backups have to be clean. The problem with ransomware viruses is that just making backups may not be sufficient to protect your data, as the backups can be infected also. In the next blog, we will address your need to add an additional layer of protection to handle ransomware attacks.

5 Ways SMBs Can Save Money on Security

Posted on by Empower

5 Ways SMBs Can Save Money on Security
 
Small-to-medium sized businesses and large enterprises may seem worlds apart, but they face many of the same cyber-security threats. In fact, in recent years, cyber-criminals have increasingly targeted SMBs. This is because it’s widely known that SMBs have a smaller budget, and less in-house expertise, to devote to protection. Thankfully, there are several things SMBs can do today to get more from even the most limited security budget. And, no, we aren’t talking about cutting corners. Far too often, SMBs cut the wrong corners and it ends up costing them more money in the long run. It’s a matter of taking a smarter approach to security. Here are five smart approaches to take

  • Prioritize – Every business has specific areas or assets critical to its core operations. Seek the input of valued staff and team members to determine what these are. Is there certain data that would be catastrophic if it was lost or stolen? If hackers compromise a network, or prevent access to certain applications, how disruptive would it be to daily business operations? What kind of potential threats or vulnerabilities pose the greatest risk to the company or your customers/clients? Focus on the most likely risks, not theoretical risks that “could happen.” Asking such questions gives you a clearer and more complete perspective as to where to focus available security resources.

  • Develop and Enforce Policies – Every SMB needs to implement a security policy to direct employees on appropriate and inappropriate workplace behaviors relative to network, systems, and data security. Merely drafting this document isn’t enough. Employees must be held accountable if they fail to adhere to policy. Such policies should be updated regularly to reflect new technology and cultural shifts. For example, a document written before social media took off, or before the BYOD (Bring-Your-Own-Device) movement, doesn’t necessarily apply today.

  • Education – Ongoing end user training must be provided. Many security breaches happen because employees fail to recognize phishing schemes, open emails from unknown sources, create poor passwords that are seldom changed, and don’t take proper precautions when using public Wi-Fi connections on personal mobile devices also used for work.

  • Take to the Cloud – Running applications and servers in-house is a costly endeavor. Leveraging the cloud today allows SMBs to cut costs while also strengthening their security. Cloud operators typically have built-in security features, alleviating SMBs of the burden of maintaining security themselves. Today, not only can SMBs shift much of the burden of IT to the cloud, but they can also outsource much of their security by taking advantage of the remote monitoring, maintenance, and security tools provided by Managed Service Providers (MSPs).

  • Don’t Aim for Perfection – There is no such thing as perfect security.  Striving for perfection is expensive and can prove to be more costly in the end.  Improving protection and response would be a more ideal allocation of funds.  It can take a hacker several months to figure out your systems and do real damage.  Having the ability to quickly detect their presence, and mitigate any potential damage they may cause, is a more realistic and less expensive approach than thinking you can completely remove any probability whatsoever of a hacker breaching your system.
 

Four Key Components of a Robust Security Plan Every SMB Must Know

Posted on by Empower
 
 
Four Key Components of a Robust Security Plan Every SMB Must Know
 
Most businesses are now technology dependent. This means security concerns aren’t just worrisome to large corporate enterprises anymore, but also the neighborhood sandwich shop, the main street tax advisor, and the local non-profit. Regardless of size or type, practically any organization has valuable digital assets and data that should not be breached under any circumstances.
 
This makes it the responsibility of every business, especially those collecting and storing customer/client information, to implement a multipronged approach to safeguard such information.
 
Yes, we’re looking at you, Mr. Pizza Shop Owner who has our names, addresses, phone numbers, and credit card information stored to make future ordering easier and hassle free.
 
Today’s SMB Needs a Robust Security Plan
Protecting your business and its reputation comes down to developing, implementing, and monitoring a robust security plan that adequately addresses everything from physical access and theft to the threat of compromised technology security.  This involves defining and outlining acceptable uses of your network and business resources to deter inappropriate use.  Here are four key components to consider.
 
Network Security Policy: Limitations must be defined when it comes to acceptable use of the network.  Passwords should be strong, frequently updated, and never shared.  Policies regarding the installation and use of external software must be communicated.
 
Lastly, if personal devices such as laptops, tablets, or smartphones are accessing the network, they should be configured to do it safely, which can be done easily with a reliable Mobile Device Management (MDM) solution.
 
Communications Policy:  Use of company email and Internet resources must be outlined for legal and security reasons.  Restricting data transfers and setting requirements for the sharing or transfer of digital files within and outside of the network is recommended. Specific guidelines regarding personal Internet use, social media, and instant messaging should also be clearly outlined. If the company reserves the right to monitor all communication sent through the network, or any information stored on company-owed systems, it must be stated here
 
Privacy Policy: Restrictions should be set on the distribution of proprietary company information or the copying of data.
 
Inappropriate Use: Obviously, any use of the network or company-owned system or device to distribute viruses, hack systems, or engage in criminal activity must be prohibited with the consequences clearly noted. Any website that employees cannot visit should be identified if not altogether blocked and restricted. For instance, downloading an entire season of True Blood from a Bit Torrent site isn’t an acceptable use of company Internet resources.
 
Every employee must know these policies and understand the business and legal implications behind them.  Companies must also make sure these policies are clear and understood by all, and most importantly, strictly enforced.
 
Contact us at Empower Information Systems