Posts

Cyber Threat Series Overview

Protecting your network, systems, apps, data, and people is no easy task as the scope and variety of attacks continues to multiply.  You want and need to protection, but must make smart buying and decisions. Too little or too much means higher risk or unnecessary cost.

We see your business as a target not because we know cyber criminals have you in their sights, but because most cyber attacks throw a wide net and catch those who are unprepared. Appropriate measures to prevent, protect, and respond to cyber attacks has business value and should be part of your IT strategy and plans.

As a series of blog posts, this Cyber Threat Series intends to educate and inform. We will cover the types of risks and attacks and how to prevent them. We discuss solutions. We take a pragmatic approach that respects priorities and budgets.

Topics will include


Contact us to discuss your cyber threat protections. The Cloud Advisory session is complimentary and without obligation.


 

Dark Web Threat Alerts

When Your Identity is on the Dark Web

Dark Web Threat AlertsAs a courtesy to our existing clients and prospective clients, we have been running complementary Dark Web Summary Scans of their domains. These summary scans let us know how many email addresses from each domain currently appear on dark web and identity theft websites. We can then perform a more detailed scan and analysis to identify the specific user identities.

The results are fascinating.

Of 200 domains recently scanned:

  • 87.4% had at least one potential identity compromised
  • The average number of potentially compromised identities is 41%
  • 16% of the companies had more exposed identities than users, indicating breaches occurred from multiple sources

What does this mean?

Just because employee@yourcompany.com appears on a dark web or identity theft site does not mean that the user account on your system has been breached.

It does mean, however, that a breach is likely. And, the more exposed identities for your domain, the greater the risk.

How does it work?

Chances are, your employees are using their work email address, employee@yourcompany.com, as their login identity for other systems.  These other systems are often work related services like Uber, Dropbox, online banking, credit cards used for business expenses, etc. Studies show that about 80% of people use the same or substantially similar passwords across systems.

If there is a data leak or breach at one of these third party services, hackers will test the identity on other systems.  If you have an employee whose email and password were leaked in one of the Dropbox incidents, for example, cyber criminals will test that email address and password, along with similar passwords, across common services like G Suite, Office 365, Facebook, LinkedIn, Instagram, and others.

A compromised identity on a third party service can easily lead to a breach of your systems.

What to do:

  • Get the Details:
    Get a detailed scan on your domain to clearly identify which user identities are exposed and at risk.
  • Mitigate Your Risk:
    Work directly with identified staff to reset passwords. Run additional scans on their systems for malware.
  • Communicate:
    Educate, train, and guide users on the risk of identity breach and how to avoid becoming a victim. Provide guidance, coaching, and policies around the use of company email addresses on other systems and best practices for password selection and management.
  • Challenge:
    Periodically test your employees using “honeypot” and “sandbox” methods to determine who is following best practices and who remains susceptible to attack.
  • Monitor:
    Monitor your domain, and personal accounts of key executives, for future issues and respond accordingly.

Next Steps

Your best next step is to contact us (email or web) to

  1. Request a detailed Dark Web Scan
  2. Discuss security education and testing services
  3. Setup on-going monitoring for your domain

 

 

Quickbooks

The QuickBooks Hosting Challenge

QuickbooksQuickBooks is the leading accounting package for small business. And yet, many businesses cannot run QuickBooks Online, the Software-as-a-Service (SaaS) version. Whether the online versions lack industry-specific features you need, or you have integrated third party tools/add-ons, staying with an on-premise version of QuickBooks remains the best solution for your business.

As you move to the cloud, hosting your QuickBooks Pro, Premier, or Enterprise system makes sense. You keep the version of QuickBooks you need and improve accessibility, reliability, security, and resiliency from system failures and disasters.

In general, we find two levels of common QuickBooks hosting options. Looking at these services more closely, we find these services often fail to meet basic needs without expensive upgrades.  Fortunately, we have a third option designed to deliver the business value you need and want.

Basic

Basic QuickBooks hosting services run between $27 and $30 per user per month, with you purchasing and providing the QuickBooks license key. These services start with 1 GB of storage with fees for added storage that add-up quickly. Adding storage you need for reports, exports, etc., can easily increase the cost to the $75-$90 per user per month range. More importantly, your instance of QuickBooks is running on shared servers and on a shared network. As such, you have greater risk for performance issues, security breaches, and outages. In this type of multi-tenant environment, the actions of other can impact your business. These services offer backup, usually once per day with a fixed retention period of 7, 14, 30, or 90 days, depending on the service.

Better

The better QuickBooks hosting services cost between $49 and $60 per user per month, with you purchasing and providing the QuickBooks license key.  These services also start with 1 GB of storage with fees that add up when you need more space. Typical fees quickly creep up to the $95 to $120 per user per month range.  The main difference is that these services generally run your version of QuickBooks on a dedicated server, but still run on a shared network. While this does reduce the chance of interference from other tenants, this model still has your service running in the same security envelope as other companies. You still have a risk. Like the basic services, you have a once per day backup with a fixed retention period that varies with each service provider.

