Posts

Security Best Practices to Protect Your Admin Accounts

In any client environment, it is critical for you to protect your admin account with current security best practices. Most cloud services have multiple levels of admin accounts, including a super admin with the ability to access, manage, and change every configuration and security setting. In many cloud services, “super admin” accounts also have blanket access to your data. In effect, your super admin and admin accounts hold the keys to your kingdom.

Protecting and managing admin accounts is critical for keeping your data and your business secure.

Here are four security best practices for managing and protecting admin accounts.

1 Multi-Factor Authentication

While we recommend multi-factor authentication (“MFA”, also known as Two Factor Authentication or Two-Step Verification) for all user accounts, the added protection of MFA is critical for super admin and admin accounts. MFA helps to protect your admin account by preventing somebody from using stolen or compromised credentials to access your cloud services, your data, and your business.

For Super Admin accounts, consider a FIDO-compliant security key.  These keys, or fobs, are physical devices that provide a timed access code required to log in. Keys provide the most secure method for multi-factor authentication, and are our number one recommendation when it comes to security best practices for administrator accounts.

2 Secondary Super Admin Access

Even a super admin account can be lost or compromised.  Should this happen, you need a way to perform critical admin tasks while you recover the super admin account.  You have a few options, as follows.

  • Create a second, dedicated, super admin account.  While this comes with a licensing cost, you are not giving additional privileges to other admins or users.
  • Assign super admin rights to an existing admin or user. You avoid any increased fees, but grant privileges which can be accidentally or intentionally misused. These privileges can include access to sensitive data, archives, and the ability to alter security settings.
  • Engage your cloud partner/reseller. If your cloud partner/reseller has the ability to recover super admin accounts and/or reset super admin passwords, make sure you have a service or support agreement in place that covers admin account password reset and account recovery.

3 Force Logout Super Admins

Day-to-day admin services can and should be performed by Admin accounts with permissions to perform specific sets of tasks. Use your Super Admin account for specific administrative and security tasks not permissioned to other Admin accounts.

As a Super Admin: Log in. Perform the specific task. Log out.

If possible, set your system to automatically log out Super Admin accounts if idle for a short period of time.

4 Privileged Access Management

Our final best practice to protect your admin account is Privileged Access Management, or PAM, which limits access to critical security and administrative functions. Permission is granted to specific functions, upon request by another Admin or the system, for a limited amount of time. Using PAM provides additional tracking of who/when/why for critical settings and tasks.
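One way to check the four practices above against an export of admin accounts and privileged-access grants. This is an added example, not code from the original post; the record fields, the 15-minute idle limit, the 4-hour grant ceiling, and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed thresholds: the article says only "a short period of time"
# and "a limited amount of time".
IDLE_LIMIT = timedelta(minutes=15)
MAX_GRANT = timedelta(hours=4)


@dataclass
class Account:                           # hypothetical export record
    name: str
    role: str                            # "super_admin" or "admin"
    mfa: Optional[str]                   # None, "totp" or "security_key"
    last_activity: Optional[datetime]    # None when no session is open


@dataclass
class Grant:                             # one privileged-access (PAM) elevation
    grantee: str
    function: str
    requested_by: str
    reason: str
    granted_at: datetime
    expires_at: Optional[datetime]       # None means a standing privilege


def audit(accounts, grants, now, partner_recovery=False):
    """Return (practice number, subject, finding) tuples in practice order."""
    findings = []
    # Practice 1: MFA everywhere, security key for super admins.
    for a in accounts:
        if a.mfa is None:
            findings.append((1, a.name, "no MFA enrolled"))
        elif a.role == "super_admin" and a.mfa != "security_key":
            findings.append((1, a.name, "super admin not using a security key"))
    # Practice 2: a second super admin, unless a partner/reseller
    # agreement covers super admin recovery instead.
    supers = [a for a in accounts if a.role == "super_admin"]
    if len(supers) < 2 and not partner_recovery:
        findings.append((2, "tenant", "no secondary super admin for recovery"))
    # Practice 3: super admin sessions must not sit idle.
    for a in supers:
        if a.last_activity is not None and now - a.last_activity > IDLE_LIMIT:
            findings.append((3, a.name, "idle super admin session still open"))
    # Practice 4: grants are time-boxed and record who asked and why.
    for g in grants:
        subject = f"{g.grantee}:{g.function}"
        if g.expires_at is None:
            findings.append((4, subject, "privilege has no expiry"))
        elif g.expires_at - g.granted_at > MAX_GRANT:
            findings.append((4, subject, "grant window longer than allowed"))
        if not g.requested_by.strip() or not g.reason.strip():
            findings.append((4, subject, "missing who/why for the grant"))
    return findings


# Constructed sample data, not taken from any real tenant.
NOW = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("root@example.com", "super_admin", "totp", NOW - timedelta(hours=2)),
    Account("helpdesk@example.com", "admin", None, None),
    Account("ops@example.com", "admin", "totp", NOW - timedelta(minutes=3)),
]
SAMPLE_GRANTS = [
    Grant("ops@example.com", "change-mfa-policy", "helpdesk@example.com",
          "ticket 1042", NOW - timedelta(hours=1), NOW + timedelta(hours=1)),
    Grant("ops@example.com", "export-archive", "", "",
          NOW - timedelta(days=30), None),
]

if __name__ == "__main__":
    for practice, subject, finding in audit(SAMPLE_ACCOUNTS, SAMPLE_GRANTS, NOW):
        print(f"practice {practice}: {subject}: {finding}")
```

Setting `partner_recovery=True` models the third option under Secondary Super Admin Access, where a partner or reseller agreement covers super admin recovery.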

Call To Action

Take a look at your cyber security. Complete our Rapid Security Assessment (free through June 2023) for a review of your basic security measures.

Contact us or schedule time with one of our Cloud Advisors to discuss your cyber security protections and/or your broader security needs, priorities, and solutions.

About the Author

Christopher Caldwell is the COO and a co-founder of Cumulus Global.  Chris is a successful Information Services executive with 40 years of experience in information services operations, application development, management, and leadership. His expertise includes corporate information technology and service management; program and project management; strategic and project-specific business requirements analysis; system requirements analysis and specification; system, application, and database design; software engineering and development, data center management, network and systems administration, network and system security, and end-user technical support.

5 Strategies for How Technology Can Improve Collaboration in the Workplace

A work environment that doesn’t encourage teamwork and collaboration is one of the top 5 reasons people quit their jobs, according to research by Ernst & Young. Many businesses face growing workplace collaboration needs with aging technologies, making it vital to ask the question, how can technology promote collaboration and teamwork?

We need modern technology for team solutions — secure, reliable, scalable, and cost-effective — that make workplace collaboration efficient, effective, and enjoyable.

Here are 5 Technology Strategies to Help Improve Workplace Collaboration

Workflows can be improved by digital collaboration in the workplace in a variety of ways. Here are five proven strategies how technology can improve collaboration in the workplace.

1. Use a Chat-Based Workspace to Improve Collaboration

Team members often get stuck waiting for the feedback and sign-off they need to drive a project forward. Back-and-forth scheduling for conference calls burns up time and energy. When they finally do get on a call, edit documents, and send out the revised versions, they’re often stuck waiting again for sign-off.

Workplace productivity changes when your team can quickly get coworkers and decision-makers on group or private chat, or in an online meeting with co-authoring. Teams can review, discuss, edit, and approve documents in real time, and workplace collaboration will vastly improve.

2. Improve Online Meetings

Technology mishaps should be a thing of the past, especially struggling to participate in virtual meetings.  Too often, difficulty with connections or the joining process interrupts and delays meetings. These problems discourage people from working together and create a barrier for our increasingly mobile workforce.

Empower employees to have better meetings with a single meeting application that integrates with the rest of your collaboration and productivity software.

A positive meeting experience produces positive results for you and your organization, which is another benefit of modern workplace technology for team collaboration.

3. Break Down Work Silos and Improve Collaboration

All too often, team members are heads-down in their work and unaware of the knowledge and efforts elsewhere in your business. Lack of information and duplication hurt morale and have a material cost to your business.

Using a social network tool brings conversations online. Your team uses social networking in their personal life; bringing a social tool into your business provides a means for your team to share ideas, information, and interests. With remote and hybrid workers, you can encourage and capture the informal conversations that foster collective intelligence, collaboration, and innovation.

4. Simplify File Sharing

Haven’t we had enough of emailing files and waiting for feedback and revisions? The process of juggling messages and multiple copies with edits is an inefficient relic from the days of typewriters and routing slips.

Take advantage of the collaboration features of cloud-based file services:

  • Access documents anywhere, whether online or offline
  • Collaborate in a single document that’s always up to date
  • Seamlessly share large files
  • Use built-in chat functionality to discuss edits within a document
  • Control permissions of contacts inside and outside the company

5. Move from a Patchwork of Apps to a Productivity Suite

In our new mobile society, we are accustomed to downloading apps at home and in the office. The result: a hodge-podge of applications that all do different things, have different sign-ins, and may not deliver the security and compliance you want and need. By utilizing productivity tools, you will be better prepared for changing work environments and will be able to collaborate more effectively with the assistance of modern technology.

Conclusion on How Technology Can Improve Workplace Collaboration

Moving to, and fully utilizing, a productivity suite gives your team the right digital tools to get their work done, the resources to communicate and collaborate, the integration to eliminate duplicate data and effort, and the security to protect your information, your people, and your business. Do not just deploy technology and hope for better workplace collaboration; help your team understand the apps, tools, and features they can use to be more efficient, productive, and successful.

For more on the topic, check out the eBooks and whitepapers in our Library. Better yet, schedule an introductory call and connect with our team of Cloud Advisors.

4 Approaches to Better Meetings and Effectiveness

Without a doubt, meetings remain an essential part of running your business. They ensure your teams stay on the same page with the information they need to get things done; they connect you with your customers; they help build stronger relationships. Unfortunately, meetings can also waste time and resources—ultimately costing your business.

Here are 4 Ways to Make Meetings More Effective

1. Define the need

The first step for how to make meetings more efficient comes down to defining the need. If you’re approaching meetings without a clear agenda they will often be unproductive.  In order to improve workplace meetings, ask yourself these 6 questions to determine whether a meeting is necessary.

  1. What is the action item of the meeting: decisive or informing?
  2. What is the size of the meeting?
  3. If the meeting is simply to inform a handful of people, can a memo or email share the information?
  4. Will the meeting solve a problem?
  5. Is there a better alternative, such as using a tool with real-time chat or team announcement features?
  6. Will canceling a meeting negatively impact your employees’ abilities to complete their work?

Once you’ve determined the answers to the six questions above, you’ll be one step closer to better meetings.

2. Simplify Meetings for Success

A positive meeting experience produces positive results for you and your organization.

  • Follow a clearly planned agenda to minimize distraction from your primary purpose and keep your meeting on track
  • Make your expectations crystal clear, and this includes expectations for meeting participation
  • Keep meetings short to improve how employees do their jobs and help steer tangential discussions back on track
  • Ensure all members understand their role to create accountability and produce better meetings

3. Meet like a pro

Lessons learned help improve success, particularly with growing use of inclusive and modern meeting technologies for collaboration. Below we describe approaches to planning meetings for more effectiveness.

  1. Provide a clear agenda
  2. Keep time in mind: start and end on time
  3. Ease the burden of note-taking by recording or capturing a transcription of the meeting
  4. Provide visuals to help members follow along
  5. Send a post meeting recap: Reiterate key discussions and decisions; thank members for participating
  6. Define clear action items and outcomes

Another strategy that you can use to meet like a pro is educating employees on what the 4 P’s of effective meetings are. Purpose, Product, People, and Process are the four Ps required to run an effective meeting. These serve as an excellent model for making meetings more effective and successful.

4. Manage online meetings

Online meetings are here to stay, and are a key way to improve work from home if you have any remote workers. If managed well with a proper approach, online meetings create new possibilities for involving team members and sharing information through digital collaboration.

  • Ensure everyone has the right technology, invites, and call-in info.  Make sure attendees will be able to see, hear, and speak clearly
  • Keep attendance focused on those that need to be there, avoiding unnecessarily large meetings
  • Welcome members and outline how you plan to manage interactions, who speaks when, and use of the chat window
  • Use the mute features to minimize distractions
  • Keep your meeting secure using passwords and other features
  • Reduce uncertainty by recording the meeting or keeping a transcript for future reference

Conclusion on How to Make Meetings More Effective

Meeting attendees will follow your lead, so make sure it’s a strong one. By continuously honing your meeting strategies and skills, monitoring what does and doesn’t work, and actively pushing to convert decisions into action, your meetings will become more effective over time.

For more on the topic, check out The Ultimate Meeting Guide. To review your meeting tools, conference room setups, and methods, schedule an introductory call and connect with our team of Cloud Advisors.

Phishing Attacks Spike Amid COVID-19 Crisis

It should be no surprise to you that we are seeing a surge in phishing and other cyber attacks, as criminals look to take advantage of the COVID-19 crisis. A sample of recent news reports illustrates the scope of the problem.

  • In April, the FBI issued a warning about COVID-19 stimulus package scams (CNET).
  • In mid-April, Google reported the daily volume of malware and phishing attack emails jumped to more than 18 million per day (The Verge).
  • Last week, TechRepublic reported a surge in phishing emails trying to exploit DocuSign and COVID-19.
  • Hackers are impersonating Zoom, Microsoft Teams, and Google Meet for phishing scams (The Verge 5/12/20).

Understand the Risk

The risk to your business, employees, and customers is greater at a time when your systems may be less secure.

If your employees are using home computers while following stay-at-home orders and guidance, your risk of falling victim to an attack is significantly greater.  Most home computers do not have commercial-grade, next-generation endpoint protections and many run outdated versions of the consumer-grade products installed.

CPR is Still the Best Practice

Our model remains the best, holistic method of avoiding attacks at the human and tech levels, and for responding should something slip through.

Communicate & Educate

  • Remind your employees to be on the lookout for suspicious emails, phone calls, and web links.
  • Encourage your team to get help and verification if a message or interaction appears or feels suspicious in any way (better safe than sorry).
  • Consider testing employees with simulated attack messages and identify those that may need additional training and guidance.

Prevent & Protect

  • Deploy multi-factor authentication (MFA) and, optionally, single sign-on (SSO) services to prevent the use of compromised accounts.
  • Install Advanced Threat Protection solutions for inbound and outbound email to catch phishing, ransomware, and other illegitimate messages.
  • Deploy “next generation” endpoint protection on computers and mobile devices to detect, prevent, and undo damage from dangerous files and applications.
  • Put Web and DNS protection services in place to prevent downloading attacks from hacked websites and identity impersonation.
  • Monitor the “dark web” for direct and third party breaches that may compromise your employees’ business accounts.
  • Take advantage of data loss prevention features built into G Suite and Microsoft 365, and consider tools to identify and prevent unauthorized access, permission errors, and data loss.
  • Eliminate the use of “shadow IT” services, particularly free or consumer-grade services by providing those capabilities to employees and making sure they know how to use them.

Restore & Recover

  • Ensure that you back up and can recover your data, regardless of location.  Your data is not just on your physical or virtual servers, it resides in your Microsoft 365 or G Suite environment, in SaaS applications like Salesforce, on desktops and laptops, and on mobile devices.
  • Put business continuity systems in place with affordable services that let you spin up and run images of your servers and workstations in a cloud data center while you recover your primary systems.
  • Have a breach response plan and service in place, as an increasing number of attacks are stealing information. Effective data breach response involves:
    • Forensic analysis and recovery
    • Legal compliance with reporting requirements
    • Legal strategies to minimize liability
    • Increased customer service demand
    • Communications with customers, stakeholders, and the media
    • A potential need to provide consumer protection services
    • Cyber Insurance claims management

Fortunately for most businesses, putting these protections in place is affordable and can be done with minimal impact on your employees and their productivity.  Understand your needs, assess the value proposition (include the risks and costs of doing nothing), and deploy a solution that is the best fit for your business.


Please contact us for assistance as you evaluate your risks, needs, priorities, and solutions.


 

Customer Notice: Email Advanced Threat Protection

(Updated January 20, 2020)

We continue to witness the devastating impact of ransomware, crypto attacks, and other forms of cyber attacks on our customers.  The recovery cost and frequency of attacks are increasing at alarming rates. The average cost for a small or midsize business (SMB) to fully recover from a cyber attack has increased to between $145,000 and $180,000. This includes loss of direct business, remediation costs, damage to reputation, and employee downtime.  At the same time, the number of ransomware attacks so far in 2019 has doubled when compared with the same period in 2018.

As your managed cloud service provider, we have told you that you “should” have more protections in place. Our position is changing: these protections are a “must”.

Multi-factor authentication (MFA) and email Advanced Threat Protection (ATP) are necessary, baseline services for protecting your business. 

Beginning April 1, 2020, we will require and will begin adding Advanced Threat Protection to all of our customers’ email service unless you specifically opt out. If you opt out, the cost of our data recovery efforts will not be covered under our unlimited support plans (See our Support Services SLA). When we add ATP to your service, we will discuss with you when we can add MFA.

We will mitigate the cost.

We are sensitive to your budget.

  • ATP requires a technical setup and typically incurs a setup fee along with the monthly or annual subscription.  We are discounting both the setup and subscription fees for all customers. For customers requesting Priority Opt-In, we will waive the ATP related setup fees completely.
  • MFA implementation is covered by our support plans as an administrative change.  If you do not have one of our support plans, we will provide an affordable, discounted quote for the project.
  • For customers without an unlimited support plan and/or those that choose to Opt-Out, we will discount our hourly fees for recovery work.

For more information on specific discounts and pricing, and to let us know if you want to Opt-In, to have Priority Opt-In, or to Opt-Out, please visit this web page and complete the form.

We realize that this is a significant change for most of our customers.  We also understand the importance of these protections.  Please contact us with questions or concerns.

Thank you for being part of our community,
Allen Falcon
CEO & Pragmatic Evangelist

Top File Sync and Share Cloud Services and Best Practices

File Sync and Share Cloud Services

One of the most popular cloud applications for small and mid-size enterprises is file sync-and-share. File Sync and Share (FSS) cloud services, also known as cloud storage and file sharing services, are online platforms that allow users to store, synchronize, and share files and data across multiple devices and with other users. These services are designed to provide a seamless and efficient way to access and manage files from anywhere with an internet connection.

It makes sense: people need to share files, and most file sync-and-share services are easy to install and use. If not properly managed, however, file sync-and-sharing can result in data breaches and loss and can place your company in legal jeopardy. To minimize these risks, we recommend all businesses enact a simple set of policies that are easy to communicate, explain, and follow.

8 of the Best File Sync and Share Cloud Services

  1. Dropbox: One of the pioneers in the cloud storage industry, Dropbox allows users to store and share files, collaborate on documents, and synchronize data across devices. It offers various plans for personal and business use.
  2. Google Drive: Provided by Google, Google Drive offers a generous amount of free storage space and integrates seamlessly with other Google services like Google Docs, Sheets, and Slides for real-time collaboration.
  3. Microsoft OneDrive: Integrated with the Microsoft Office suite, OneDrive is designed to work smoothly with Microsoft products, making it an excellent choice for users who heavily rely on Office applications.
  4. Box: Box is primarily focused on business and enterprise users, providing robust security features and collaboration tools tailored for corporate environments.
  5. Apple iCloud Drive: Geared toward Apple users, iCloud Drive enables seamless synchronization of files across macOS, iOS, and Windows devices.
  6. Amazon Drive: Amazon Drive is part of Amazon’s suite of managed cloud services and offers a straightforward cloud storage solution for individuals and businesses.
  7. Sync.com: Known for its strong emphasis on security and privacy, Sync.com provides end-to-end encryption and compliance with various privacy regulations.
  8. pCloud: pCloud is known for its client-side encryption and the ability to extend storage by linking multiple accounts.

These services typically offer a certain amount of free storage space, with the option to purchase additional storage through subscription plans. They often include features like file versioning, selective synchronization, sharing controls, and collaboration tools to enhance productivity.

When choosing a File Sync and Share cloud service, consider factors such as storage capacity, security measures, compatibility with your devices and operating systems, collaboration features, and pricing options. Also, be aware of the terms of service and the provider’s approach to data privacy and security to ensure that it aligns with your needs and requirements.

Best Practices: Policies for Using File Sync-and-Share Services

To make the most of File Sync and Share (FSS) cloud services while maintaining security and efficiency, consider implementing the following best practices:

  • Employees may use file sync-and-share services, provided they have a business need to do so, use only company approved and managed services, and adhere to company policies.
  • Only company approved services should be used for file storage and sharing; employees may not use free, consumer, or public apps or services.
  • Employees must keep their usernames and passwords for file sync-and-share services secure, and must manage these passwords in accordance with company policies.
  • Only relevant business information may be stored or shared using the company’s file sync-and-share services.
  • Unless otherwise instructed, file sync-and-share services are intended for temporary sharing of files. Original versions of files should reside on company file servers or services.
  • Access to files should be removed, particularly by external parties, when no longer necessary.
  • Copyrighted, private, or secure information should only be shared if both the sender and recipient are authorized to view and/or use the information. This information should be encrypted by the file sync-and-share service, or a separate tool, before it is shared.
  • The company’s file sync-and-share services are subject to central administration and management, including access controls and permissions.
  • Use of the company’s file sync-and-share services is subject to all relevant company policies regarding professional and personal conduct. The company’s file sync-and-share services are subject to company monitoring in accordance with company policies.

With these policies in place, you can provide employees with vetted file sync-and-share services that both meet employees’ needs to share and collaborate, while protecting your data, your regulatory compliance, and your business.

Why Google Changed the Mobile Search Game

Guest Post: Matt Ward
President/CEO of inConcert Web Solutions

In case you are not aware, Google changed the game on April 21st as it pertains to search results on mobile devices.  With the changes, which Google announced in February, mobile search results give preference to sites that are mobile friendly.

To be frank, Google rarely ever tells the public that there will be an update.  They are very secretive about their algorithm, keeping their secret sauce a secret to prevent anybody from “gaming” the algorithm. With these changes, Google clearly wants businesses to use best practices.  Google stated that they made these changes to improve the overall user experience on mobile devices, as mobile is becoming increasingly the method by which users access the internet and search for goods and services.

Fact and Fiction

With all the hype about “mobilegeddon”, let’s separate fact from fiction.

  • Fact:
    • They set the date, and rolled out the new algorithm on April 21st
    • They created a huge buzz
  • Fiction:
    • Your site will be banned from Google
    • This change also affects the desktop search
    • Google will call you to sell you an upgrade

Best Practices

Since you need to make sure your site is mobile-friendly, let’s talk about a few best practices:

  • Contact your current web developer and ask questions about your site and any changes that have been, or should be made.
  • Don’t rely on cold calls from strangers to guide you on this change.  There are a lot of self-proclaimed “experts” calling into companies with no knowledge of their websites. These are typically automated robo-calls that imply that Google is calling. Google is not going to call you about updating your web site.
  • Test your website to be sure it’s mobile-friendly.
    • If it passes, great!
      • Test your site again every quarter.
      • Things change in mobile devices and technology; don’t assume if you test it once, it’s not going to ever change.
    • If not, focus your web efforts on getting your site converted.
      • It may cost less to produce a new, mobile-friendly website than to convert your existing site.
      • There are many paths to a mobile friendly site.  The cheapest path is not always the most cost-effective.
    • Focus your mobile-friendly version on driving calls to action, either clicks or calls.
      • Most site visitors on cell phones want to click and call a business, which is often easier than web surfing on a small screen.
      • Make sure your menu structure is clean and easy to follow.
      • Your most important information and calls to action should show up first

With some testing and updating, you can ensure that not only will your site be found by Google’s mobile search, but that visitors will enjoy visiting your site.


If you want to speak with an expert, please contact Matt and his team at inConcert Web Solutions. Specializing in web design & development, maintenance & marketing plans, and print & promotional services, the team at inConcert will gladly help you choose the best approach for your site and your business. 


 

 

 

Microsoft Acknowledges Security Best Practice Failures


It was an easy post to miss in the run up to the Thanksgiving holiday.  On November 25, we posted the results of an Electronic Frontier Foundation (EFF) survey detailing how Microsoft fails to meet 4 out of 5 security best practices for its cloud service data centers and its customers’ data (Google and Dropbox were the only vendors surveyed that meet all 5 criteria).

This week, Microsoft acknowledged that not all customer data is encrypted in their data centers — at rest, or in transit within and between data centers.  In a ZDNet article dated December 5th, Chris Dunkett reports that Microsoft will not fully protect stored user data until the end of 2014.

The article also quotes Brad Smith, Microsoft general counsel and executive vice president, legal and corporate affairs, stating that Microsoft will work “…with other companies across the industry to ensure that data traveling between services — from one email provider to another, for instance — is protected.”  Microsoft is acknowledging that they currently do not run STARTTLS services, an industry security best practice.

Microsoft actively positions itself as the “enterprise knowledgeable” competitor to a “consumer-centric” Google, pointing out how Microsoft runs its own large data centers. Once again, however, Microsoft fails to realize that the methods and practices used to run their own data centers do not translate to multi-tenant data centers hosting customer data.