As today’s companies are increasingly tending to run their business on the basis of digital assets, information security has become an even more critical factor of the business model, as it protects the most essential asset: information.

We know that security is not a goal, but rather a process. As such, prevention and constant reinforcement of the outer edge of the corporate system are vital elements in the defense of assets in cyberspace.

But despite this, contingencies occur, and the risk of suffering a security breach must always be considered. So let’s look at what action we should take in the face of this type of scenario to overcome a situation in which the organization’s resources could be compromised.

Here 5 steps to take after a company is infected:

Step 1: Determine the scope of the infection

Time and time again, companies that have been victims of infections assess the traces of the impact just by using their intuition, rather than by means of an analytical examination of the problem. Clearly, after detecting an infection at the company, reaction speed is extremely important. However, hurrying to make groundless appraisals can divert your attention away from the right actions to take.

If the necessary precautions have been taken, and there has consequently been an investment into the development of robust contingency management systems, it is possible to quickly gather the bits of evidence you need to answer some of the first key questions.

In this way, to be begin with it is necessary to establish which systems have been compromised and in what way. Is the infection limited to a single piece of equipment or subnetwork? Has any sensitive data leaked out? Are we talking about corporate data, or private data relating to employees and/or customers?

Step 2: Ensure continuity of service

In the case of a leak of information which might compromise employees or end users, the second step would be to give them a warning of the possible breach and advise them to watch out for any unusual movements they might notice regarding the data they have stored under your service.

If any physical equipment has been seriously compromised, you must set in motion any processes to activate backup resources, in order to maintain customer service. For this reason, it is critically important to plan your defense against attacks on availability, creating redundancy of equipment and connections. This, together with an action plan suitably defined at the level of the organization, will enable a rapid response to any events that lay siege to corporate security.

Step 3: Contain the infection

The containment of an infection begins with isolation of the equipment that you know has been compromised. Shutting down the segments of the network that include this equipment prevents the infection from continuing to spread throughout the corporate network, and interrupts any connection that may have been established with the attacker for the purpose of stealing information.

If the traffic generated by the malicious agent turns out to be encrypted, the analysts must try reverse-engineering it to obtain the cryptographic keys. However, if communication is taking place on non-confidential protocols like HTTP, it will be exponentially easier to track the commands used by the attacker.

Either way, studying these commands can lead the investigation to the discovery of new infected equipment, and the generation of traffic patterns should be translated into firewall rules, to quickly generate a first line of defense.

To achieve this, it is necessary to have correctly labeled traffic captures in order to speed up processing. Once again, it’s self-evident that proactive prevention and detection of threats are the cornerstone of information security and define a company’s capacity to respond in times of crisis.

Given that most of the procedures mentioned involve non-automated analysis of information, it is crucial to put in place a comprehensive corporate security solution in advance. This will make it possible to instantly deploy actions to block any harm that a malicious agent might attempt to inflict after penetrating your defenses.

The latest generation of ESET corporate solutions was developed to be a key factor in the containment process, thereby preventing the spread of infectious components through the company’s different transaction systems.

Step 4: Mitigate the infection and eliminate the line of attack

Removal of the malicious part is a complex procedure which initially involves a detailed analysis of the code in order to understand how it works. Antivirus solutions support this type of activity by enabling automatic disinfection and saving valuable time in the process of responding.

It is essential to understand that if the attackers are not completely eradicated from the network, they can resume their fraudulent activity on the infected equipment through another line of attack. Because of this, it is of vital importance to isolate the flaw that allowed them to enter in the first place, and then remove it from the system.

Even after equipment identified as compromised has been cleaned, there remains a risk that other undiscovered infected equipment is still in operation. To prevent this from occurring, we need to reinforce the analysis of the packets transmitted by the network, as we now have the advantage of knowing the communication protocols and commands used thanks to the previous analysis of the infection.

Together with a review of the firewall rules, changing the passwords on corporate networks is another preventive measure to take after detecting compromised resources, as this is one of the favored goals in corporate attacks. While the process of updating keys may take time and effort, it will prevent the attackers from using any stolen information to disguise themselves as a legitimate user.

At this point, it is worth establishing whether the infection was the simple result of carelessness online, or whether it constitutes a successful link in a chain of persistent targeted attacks.