Best

The best solution for hosting QuickBooks will use your license of QuickBooks in the following environment:

  • Dedicated server
  • Private network
  • A usable amount of storage included (100 GB or more)
  • Flexible backup schedules and retention plans
  • Easy access from desktops, laptops, tablets, and smartphones
  • Access to Excel (MS Office) in the hosted environment

We this type of setup, you are more secure, will have better performance, and greater reliability.

The good news is that we can build you this type of environment at a cost comparable to other services, and we can integrate your QuickBooks environment with your Office 365 or G Suite service.


If you are interested in learning more about QuickBooks hosting options, please contact us for a free Cloud Advisor session.


 

Rules and Regulations

Rules, Regulations, and Results

Rules and RegulationsFor Small and Midsize Enterprises (SMEs), the regulatory landscape remains in a perpetual state of flux with changes originating at the Federal, state, and local levels. While some rules and regulations can severely impact your business’ operations, and profitability, many create requirements that you can easily satisfy at a nominal cost.

Three regulations with upcoming deadlines or increased enforcement include:

HIPAA

HIPAA compliance is a requirement for any organization that works with personal health information of individuals — not just medical offices and insurance firms. If you are sharing employee information about benefits, insurance coverage, medical leaves, or other items that involve personal health information (PHI), you have an obligation to protect the PHI. Failure to do so can result in heavy fines and, in a few instances, criminal charges.

Historically, HIPAA compliance has focused on medical practices, insurance, and brokers. We are starting to see audits of non-medical companies, along with fines for those not in compliance. 

Fortunately, you can protect PHI by focusing on the individuals that are authorized or likely to handle sensitive employee information.  By focusing on HR, payroll, and key executive and leadership roles, you can deploy services like message-level email encryption.

What to do:

  • For as little as $5 or $6 per user per month, you can ensure that specific individuals protect PHI and sensitive information while preventing accidental disclosure
  • Contact us for information about encryption, DLP, and other HIPAA solutions.

ELD

Starting December 18, 2017, all interstate trucks in the US must use an Electronic Logging Device (ELD) to track operations and required reporting.  According to the US Department of Transportation (USDOT), fewer than 1/3 of interstate trucks have installed ELDs as of mid-November. Failure to comply can result in heavy fines, impounding of vehicles, and disruption of delivery schedules.

While enforcement is not expected to impact small and midsize trucking firms until late spring or summer of next year, your business can still be at risk.

Here are a few things to note:

  • If you have your own truck(s), they may be classified or registered as Interstate Trucks, even if you only deliver within your state.
  • If you use third parties for shipping, their failure to comply can disrupt your deliveries if trucks are stopped or impounded, or if drivers are pulled off the road.

What to do:

  • Check your own vehicles:
    • Determine if they are properly registered as Interstate Trucks, or if they should be registered as such
    • If you do not have ELDs yet, please contact us for low cost, self-install ELDs with logging software subscriptions
  • Check with your shipper(s):
    • Confirm their trucks, those of their subcontractors, and any owner/operators are properly registered and have ELDs
    • If not, have them contact us for help

GDPR

Effective May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) takes effect. While GDPR covers data protection and privacy for citizens of EU member states, treaties allow enforcement in action against US companies operating within the US.

If you have any personal data for citizens of EU member states, you are responsible for GDPR compliance.

GDPR means more than encrypting sensitive data.  GDPR includes processes and procedures for governance, including:

  • A named Data Protection Officer (DPO) responsible for oversight, compliance, and response to individual inquiries. The DPO role can be full time or part time, internal or contracted.
  • You must report suspected breaches within 72 hours of becoming aware of the issue.
  • You need to deploy privacy by design — any new system or change in systems requires primary consideration of privacy and information security.
  • You must be able to demonstrate that you mitigate risk, even in the absence of a privacy breach.

Fortunately for most SME’s the appropriate policy changes and the risk-mitigation technologies need not be expensive of complicated.

What to do:

  • Discuss GDPR with your team, and your legal counsel, to determine your required compliance
  • Provide training, education, and “cultural support” for a data privacy mindset within your organization
  • Review systems storing or processing personal information for security and privacy compliance
  • Select and deploy relevant data loss prevention (risk mitigation) solutions for your environment

Need help? Contact us for more information.


