Posts

Zoom Privacy Policy is a Risk

Updated 4/05/20

Updates:

  • 5/05/20: Zoom posted an updated Privacy Policy, backdated to 3/29/2020. This policy clarifies Zoom’s actions and intents and changes some terms and conditions, indicating that Zoom is now doing the right thing with your personal data. Zoom has also expanded users’ ability to use passwords and waiting rooms to control meeting access. We still recommend reviewing the policy and using the “do not sell” process. We also recommend using the conferencing systems within your productivity suite, Office 365 or G Suite, as these are secure and integrate with your email, calendar, and file services.
  • 4/01/20: MIT Tech Review summarizes the security issues with Zoom, including information about a Class Action Lawsuit.
  • 3/31/20: Vice.com reports that Zoom is leaking personal emails and photos to strangers.
  • 3/31/20: The Intercept reports that Zoom is not using End to End Encryption as claimed in their marketing materials and user interface. 
  • 3/31/20: New York Times reports that Zoom, the videoconferencing app whose traffic has surged, is under scrutiny by the New York attorney general’s office for its data privacy and security practices.
  • 3/30/20: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic

On March 18, 2020, Zoom.us posted changes to its privacy policy that impact all users, even those without accounts who attend meetings as guests. This change follows a dramatic increase in Zoom users (and stock price), as Zoom has been offering its services for free to many businesses and schools.

Under this version of Zoom’s privacy policy, Zoom is collecting more information, in our assessment, than is necessary to provide users with the service. Zoom also acknowledges providing this information to third parties. The information Zoom is collecting includes, but is not limited to:

  • Name, physical address, and other similar personally identifying information
  • Information about your job, such as your title and employer
  • Your Facebook profile information (when you use Facebook to log in to Zoom or to create a Zoom account)
  • General information about your product and service preferences (including software installed and/or in use on your computer)
  • Information about your device

Per Zoom’s policy, downloading and using the Zoom app provides Zoom with consent to share any personal information they collect with third parties.

In reference to the use of third-party services, the policy states:

“We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services).”

In other words, Zoom may use the personal information of any person using their services to market to that person across their use of the Internet.

Additionally, we do not see any effort by Zoom to determine the age of individuals using the service, so they are likely collecting and using the personal information of children.

Vice.com is reporting that Zoom’s iOS app sends data to Facebook even if you do not have a Facebook account.

Impact

Our current assessment of the impact is as follows:

  • Data collection is based on the way each meeting participant enters the meeting. Even if the organizer is on a paid and secure business or education edition, meeting attendees using the free client or entering as a guest are subject to data mining and sharing.
  • For businesses and schools, some of the data Zoom collects and shares is prohibited under the Children’s Online Privacy Protection Act (COPPA).
  • For schools and libraries, not using the K12 version of Zoom for faculty and students may result in violations of the Children’s Internet Protection Act (CIPA).
  • Zoom does provide a means for users to instruct Zoom to “Do not Sell” their personal information. This helps with California Consumer Privacy Act (“CCPA”) and EU General Data Protection Regulation (“GDPR”) compliance. It may not be practical to advise all meeting attendees of this option.

In short, Zoom’s privacy policy may conflict with your business’ privacy policy and how you manage and respect your customers and their data. The policy may also create regulatory and legal issues.

Recommendations

If your organization uses G Suite or Microsoft Office 365, you already have the ability to securely conduct audio and video conferencing with services that do not mine and share attendee data.

  • G Suite
    • Hangouts Meet (the new service) is secure and HIPAA compliant. Individuals outside your organization can join via a shared URL without providing personal information. Through June 2020, Google has enabled all G Suite users to conduct meetings with up to 250 participants and provided organizers with the ability to record meetings. Participants can mute their own audio/video and can present to the meeting. Meetings include dial-in numbers and PINs to allow access from phones.
    • Participants can join via web browser or use the free iOS and Android apps.
    • Traditional Hangouts and Chat, while not HIPAA compliant, are still secure and work within organizations and with guests.
  • Office 365
    • Teams (and formerly Skype for Business) is a secure video/audio conferencing service with screen sharing, waiting rooms, and other helpful features.  As with all of Office 365, Teams can be deployed to meet HIPAA compliance. Teams does not collect and share personal information.
    • Teams, by default, is device-to-device conferencing. You can add the ability for individuals to connect by phone for a small monthly fee for each meeting organizer that needs this function.
    • Participants can join via web browser, or use the free apps for Windows, Mac, iOS, and Android.

Before adding another service or tool for audio/video conferencing, take full advantage of the services you have. Contact us if you need help with user training and support.

If you are not using G Suite or Office 365, several communications and conferencing services are offering secure, free access for up to 90 days.  These include, but are not limited to, Dialpad, UberConference, Ring Central, and Cisco WebEx. Please contact us for help selecting and deploying the right service for you and your teams.

 

Data Protection

Customer Notice Update: Email Advanced Threat Protection

Given the demand and need to improve your protection from the devastating impact of ransomware, crypto attacks, and other forms of cyber attacks, we are extending the Advanced Threat Protection Priority Opt-In discount period through March 2020. We understand that adding a service, even a critical service, impacts your budget and costs. Our Priority Opt-In discounts, and other measures (see below), are intended to minimize the impact.

Email Advanced Threat Protection (ATP) and Multi-factor authentication (MFA) are necessary, baseline services for protecting your business.

Beginning April 1, 2020, we require Advanced Threat Protection for all of our customers’ email service, unless you specifically opt out. Opting out is appropriate if you already have an advanced threat protection service in place.

If you opt out, the cost of our data recovery efforts will not be covered under our unlimited support plans (See our Support Services SLA). When we add ATP to your service, we will discuss with you when we can add MFA.

We will mitigate the cost.

We are sensitive to your budget.

  • ATP requires a technical setup and typically incurs a setup fee along with the monthly or annual subscription.
  • We are discounting both the setup and subscription fees for all customers. For customers requesting Priority Opt-In, we will waive the ATP related setup fees completely.
  • MFA implementation is covered by our support plans as an administrative change. If you do not have one of our support plans, we will provide an affordable, discounted quote for the project.
  • For customers without an unlimited support plan and/or those that choose to Opt-Out, we will discount our hourly fees for recovery work.

For more information on specific discounts and pricing, and to let us know if you want to Opt-In, to have Priority Opt-In, or to Opt-Out, please visit this web page and complete the form.

We realize that this is a significant change for most of our customers. We also understand the importance of these protections. Please contact us with questions or concerns.

Thank you for being part of our community,
Allen Falcon
CEO & Pragmatic Evangelist

Data Protection

Customer Notice: Email Advanced Threat Protection

(Updated January 20, 2020)

We continue to witness the devastating impact of ransomware, crypto attacks, and other forms of cyber attacks on our customers. The recovery cost and frequency of attacks are increasing at alarming rates. The average cost for a small or midsize business (SMB) to fully recover from a cyber attack has increased to between $145,000 and $180,000. This includes loss of direct business, remediation costs, damage to reputation, and employee downtime. At the same time, the number of ransomware attacks so far in 2019 has doubled when compared with the same period in 2018.

As your managed cloud service provider, we have told you that you “should” have more protections in place. Our position is changing: these protections are a “must”.

Multi-factor authentication (MFA) and email Advanced Threat Protection (ATP) are necessary, baseline services for protecting your business. 

Beginning April 1, 2020, we will require and will begin adding Advanced Threat Protection to all of our customers’ email service unless you specifically opt out. If you opt out, the cost of our data recovery efforts will not be covered under our unlimited support plans (See our Support Services SLA). When we add ATP to your service, we will discuss with you when we can add MFA.

We will mitigate the cost.

We are sensitive to your budget.

  • ATP requires a technical setup and typically incurs a setup fee along with the monthly or annual subscription.  We are discounting both the setup and subscription fees for all customers. For customers requesting Priority Opt-In, we will waive the ATP related setup fees completely.
  • MFA implementation is covered by our support plans as an administrative change. If you do not have one of our support plans, we will provide an affordable, discounted quote for the project.
  • For customers without an unlimited support plan and/or those that choose to Opt-Out, we will discount our hourly fees for recovery work.

For more information on specific discounts and pricing, and to let us know if you want to Opt-In, to have Priority Opt-In, or to Opt-Out, please visit this web page and complete the form.

We realize that this is a significant change for most of our customers. We also understand the importance of these protections. Please contact us with questions or concerns.

Thank you for being part of our community,
Allen Falcon
CEO & Pragmatic Evangelist

Cloud Management

Security Drives Need for Cloud Management

In a recently published report, one of Forrester Research’s five key cloud predictions for 2020 is that cloud management providers will tackle cloud security. With the Capital One breach, the first major breach in a public cloud, the industry has a new focus on securing public cloud services. Small and midsize businesses (SMBs) are more likely to use public cloud services than specialty providers and private clouds. As such, SMBs need to focus on cloud management.

Effective cloud management can prevent holes in your security protections and save you money.

Cloud management, as a practice, formalizes access, licensing, usage, security, and spending for your cloud services. Instead of focusing on each cloud application or service independently, Cloud Management as a practice oversees and manages the big picture.

Seven key components of Cloud Management are:

  1. Document which cloud services are needed and used based on each person’s role within the organization
  2. Based on need, determine the level of access for each person/group based on their roles and responsibilities
  3. Understand and document subscription and licensing rules for each service, to ensure you can optimize subscriptions and spend
  4. Create standardized on-boarding work flows to ensure new employees and those changing roles are
    • Provided access to only the cloud services they need
    • Are assigned appropriate access to features, functionality, and data within each system
    • Access to data is consistent across cloud services
  5. Create standardized off-boarding work flows to ensure:
    • All cloud services accounts are deactivated, preventing orphan accounts from being left open
    • Data within each cloud service is archived or transferred to other user(s), preventing data loss
    • Cloud subscriptions/licenses are modified to prevent unnecessary costs
  6. Track licensing and subscriptions to:
    • Adjust your subscriptions to match your need, as allowed by each cloud service
    • Identify and remove unused licenses
    • Understand and manage your spending
  7. Actively search for, identify, and manage use of unauthorized cloud services to:
    • Minimize or eliminate “Shadow IT” risks with respect to security, data loss, and compliance
    • Identify and move users from duplicate services to authorized services
    • Provide training on authorized apps and services, preventing the need to use other services
    • Identify cloud services needed or wanted by staff, but not yet available through an authorized app or service
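As an added illustration of components 2, 4, 5, 6, and 7 (this is example code, not Cumulus Global’s tooling), the Python script below reconciles an HR roster and role entitlements against per-service account exports. It flags active accounts that belong to people no longer on the roster (orphans), accounts outside what a role is entitled to, licenses unused for more than 90 days, and accounts on services that are not in the approved catalogue. The roster, service names, user addresses, export fields, and the 90-day window are all assumptions constructed for the example; in practice they come from the HR system and each service’s admin export.

```python
"""Added example: reconcile an HR roster, role entitlements, and cloud-service
account exports. All data below is constructed for illustration."""
from datetime import date, timedelta

TODAY = date(2020, 3, 1)      # assumed "as of" date for the account exports
UNUSED_AFTER_DAYS = 90        # assumed threshold for calling a license unused

# Constructed HR roster: current status and role for each person.
ROSTER = {
    "alice@example.com": {"role": "sales", "status": "active"},
    "bob@example.com": {"role": "finance", "status": "active"},
    "carol@example.com": {"role": "engineering", "status": "terminated"},
}

# Constructed role-to-service entitlements (components 1 and 2).
ENTITLEMENTS = {
    "sales": {"crm", "email"},
    "finance": {"accounting", "email"},
    "engineering": {"email", "source-control"},
}

# Constructed account exports, one row per (service, account).
ACCOUNTS = [
    {"service": "email", "user": "alice@example.com", "active": True, "last_login": TODAY - timedelta(days=1)},
    {"service": "crm", "user": "alice@example.com", "active": True, "last_login": TODAY - timedelta(days=120)},
    {"service": "email", "user": "bob@example.com", "active": True, "last_login": TODAY - timedelta(days=2)},
    {"service": "accounting", "user": "bob@example.com", "active": True, "last_login": TODAY - timedelta(days=3)},
    {"service": "source-control", "user": "bob@example.com", "active": True, "last_login": TODAY - timedelta(days=10)},
    {"service": "email", "user": "carol@example.com", "active": True, "last_login": TODAY - timedelta(days=40)},
    {"service": "source-control", "user": "carol@example.com", "active": False, "last_login": TODAY - timedelta(days=45)},
    {"service": "file-share-x", "user": "alice@example.com", "active": True, "last_login": TODAY - timedelta(days=5)},
]


def reconcile(roster, entitlements, accounts, today=TODAY):
    """Return findings per check, each a list of (service, user) tuples."""
    findings = {"orphan": [], "over_entitled": [], "unused_license": [], "unapproved_service": []}
    approved = set().union(*entitlements.values())  # the authorized service catalogue
    for acct in accounts:
        svc, user = acct["service"], acct["user"]
        if svc not in approved:
            # Component 7: a service no role is entitled to, i.e. shadow IT
            findings["unapproved_service"].append((svc, user))
            continue
        if not acct["active"]:
            continue  # already deactivated; nothing to reconcile
        person = roster.get(user)
        if person is None or person["status"] != "active":
            # Component 5: account still open after the person left
            findings["orphan"].append((svc, user))
            continue
        if svc not in entitlements.get(person["role"], set()):
            # Component 4: access beyond what the role needs
            findings["over_entitled"].append((svc, user))
        if (today - acct["last_login"]).days > UNUSED_AFTER_DAYS:
            # Component 6: a license that is paid for but not used
            findings["unused_license"].append((svc, user))
    return findings


if __name__ == "__main__":
    for check, items in reconcile(ROSTER, ENTITLEMENTS, ACCOUNTS).items():
        for svc, user in items:
            print(f"{check:20} {svc:16} {user}")
```

Run against the constructed data, the script reports Carol’s still-active email account as an orphan, Bob’s source-control account as outside the finance role, Alice’s CRM license as unused, and the unapproved file-sharing service Alice is using. Each finding maps to one of the workflows above (deactivate, adjust access, release the license, or move the user to an authorized service).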

By applying the basic tenets of cloud management you can reduce your security risks, optimize your services and licensing, and better manage your spend.


Cumulus Global offers Cloud Management tools and services.  Contact us for a free, no obligation Cloud Advisor session to learn more.


 

Cyber Threat Series Overview

Protecting your network, systems, apps, data, and people is no easy task as the scope and variety of attacks continue to multiply. You want and need protection, but must make smart buying decisions. Too little or too much means higher risk or unnecessary cost.

We see your business as a target not because we know cyber criminals have you in their sights, but because most cyber attacks throw a wide net and catch those who are unprepared. Appropriate measures to prevent, protect against, and respond to cyber attacks have business value and should be part of your IT strategy and plans.

As a series of blog posts, this Cyber Threat Series intends to educate and inform. We will cover the types of risks and attacks and how to prevent them. We discuss solutions. We take a pragmatic approach that respects priorities and budgets.

Topics will include


Contact us to discuss your cyber threat protections. The Cloud Advisory session is complimentary and without obligation.


 

Dark Web Threat Alerts

When Your Identity is on the Dark Web

As a courtesy to our existing clients and prospective clients, we have been running complimentary Dark Web Summary Scans of their domains. These summary scans tell us how many email addresses from each domain currently appear on dark web and identity theft websites. We can then perform a more detailed scan and analysis to identify the specific user identities.

The results are fascinating.

Of 200 domains recently scanned:

  • 87.4% had at least one potential identity compromised
  • The average number of potentially compromised identities is 41%
  • 16% of the companies had more exposed identities than users, indicating breaches occurred from multiple sources

What does this mean?

Just because employee@yourcompany.com appears on a dark web or identity theft site does not mean that the user account on your system has been breached.

It does mean, however, that a breach is likely. And, the more exposed identities for your domain, the greater the risk.

How does it work?

Chances are, your employees are using their work email address, employee@yourcompany.com, as their login identity for other systems.  These other systems are often work related services like Uber, Dropbox, online banking, credit cards used for business expenses, etc. Studies show that about 80% of people use the same or substantially similar passwords across systems.

If there is a data leak or breach at one of these third party services, hackers will test the identity on other systems.  If you have an employee whose email and password were leaked in one of the Dropbox incidents, for example, cyber criminals will test that email address and password, along with similar passwords, across common services like G Suite, Office 365, Facebook, LinkedIn, Instagram, and others.

A compromised identity on a third party service can easily lead to a breach of your systems.

What to do:

  • Get the Details:
    Get a detailed scan on your domain to clearly identify which user identities are exposed and at risk.
  • Mitigate Your Risk:
    Work directly with identified staff to reset passwords. Run additional scans on their systems for malware.
  • Communicate:
    Educate, train, and guide users on the risk of identity breach and how to avoid becoming a victim. Provide guidance, coaching, and policies around the use of company email addresses on other systems and best practices for password selection and management.
  • Challenge:
    Periodically test your employees using “honeypot” and “sandbox” methods to determine who is following best practices and who remains susceptible to attack.
  • Monitor:
    Monitor your domain, and personal accounts of key executives, for future issues and respond accordingly.
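As an added example (not part of the original post and not Cumulus Global’s scan service), the Python script below triages a detailed exposure report against the company’s account directory, following the “Get the Details” and “Mitigate Your Risk” steps: it groups exposure records by identity, separates current users from addresses that no longer have accounts, assigns a follow-up action depending on whether a password was part of the leak, and computes the domain-level figures the post describes. The report format, field names, addresses, and breach-source labels are constructed assumptions; the “more exposures than users” flag interprets the post’s comparison as counting exposure records rather than unique addresses.

```python
"""Added example: triage a dark-web exposure report against the account
directory. The report rows and directory below are constructed."""
from collections import defaultdict

# Constructed directory of accounts that currently exist on our systems.
DIRECTORY = {"ann@example.com", "ben@example.com", "cat@example.com", "dan@example.com"}

# Constructed exposure report: one row per (identity, breach source).
# "password" records whether the leaked data included a password or hash.
REPORT = [
    {"email": "ann@example.com", "source": "breach-A", "password": True},
    {"email": "Ann@Example.com", "source": "breach-B", "password": False},
    {"email": "ben@example.com", "source": "breach-A", "password": False},
    {"email": "old@example.com", "source": "breach-C", "password": True},   # former employee
    {"email": "ann@example.com", "source": "breach-D", "password": True},
    {"email": "cat@example.com", "source": "breach-B", "password": True},
    {"email": "someone@other.example", "source": "breach-A", "password": True},  # not our domain
]


def triage(report, directory, domain="example.com"):
    """Return (actions per identity, domain summary)."""
    by_identity = defaultdict(list)
    for row in report:
        email = row["email"].strip().lower()          # normalise before matching
        if email.endswith("@" + domain):
            by_identity[email].append(row)

    actions = {}
    for email, rows in by_identity.items():
        sources = {r["source"] for r in rows}
        leaked_password = any(r["password"] for r in rows)
        if email not in directory:
            # No current account: make sure it really is disabled, nothing to reset
            action = "confirm account is disabled"
        elif leaked_password:
            # Credential is in circulation: reset, require MFA, check the device
            action = "force password reset, enforce MFA, scan device for malware"
        else:
            # Address only: warn the user and check for password reuse
            action = "notify user and confirm no password reuse"
        actions[email] = {"sources": len(sources), "action": action}

    users = len(directory)
    records = sum(len(rows) for rows in by_identity.values())
    exposed_current = len(set(by_identity) & directory)
    summary = {
        "users": users,
        "exposed_identities": len(by_identity),
        "exposed_current_users": exposed_current,
        "exposure_records": records,
        "exposure_ratio": round(exposed_current / users, 2),
        "more_exposures_than_users": records > users,   # several leaks per identity
    }
    return actions, summary


if __name__ == "__main__":
    actions, summary = triage(REPORT, DIRECTORY)
    for email, info in sorted(actions.items()):
        print(f"{email:22} sources={info['sources']}  {info['action']}")
    print(summary)
```

The “sources” count is what tells you how often an identity has been exposed; an address appearing in several independent breaches is the signal behind the post’s “more exposed identities than users” observation and is the one to prioritise for a reset.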

Next Steps

Your best next step is to contact us (email or web) to

  1. Request a detailed Dark Web Scan
  2. Discuss security education and testing services
  3. Set up ongoing monitoring for your domain

 

 

Quickbooks

The QuickBooks Hosting Challenge

QuickBooks is the leading accounting package for small business. And yet, many businesses cannot run QuickBooks Online, the Software-as-a-Service (SaaS) version. Whether the online versions lack industry-specific features you need, or you have integrated third party tools/add-ons, staying with an on-premise version of QuickBooks remains the best solution for your business.

As you move to the cloud, hosting your QuickBooks Pro, Premier, or Enterprise system makes sense. You keep the version of QuickBooks you need and improve accessibility, reliability, security, and resiliency from system failures and disasters.

In general, we find two levels of common QuickBooks hosting options. Looking at these services more closely, we find these services often fail to meet basic needs without expensive upgrades.  Fortunately, we have a third option designed to deliver the business value you need and want.

Basic

Basic QuickBooks hosting services run between $27 and $30 per user per month, with you purchasing and providing the QuickBooks license key. These services start with 1 GB of storage, with fees for added storage that add up quickly. Adding the storage you need for reports, exports, etc., can easily increase the cost to the $75-$90 per user per month range. More importantly, your instance of QuickBooks is running on shared servers and on a shared network. As such, you have greater risk of performance issues, security breaches, and outages. In this type of multi-tenant environment, the actions of others can impact your business. These services offer backup, usually once per day, with a fixed retention period of 7, 14, 30, or 90 days, depending on the service.

Better

The better QuickBooks hosting services cost between $49 and $60 per user per month, with you purchasing and providing the QuickBooks license key.  These services also start with 1 GB of storage with fees that add up when you need more space. Typical fees quickly creep up to the $95 to $120 per user per month range.  The main difference is that these services generally run your version of QuickBooks on a dedicated server, but still run on a shared network. While this does reduce the chance of interference from other tenants, this model still has your service running in the same security envelope as other companies. You still have a risk. Like the basic services, you have a once per day backup with a fixed retention period that varies with each service provider.

Best

The best solution for hosting QuickBooks will use your license of QuickBooks in the following environment:

  • Dedicated server
  • Private network
  • A usable amount of storage included (100 GB or more)
  • Flexible backup schedules and retention plans
  • Easy access from desktops, laptops, tablets, and smartphones
  • Access to Excel (MS Office) in the hosted environment

With this type of setup, you are more secure and will have better performance and greater reliability.

The good news is that we can build you this type of environment at a cost comparable to other services, and we can integrate your QuickBooks environment with your Office 365 or G Suite service.


If you are interested in learning more about QuickBooks hosting options, please contact us for a free Cloud Advisor session.


 

Rules and Regulations

Rules, Regulations, and Results

For Small and Midsize Enterprises (SMEs), the regulatory landscape remains in a perpetual state of flux, with changes originating at the Federal, state, and local levels. While some rules and regulations can severely impact your business’ operations and profitability, many create requirements that you can easily satisfy at a nominal cost.

Three regulations with upcoming deadlines or increased enforcement include:

HIPAA

HIPAA compliance is a requirement for any organization that works with personal health information of individuals — not just medical offices and insurance firms. If you are sharing employee information about benefits, insurance coverage, medical leaves, or other items that involve personal health information (PHI), you have an obligation to protect the PHI. Failure to do so can result in heavy fines and, in a few instances, criminal charges.

Historically, HIPAA compliance has focused on medical practices, insurance, and brokers. We are starting to see audits of non-medical companies, along with fines for those not in compliance. 

Fortunately, you can protect PHI by focusing on the individuals that are authorized or likely to handle sensitive employee information.  By focusing on HR, payroll, and key executive and leadership roles, you can deploy services like message-level email encryption.

What to do:

  • For as little as $5 or $6 per user per month, you can ensure that specific individuals protect PHI and sensitive information while preventing accidental disclosure
  • Contact us for information about encryption, DLP, and other HIPAA solutions.

ELD

Starting December 18, 2017, all interstate trucks in the US must use an Electronic Logging Device (ELD) to track operations and required reporting.  According to the US Department of Transportation (USDOT), fewer than 1/3 of interstate trucks have installed ELDs as of mid-November. Failure to comply can result in heavy fines, impounding of vehicles, and disruption of delivery schedules.

While enforcement is not expected to impact small and midsize trucking firms until late spring or summer of next year, your business can still be at risk.

Here are a few things to note:

  • If you have your own truck(s), they may be classified or registered as Interstate Trucks, even if you only deliver within your state.
  • If you use third parties for shipping, their failure to comply can disrupt your deliveries if trucks are stopped or impounded, or if drivers are pulled off the road.

What to do:

  • Check your own vehicles:
    • Determine if they are properly registered as Interstate Trucks, or if they should be registered as such
    • If you do not have ELDs yet, please contact us for low cost, self-install ELDs with logging software subscriptions
  • Check with your shipper(s):
    • Confirm their trucks, those of their subcontractors, and any owner/operators are properly registered and have ELDs
    • If not, have them contact us for help

GDPR

On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) takes effect. While GDPR covers data protection and privacy for citizens of EU member states, treaties allow enforcement actions against US companies operating within the US.

If you have any personal data for citizens of EU member states, you are responsible for GDPR compliance.

GDPR means more than encrypting sensitive data.  GDPR includes processes and procedures for governance, including:

  • A named Data Protection Officer (DPO) responsible for oversight, compliance, and response to individual inquiries. The DPO role can be full time or part time, internal or contracted.
  • You must report suspected breaches within 72 hours of becoming aware of the issue.
  • You need to deploy privacy by design — any new system or change in systems requires primary consideration of privacy and information security.
  • You must be able to demonstrate that you mitigate risk, even in the absence of a privacy breach.

Fortunately, for most SMEs the appropriate policy changes and risk-mitigation technologies need not be expensive or complicated.

What to do:

  • Discuss GDPR with your team, and your legal counsel, to determine your required compliance
  • Provide training, education, and “cultural support” for a data privacy mindset within your organization
  • Review systems storing or processing personal information for security and privacy compliance
  • Select and deploy relevant data loss prevention (risk mitigation) solutions for your environment

Need help? Contact us for more information.


 

Google Drive

Team Drives Launches for G Suite Business, Enterprise, & Education

Most file storage solutions weren’t built to handle the explosion of files that are now created and shared in the cloud — because they were initially designed for individuals, not teams. With this amount of shared data, admins need more controls to keep their data safe and teams need to feel confident working together. Team Drives deliver the security, structure and ease-of-use enterprises need by making it easy to:

  • Add new team members. You can manage team members individually or with Google Groups and give them instant access to relevant Team Drives.
  • Keep track of your files if a team member leaves. Team Drives are jointly owned by the team, which means that anything added to Team Drives stays there no matter who comes or goes. Whirlpool Corporation, for example, uses Team Drives to manage file access. Says Troy McKim, Collaboration Principle at Whirlpool Corporation, “If you place files for a project in Team Drives, you don’t have to worry about losing them or moving them when files are re-owned.”
  • Understand and manage sharing permissions. Team members automatically see the same files regardless of who adds or reorganizes them. You can also manage share permissions by defining the restrictions for editing, commenting, reorganizing or deleting files.
  • Manage and view Team Drives as an admin. Admins can see Team Drives for a user and add new members if necessary: “Team Drives also ease the speed at which a team member can onboard and become effective in their new role,” says McKim.

Team Drives are now generally available to all of our G Suite Business, Education, and Enterprise customers.