If it is established that the infection was specifically targeting the organization, the real question to answer will be who lies behind these events, bearing in mind that another attack could be imminent.

Step 5: Learn from any errors

Carrying out an in-depth investigation into what happened will give cause for improving the processes within the organization. The removal of any vulnerabilities whose existence was previously unknown provides an opportunity to reinforce the perimeter of the corporate networks by identifying any other potential points of access to the system that had not previously been considered as falling within the scope of lines of attack.

Infections are always absolutely negative events for a company; however, they offer opportunities to learn. They show which elements of the system’s design need to be strengthened and they allow you to discover the flaws in the current defense measures.

Published with consideration from ESET. SOURCE

Every time a stolen laptop leads to a data breach, you wonder why the business involved hadn’t set up any safeguards. When the unencrypted laptop was stolen from a former physician at the University of Oklahoma, for instance, or when a laptop was stolen from insurance provider Oregon Health Co-op containing data on 15,000 members.

You’d think money would motivate them, if nothing else. In November, EMC and Hartford Hospital were ordered to pay US$90,000 to the state of Connecticut over the theft of an unencrypted laptop in 2012 containing data on nearly 9,000 people. The laptop was stolen from an EMC employee’s home.

The problem extends far beyond the healthcare industry, too—such as the laptop stolen from SterlingBackCheck, a New York-based background screening service. The laptop contained data on 100,000 people.

These types of breaches don’t quite grab the same headlines as major cybercrimes and hacking incidents, if only because a thousand employees affected by a laptop theft is less dramatic than 40 million customers at Target. But it’s a lot easier to steal a laptop than it is to hack into a corporate database, so the theft and loss of laptops, as well as desktops and flash drives, highlight the need for enhanced physical security and employee training.

It’s easier to steal a laptop than to hack a database

The organizations mentioned here have wised up. A spokesperson for the University of Oklahoma said it has launched an encryption program and new training for employees when it comes to handling sensitive data.

SterlingBackCheck said it has updated its encryption and audit procedures, revised its equipment custody protocols, retrained employees on privacy and data security, and installed remote-wipe software on portable devices.

Another threat to your data is the proliferation of Bring You Own Device (BYOD) policies and mobile workers.Gartner anticipates that half of all companies will have some need for a BYOD policy by 2017. Workers will be using their own devices as well as company-issued ones in the office or on the go. This opens up a new risk if devices are lost or stolen.

Security firms like Sophos urge companies to put a robust policy in place for the handling of professional devices, including full disk encryption as well as encrypted cloud and removable media. A strong password is highly recommended too, but it’s not enough on its own.

A greater sense of urgency wouldn’t hurt, either. In Oklahoma, the physician had actually left his position at the university before his personal laptop went missing. He couldn’t say for sure whether it contained sensitive data, but by the time that possibility arose, it was too late.

In another incident, at manufacturer Tremco, an employee lost a company-issued laptop on a plane. It was several weeks before the employee realized that it contained spreadsheets of personal employee data.

Encryption, remote wiping, better data tracking

Companies need to know where their data is at all times—not just what device it is on, but where that device is located physically.

This highlights the need for remote wiping tools, which SterlingBackCheck has put in place. If a laptop is lost or stolen, the company should have an easy way to remotely wipe the sensitive data to ensure it never leaks.

Much like large-scale hacking attacks, it’s the consumer or the patient that really suffers when a data breach occurs. The onus lies with the company to handle this data responsibly, whether it’s in the cloud or on a laptop on the bus.

Published with consideration from PCWorld. SOURCE

Adapt to Survive: Keeping One Step Ahead of Cyber Threats

There have been numerous high profile cyber-attacks in recent years, of privacy companies and government agencies. In May 2014, eBay was hacked and had to announce that personal details of 233 million of its users had been stolen. In November of the same year Sony suffered a similar fate when 102 million of its user accounts were compromised, and several emails were leaked from its high ranking Hollywood executives. Earlier this year, it was discovered that the United States Office of Personal Management suffered from two large-scale hacks, resulting in the theft of millions of employee personal files.

Against this backdrop of ever increasing cyber threats—and when you consider how much sensitive data is held by law firms—you realize how vital it is for the legal industry to keep data secure. Especially when the outcome of a legal case and the reputation of the legal firm concerned rests on it.