 

Google Drive

Team Drives Launches for G Suite Business, Enterprise, & Education

Google DriveMost file storage solutions weren’t built to handle the explosion of files that are now created and shared in the cloud — because they were initially designed for individuals, not teams. With this amount of shared data, admins need more controls to keep their data safe and teams need to feel confident working together. Team Drives deliver the security, structure and ease-of-use enterprises need by making it easy to:

  • Add new team members. You can manage team members individually or with Google Groups and give them instant access to relevant Team Drives.
  • Keep track of your files if a team member leaves. Team Drives are jointly owned by the team, which means that anything added to Team Drives stays there no matter who comes or goes. Whirlpool Corporation, for example, uses Team Drives to manage file access. Says Troy McKim, Collaboration Principle at Whirlpool Corporation, “If you place files for a project in Team Drives, you don’t have to worry about losing them or moving them when files are re-owned.”
  • Understand and manage sharing permissions. Team members automatically see the same files regardless of who adds or reorganizes them. You can also manage share permissions by defining the restrictions for editing, commenting, reorganizing or deleting files.
  • Manage and view Team Drives as an admin. Admins can see Team Drives for a user and add new members if necessary: “Team Drives also ease the speed at which a team member can onboard and become effective in their new role,” says McKim.

Team Drives are now generally available to all of our G Suite Business, Education, and Enterprise customers.

4 Lessons from the Q4 Data Breach Review

Last week, our strategic partner Privacy Ref held their quarterly review of recent data breaches.  In his presentation, Ben Siegel, CIPM, identified 4 lessons learned from recent data breaches, including: Google Android; Hillary Tentler, CPA; Folsom State Prison; and the Internal Revenue Service.

#1: Unauthorized Mobile Apps Create Risk

Issue: Users can download apps from sites other than the Google Play store. These apps are not “vetted” and gain access to tokens used to control users’ accounts.

Lesson: As the threat is outside of Google’s control, you need to put systems in place to prevent unauthorized apps from access your company’s data via mobile devices.

#2: Local Data is At Risk, Too

Issue: In the burglary of an accountant’s home, three hard drives were stolen and only one was recovered during the arrest.

Lesson: Physical devices, when stolen, can result in a serious data breach; While moving 100% cloud is more secure, it may not be a practical option for your business yet. You should ensure any local data is encrypted and subject to regular backup.

#3: Internal Breaches are Still a Breach

Issue: A file including names, social security numbers, and other sensitive data was saved to a shared location accessible to anybody in the organization.

Lesson: You can protect yourself from internal breaches with solutions that use defined business rules to automatically enforce permission restrictions based on the content of your files.

#4: It is Too Easy to Email Protected Information

Issue: Employees were sending emails with personally identifiable information (PII) clearly visible, in violation of regulatory requirements.

Lesson: You should not rely on people to do the right thing all of the time — mistakes happen and can be damaging and costly. System exist that scan and encrypt emails automatically if they contain sensitive or protected information.


Do you need a privacy assessment or a privacy plan review? Are you ready to better protect your data — on premise and/or in the cloud?

Contact us to discuss your needs.


 

Fast Fact

Fast Fact Friday: Trusting Cloud Security

Fast FactAccording to a recent survey of 950 IT executives and staff members by BetterCloud found that:

IT Execs are 29% less likely than their staff to say their team lacks full control over their SaaS applications

IT Staff are 56% more than their bosses likely to feel they lack full visibility into SaaS applications

IT Staff are 139% more likely than IT Execs to believe the former employees still have access to company data


Are you moving to the cloud? Is your roadmap in line with your business goals? Contact us for a no-obligation Cloud Advisor session.


 

Myth Busting

Myth Busting Monday: Cloud Lacks Security

Office365-Logo-and-textSecurity is still the biggest fear across SMBs considering the cloud.  IT leaders and C-level execs worry about spies, cyberthieves, governments, and vendors access their company’s data. This fear is unfounded.

You are the Sole Owner of Your Data; You Manage and Control Privacy and Access.

Like most reputable and trustworthy cloud providers, Microsoft runs the Office 365 based on several key principles:

  • Microsoft never mines your data for any reason other than to provide you with the Office 365 services
  • Microsoft’s staff does not have access to your data
  • If you leave Office 365, you can always take your data with you
  • You control the security and privacy settings; you determine who has access to what
  • Auditing and supervision prevent your admins from unauthorized access to your data

Beyond the core security and privacy capabilities of Microsoft Office 365, we offer additional configuration, tools, and services to ensure compliance with privacy regulations and/or your internal policies.

Fear not the lesser known security of the cloud. Learn, trust, and go.


This is the sixth of a multi-part series designed to help companies better asses the opportunity and value of cloud-based solutions. Contact us to schedule a free, no-obligation Cloud Advisor session to discuss your priorities and plans.


Fast Fact

Fast Fact Friday: Ransomware Cloud Attacks

Fast FactAccording to the Datto’s 2016 Global Ransomware Report, a survey of 1,100 IT service providers …

70% report Dropbox being the target of the ransomware attack

44% of attacks targeted Professional Services

38% of attacks targeted Healthcare


Are you moving to the cloud? Is your roadmap in line with your business goals? Contact us for a no-obligation Cloud Advisor session.