Security Audit

For each individual case a busy law firm will usually be privy to large numbers of physical documents, they will hold considerable amounts of electronic data, and there will be vast numbers of exchanges between clients that may contain sensitive information. Therefore, there are considerable potential vulnerabilities and the first step is to have all the risks professionally assessed by a cyber-threat specialist. Once you know where the gaps lie in your security, you can take steps to address them. A good way to do this, especially after an audit, is to create an Information Security Policy that lays out guidelines for your staff to ensure data is kept secure.

Some high profile clients may wish to audit your firm from a security point of view before they appoint you. This is particularly true of those industries which are heavily regulated, such as health insurance, and payment card processing companies. If you have already carried out your own internal audit, then this eventuality shouldn’t be such a daunting experience.

Keeping Documents Safe

It is imperative that the records a legal firm holds are kept safe to protect their clients’ reputations as well as the fact that any breach could result in damage to ongoing lawsuits. The best option is to employ the services of a secure document management company that can protect your data whilst giving you the flexibility to access it whenever needed, an important point given the day to day practicalities of life in a law firm. These providers will be subject to their own auditing and will use high levels of both physical and data security to protect your assets. They can also store both hard copy documents and data.

Firewall and Anti-Virus Software

Your internal network and website should have a firewall as the first line of defense. Anti-virus software is also important to protect you from malware. In one recent cyber case involving a legal firm, they were subject to spear phishing. This is when an email is opened which seems to come from a trusted source that the firm recognizes. The email then installs malware which sits in the background gathering sensitive data for the hacker.

Anti-virus software needs to be updated regularly and all systems should be scanned on an ongoing basis. These updates and scans should be set to run automatically by your IT department, to avoid human error.

Encryption and Off-Site Servers

The ideal solution for a legal firm is to have all their data held off-site in a high security data center. Furthermore all data held should be encrypted and all communications, including email, should also take place through encrypted connections. Encryption is important as then even if your data center is hacked your information should still remain secure.

Even if your law firm is relatively small, you aren’t immune to hacking. The FBI recently warned that even small and medium sized firms are now coming under attack. A law firm’s reputation is paramount. Clients expect their data to always remain confidential and the success of a case may rest on this fact. With the stakes so high are you willing to risk your reputation and a subsequent loss of business when some key steps taken now can do a great deal to protect you? Are you concerned your business’s security isn’t up to par? Need the guidance of a seasoned IT provider who specializes in security? Talk to us today.

Published with consideration from Law Technology.SOURCE

The report found the most popular phishing attack templates with the highest click rates are items employees expected to see in their work email.
Phishing attacks continue to grow in volume and complexity, supported by more aggressive social engineering practices that make phishing more difficult to prevent, according to a report from Wombat Security Technologies.

Organizations surveyed indicated they have suffered malware infections (42 percent), compromised accounts (22 percent), and loss of data (4 percent), as a direct result of successful phishing attacks.

Survey respondents said they protect themselves from phishing using a variety of methods, including email spam filters (99 percent), outbound proxy protection (56 percent), advanced malware analysis (50 percent), and URL wrapping (24 percent).

“The lack of measurement by security professionals concerned us the most,” Trevor Hawthorn, chief technology officer of Wombat, told eWEEK.
He pointed out that 37 percent of respondents did not measure their susceptibility to phishing, and a staggering 56 percent do not assess end user risk.

“Without assessing to understand security problems, you cannot create an effective plan to combat them,” he explained. “There are multiple ways that security officers can measure risk – through pulling numbers on items like policy violations, malware infections, reported and identified phishing attacks, or they can do a knowledge assessment or simulated phishing attack that will not only help them understand risk, but set a baseline to measure improvement against.”

The report found that the most popular phishing attack templates with the highest click rates included items employees expected to see in their work email such as an HR document, or a shipping confirmation.

“Email is a part of virtually everyone’s life. We get large volumes every day, and we have more and more details about our lives online on places like social media that allow criminals to create more targeted messages to get us to click,” Hawthorn said. “Organizations can be sure that they are continuously training their employees on what phishing messages look like and how to avoid them.”

Wombat found the following plugins as most vulnerable for being outdated and susceptible to an attack: Adobe (61 percent), Adobe Flash (46 percent), Microsoft Silverlight (27 percent), and Java (25 percent).

“Threats will continue to do what works until it doesn’t,” Hawthorn said. “Then they will adjust and exploit the next easiest path. Right now end users are still the easiest path. Why? Because the security industry has matured when it comes to managing risk of technical assets. We need to manage end user risk the same way we manage technical risk. Perform on-going, targeted assessments, and gather real-time user behavior data to determine a user’s risk level.”

For additional tips on how to resolve to be better about cyber security in 2016, reach out to GCInfotech to assess your current network security and any potential vulnerabilities.

Cyber attacks are a real concern for businesses today, but it’s important to be able to separate myth from reality. Education is key to protecting your business against an attack and keeping your business and customer data safe.

Curious to learn about other common malware that can cause trouble for business owners? Want to upgrade your existing network security system? Give us a call today, we’re sure we can help.

Published with consideration from eWeek. SOURCE

Most business owners have an employee handbook. But when it comes to the online security of their business, often times this portion is either not adequately addressed, or not addressed at all. However, with cyber crimes an ever increasing threat, and the fact that employee error is one of the most common causes of a security breach, it is incredibly vital that your staff is informed of your policies. Here are four policies that every business owner should share with their employees.

Internet

In today’s business world, employees spend a lot of time on the Internet. To ensure they’re not putting your business at risk, you need a clear set of web policies. Here are three important ones to keep in mind:

  1. Employees should be using the Internet for business purposes only. While this is undoubtedly hard to avoid without blocking specific websites, having a policy in place should at least cut back on employees spending time on non-business related sites.
  2. Prohibit unauthorized downloads. This includes everything from music to games, and even data or applications.
  3. Accessing personal email should not be done on business devices. If employees must access their own email account during the day, they can do so on their smartphone or other personal device.

These are just a few Internet policies to get started, but you should also consider including information on your recommended browsing practices and your policies for using business devices (such as company phones) on public wifi.

Email

Just like with the Internet policy mentioned above, company email accounts should only be utilized for business use. That means your employees should never use it to send personal files, forward links or perform any type of business-related activities outside of their specific job role. Additionally, consider implementing a standard email signature for all employees. This not only creates brand cohesion on all outgoing emails, but also makes it easy to identify messages from other employees, and hence helps prevents spear phishing.

Passwords

We’ve all heard the importance of a strong password time and time again. And this same principle should also apply to your employees. The reason is rather simple. Many employees will create the easiest to crack passwords for their business accounts. After all, if your organization gets hacked, it’s not their money or business at stake. So to encourage employees to create strong passwords, your policy should instruct them to include special characters, uppercase and lowercase letters, and numbers in their passwords.

Data

Whether or not you allow your employees to conduct work on their own device, such as a smartphone or tablet, it is important to have a bring your own device (BYOD) policy. If your employees aren’t aware of your stance on BYOD, some are sure to assume they can conduct work related tasks on their personal laptop or tablet. So have a BYOD policy and put it in the employee handbook. In addition to this, make sure to explain that data on any workstation is business property. That means employees aren’t allowed to remove or copy it without your authorization.

We hope these four policies have shed some light on best security practices. If you’d like more tips or are interested in a security audit of your business, do get in touch.

Published with consideration from TechAdvisory.SOURCE

Ways to Repel Ransomware


Let’s put aside for a moment the mega data breaches that resulted in millions of confidential customer records going out the door. If 2015 is to be remembered for one thing in the world of cybersecurity, it might be the year ransomware hit the big time.

Ransomware is “kidnapping” malware that has been plaguing home users and businesses for many years, but which has significantly spiked over the past 24 to 36 months to become a hugely profitable racket for cybercriminals – and a source of great tension for IT and security professionals. The threat initially gained notoriety for its maddening ability to freeze individual keyboards and computers – usually with bogus statements from the FBI concerning child pornography – but in recent years it has evolved to encrypt sensitive data files, with the attackers the only ones holding the private keys to unlock them. The most recent strains of ransomware are going even one step further: They are being bundled with password stealers that are used to exploit weak website security.

The fraudsters won’t release the key, of course, until you make a payment, usually requested in bitcoins. The going-rate is around $500, but the shakedown can stretch into the several thousands of dollars for victims – never mind the costs associated with downtime and recovery, as well as potential legal and customer-related costs. Because the attack is so crippling, many businesses end up deciding to pay the ransom – an outcome that even the FBI hasn’t encouraged against. The most common ransomware family is CryptoWall, which the Internet Crime Complaint Center in the United States estimates was responsible for nearly 1,000 complaints between April 2014 and June 2015, with those victims reporting some $18 million in losses. TeslaCrypt and CBT Locker are two other families that are popular. Reveton and Chimera are still around, but somewhat outdated.

Purveyors of ransomware typically stop short of exfiltrating compromised data as we’ve become accustomed to with traditional data breaches. Instead, they aspire for a quick hit and an even quicker reward. Once compensated, they usually live up to their end of the bargain and release the data from their control – If they didn’t, nobody would ever pay the ransom – although that’s no guarantee they’ve abandoned their foothold in the target environment.

Ask any security expert why ransomware has become so popular and they’ll give you roughly the same answer: It’s not a complicated scam requiring different players handling specific tasks (as you might find in a credit card breach operation). It often results in quick cash – Trustwave researchers estimated the return on investment for ransomware attackers is a whopping 1,425 percent – and most of all, it works. The threat is often difficult to detect and even harder to remove once it has infiltrated a target, which, by the way, doesn’t just include PCs, but also mobile devices (where the threat is growing fast),Linux-based systems and even medical devices.

What steps can you take to rebuff a ransomware attack? Try these seven recommendation

1. Back up Your Data

This allows you to quickly recover from an incident. Be sure to regularly replicate file changes in your production environment, so your fallback point is an acceptable amount of time for your organization in case of an attack.

2. Disconnect from the Internet

At the first sign of a malware infection, detach the compromised machine from the network, cutting off the attacker’s control of it. However, take note that this will not stop the encryption process if it’s already been initiated by the ransomware.

3. Run Anti-Malware

It’s not enough to simply have anti-virus running on your desktops. You also need live anti-malware capabilities that can conduct real-time code analysis and dynamic URL categorization.

4. Spread Security Awareness

Ransomware scams tend to begin like most malware infections – with an end-user clicking or opening something malicious. Preach the importance of social engineering defense.

5. Deploy Advanced Email Security

To complement awareness with technology, you should adopt an email security gateway that incorporates threat intelligence to effectively thwart emails that contain malicious URLs.

6. Patch Your Software and Systems

Malware often requires an unpatched vulnerability to run, so ensure that your entire environment is updated with the latest security fixes. Vulnerability scans and security testing help businesses identify their network-connected assets and learn how those assets are vulnerable to attack.

7. Report the Event

If you’re a victim of a ransomware attack, you need to kick in incident response, which should include contacting the authorities and/or filing a complaint with IC3.

Published with consideration from Trustwave. SOURCE

Potential IT security issues in 2016 – As a small or medium-sized business owner or manager, it’s only to be expected that you want to keep your company safe from cyber attacks and hacking attempts. But how much do you really know about online safety? With massive corporations such as Sony falling victim to attack, cyber security has never been more in the public eye. And that makes it the ideal time to learn just what it is you need to be doing to keep your business secure in 2016.

If you think that only big corporations and prominent organizations are targeted by cyber criminals, you are making a deadly mistake. It might be tempting to sweep cyber crime under the carpet and assume that you are flying below the average hacker’s radar, but that simply isn’t true. In fact, it’s the polar opposite, since smaller enterprises are actually far more likely to be at risk than larger ones, owing to their typically less sturdy security postures.

So where does that leave you as a small or medium-sized business owner or manager? Does it mean you need to be taking your cyber security even more seriously? You can bet your bottom dollar it does, as industry experts predict that 2016 is only going to become more of a minefield when it comes to online crime.

The headline trend that IT security professionals pinpointed this year was that no longer were criminals hacking into websites purely to bolster their bank accounts. 2015 has seen the emergence of another strain of hackers, launching cyber attacks as part of a moral crusade. These people are not purely after money although in some cases this may also be a contributing factor – instead, their claimed motivation is revenge, or righting what they perceive as wrong. It is this diversification in the hacking community that has led security watchers to predict that, as we enter 2016, we are likely to see some different behavior from hackers.
Among the unpleasant predictions being made, a number of experts agree that hacks of a destructive nature will be on the rise. The fact that hackers are using attacks for retribution rather than simple monetary gain means that a wider cross-section of organizations may well find themselves being preyed upon, all the way from government agencies – traditionally ignored by hackers – to online retailers and other commercial websites.

Remember when Snapchat got hacked back in October 2014, and the hackers threatened to make public as many as 200,000 photos? Well, the bad news is that apps are going to continue to be targeted. In particular, those mobile apps that request access to your list of contacts, emails and messages can, in the wrong hands, be used to create the kind of portal that enables a cyber criminal to steal data or gain access to a company’s entire network. All this means that in 2016, hackers could be taking advantage of apps to do more than just steal your social media photos – they might have in mind the takedown of your entire company.

As a local business owner, social engineering – a means of tricking an individual into disclosing revealing or personal information about themselves or their company – is something you definitely need to be concerned about. You might pride yourself on being too savvy to fall for a cyber criminal’s tricks, but what about your employees? Can you be sure that each and every one of them exhibits the same amount of self control, cynicism, and wariness that you do? Not only that but, as we enter a new era of online threats, the criminals that use social engineering are growing in confidence and creativity. Dodgy emails from a bizarrely named sender containing a link to an unheard-of website are yesterday’s news. Modern social engineering is highly evolved and extremely cunning, and has the potential to convince even the most streetwise internet user.

How confident are you that your entire team of employees would be completely infallible in the face of a stealth attack from a seemingly innocent source? Could you trust them to restrain from divulging not only their personal details but also information pertaining to your company? Multiply the number of employees in your company by the number of phone apps they potentially use, and add to that the fact that any one of them could at any time be targeted by a social engineering scam, and the end result is a less-than-perfect security posture.

The sad fact is that there are people who want to do you harm – regardless of whether you hold confidential information about celebrity salaries, or are privy to a database full of cheating spouses. People, no matter how well meaning or vigilant, are the weakest link in any security chain, which means that ensuring your business’s safety necessitates educating your staff and ensuring that your network is impenetrable.

Professional training and a vulnerability assessment are two great places to start, so why not get in touch with us? We’ll make sure your business is as hack-proof as it can be.

Should members of the U.S military who click on phishing emails be court-martialed? Admiral Michael Rogers thinks so. As director of the National Security Agency, he’s dealing with a hack of the Pentagon’s Joint Staff network that was enabled by four people who fell for phishing emails.

“When I looked at the email, I said: ‘Why would you have opened this? It makes no sense,’” Adm. Rogers recently told The Wall Street Journal. “And the answer I got was: ‘It was early in the morning. It was a Monday. I’m just blowing through my emails.’

“If someone had said to me: ‘Hey, it’s lonely on post. It’s the middle of the night out in the middle of nowhere. I just pulled my gun out because I wanted to quick draw,’ we would never accept that. So why are we willing to accept this kind of behavior in the cyber world?”

That blunt assessment should be food for thought for any organization that uses email – in other words, everyone. Email’s ubiquity enables hackers to cast a wide net and as the Pentagon example shows, the amount most workers receive increases the chances that phishing and other attack methods will succeed.

Rethinking email security

But there’s another key aspect that many CIOs, CSOs and IT managers overlook: email is a gold mine of information that facilitates a wide variety of subsequent attacks. For example, a new employee might use email to provide HR with her dependents’ names and Social Security numbers. That information enables identity theft. Less obvious is how it also opens back doors to personal and professional data if she uses those names as passwords or as responses to security challenges. The risks multiply even further if HR sends her links to set up employer-related accounts, such as everything from health insurance to the corporate LAN.

It gets worse: most people don’t delete messages once they’ve sent them, which means the confidential personal and professional information they contain is there for the taking for any hacker who manages to get in. This confidential information in email could linger for months, years or forever, depending on whether her employer’s IT policies automatically purge messages after a certain time (if they purge at all). She’ll also probably archive HR’s messages so she has those links and other information handy, which means more valuable data for hackers.

If that sounds scary, it is. But practically every week, there’s a headline about a high-profile email hack, which shows that too many enterprises, government agencies and other organizations are growing complacent or simply desensitized. That increases the likelihood that they’ll eventually make headlines, too – or even have a law nicknamed after their organization because the breach was too big and too embarrassing for Congress to ignore.

Hyperbole? Imagine a hack of thousands or millions of patient accounts that was enabled because a single internal email contained that database’s login information. Actually, you don’t have to imagine it because it’s happened so many times. One example is the University of California Davis Health System, where a single physician’s email account stored 1,326 patients’ information. They’re now among the roughly 39 million patients nationwide whose health information has been hacked so far, according to the Department of Health and Human Services.

How to Fight Back

The good news is there’s no shortage of proven technologies and best practices for securing email and, in turn, all of the databases, networks, accounts and other things that those messages touch. These technologies and practices are applicable and effective in nearly every vertical, and in many cases, they’re becoming must-haves to ensure compliance with laws such as HIPAA and SEC regulations.

Encryption should be at the top of the list. It’s ironic: organizations typically back up their email servers because they recognize that the information they contain is so important to their operations, yet they frequently don’t go a step further to encrypt that valuable data.

Ideally that encryption should be applied end to end: when messages are in transit and when at rest on servers and devices such as desktops and laptops. Don’t overlook tablets and smartphones, which are the preferred, or sometimes only, devices that employees use for email. In fact, the proliferation of mobile devices in the workplace exponentially increases the need for technologies such as encryption. One reason is because unlike desktops, tablets and smartphones are portable and thus easily lost or stolen. On-device encryption secures the messages they store.

Organizations also should look for mobile device management (MDM) platforms that can remotely lock and erase lost and stolen phones and tablets, as well as enforce security policies. For example, when employees open an email attachment on their mobile device, that document often is then stored in RAM. An MDM platform could be used to enforce a policy that prevents email attachments from being stored on the smartphone or tablet so they can’t be accessed by someone who finds or steals the device.

By minimizing the chances that email and other systems will be breached, an MDM platform can save organizations a significant amount of money, such as legal fees, compensation for affected customers and marketing to restore a sullied brand (or even to maintain brand status quo). Industry- and country-specific regulations can further increase an MDM platform’s ROI when it’s used to enable compliance. Two examples are financial services firms and health care providers that use MDM platforms to securely archive messages such as trade orders and prescriptions.

No one wants someone else peering into their email. But without security, privacy cannot exist. By securing their email, organizations can provide the privacy that they and their employees want – and that hackers hate. Are you concerned your business’s security isn’t up to par? Need the guidance of a seasoned IT provider who specializes in security? Talk to us today.

Published with permission from ITProPortal. SOURCE

While small businesses lack the big budgets of their enterprise counterparts, that doesn’t make security any less of an issue for SMBs. In fact, small and medium businesses are more and more often the target of cyber criminals precisely because they generally have fewer security measures in place. So to ensure your business has enough security to stay protected, here are a number of rules every SMB should follow to keep themselves secure.

Security rules for SMBs to follow

Recognize where your most critical data lies

Is it in the cloud? Hard drives? Backup disks? Mobile devices? Whether or not you have the budget and resources to adequately secure all of your data, the critical data that your business relies on must be sufficiently secure. If you’re unsure of what that is, ask yourself which data you would need to access within 24 hours of your business suffering a major disaster, in order to ensure your operations remained up and running. Once you’ve answered this question, talk with your IT managers to determine the security measures that need to be implemented to protect your most vital data.

Learn the basics

After you’ve bulletproofed your critical data, it’s time to arm your network with the basics. If you haven’t already done so, ensure that you have anti-malware protection on servers and endpoints, and firewalls for both wireless and wired access points.
If you have the budget, it’s worth seeking outside counsel from an IT expert fluent in today’s security best practices. They’ll ensure your business is protected from the latest cyber threats. However, if you don’t have the budget, then it’s time to take matters into your own hands. Read up on security trends, join technology networking groups, and ask your fellow business owners about their own IT security policies.

Cash a reality check

Bad things happen to nice people. Tornadoes, fires, thieves, and faulty technology couldn’t care less about how your business donates to local charities and supports your community’s youth sports clubs. What’s more, hundreds of small businesses across the country suffer severe data loss each year. Ignorance and turning a blind eye will not protect you, so make a wise decision and automate your data to be backed up daily. This allows your business to remain in operation if you’re hit by a security breach.

Dispose of old technology properly

Whether it’s a computer, server or tablet, any device that stores data on it must be properly disposed of when it conks out. Specifically, the hard disk must be destroyed completely. And remember, proper data disposal is not only limited to technology, as critical information is also revealed on paper files. So if you’re migrating the content of physical documents to the cloud, make sure to shred the paper versions too.

Mind your mobiles

The mobile age is here, and along with it come employees who may access your business’s critical information via their smartphones, tablets and other mobile devices. Recognize that many of these devices have different operating systems that require varying security measures. You and your IT manager should be aware of this, which leads to our last point…

Think policy

Have a policy for all your company’s devices. If you don’t inform your employees they shouldn’t access company information via their phones or tablets, then they’ll likely assume it’s okay to do so. But thinking policy doesn’t pertain only to mobiles. You should also determine acceptable online behavior for your employees, as well as how data should be shared and restricted. Put this in writing, and then have your employees read and sign it.
Of course, it’s not always wise to be overly restrictive. Rather the point is to have policies in place and make everyone in your organization aware of them because if you don’t each staff member will make up their own rules.

Are you concerned your business’s security isn’t up to par? Need the guidance of a seasoned IT provider who specializes in security? Talk to us today.

Published with permission from TechAdvisory.org. SOURCE

The risks of using passwords – GC Infotech

We all use passwords to access and protect sensitive online data—whether it’s logging onto the network at work, shopping for goods on the web, or accessing personal email. Passwords are a basic function of the way we work, live, and socialize; yet as anyone who has had an account hacked can tell you, password protection is far from perfect.

With personal data playing an ever-larger role in the way we do business, current password functionality is in need of an overhaul. If you’re looking for a better way to secure your personal and professional data, here’s what you need to know.

The problem with hashing

In theory, passwords should work: if someone doesn’t know your password, they shouldn’t be able to log into a site or an account as you. Unfortunately, outdated storage methods and a lack of universal best practices have made it increasingly easy for hackers to get their hands on your passwords—and your data.

Each time you register a password with a website or service, that organization needs to store your password somewhere in order to authenticate your identity later. Some organizations store your password as plain text, which leaves you and your data extremely vulnerable if the sites’ password lists are accessed by unauthorized users or hackers. Security-minded sites take pains to create a protected version of your password known as a “hash,” dicing up your password into small pieces and rearranging the pieces so that they no longer resemble the original. In this case, when you re-enter your password, it goes through a hashing function where the result is compared to the stored hash for verification.

The thought behind password hashing is that if hackers manage to breach a website or online service, they won’t be able to steal users’ intact passwords. Instead, the hackers will be left with difficult-to-crack hashes that are either unusable or take a very long time to reverse engineer into passwords. However, with the rise of powerful, off-the-shelf components such as modern graphics cards and lists of pre-generated hashes for short passwords, hackers can easily reverse engineer passwords.

A modern high-end graphics card, for example, can easily perform more than 600 million SHA256 hash operations per second. A few of these relatively inexpensive cards arranged in an array can try every possible eight character password in about seven days. While that’s impressive enough already, attackers have far more advanced ways to crack hashes, and with the right tools they can crack hundreds of passwords per hour.

“Online sites are aware of these issues,” explains Jim Waldron, Senior Architect for Platform Security at HP, “and so some of them have increased the security by adding secret questions and answers like: ‘What is your mother’s maiden name?’ Unfortunately, much of this ‘private’ information can be legally purchased from online data aggregators.” In other words, even users’ private personal information is no barrier to a determined hacker.

The problem with best practices

To make the situation worse, once a hacker obtains a user’s password, they can use this information to try and access the rest of the user’s online accounts—such as their email or bank accounts. The reason for this is that most consumers—and businesses—skirt password best practices.
A secure password should adhere to three basic rules:

  • It should be long — at least 16 characters1
  • It should be complex — containing uppercase letters, lowercase letters, numbers, symbols, and spaces
  • It should be unique — i.e. you only use it once

You’re probably familiar with at least a few of these rules. Many password systems require users to create passwords of a certain length and complexity, but the resulting passwords are hard to remember and many users recycle the same password multiple times. In fact, 54% of consumers use five or fewer passwords across their entire online life, while 22% use three or fewer.2

So what’s next for passwords?

With all these issues, combined with an increasing number of high-profile online data breaches, the public is losing faith in passwords. Nearly 70% of consumers report lacking a high degree of confidence that their passwords can adequately protect their online accounts—and they’re calling on online organizations to add another layer of security to the process.2

“At a very high level,” says Waldron, “what we need are new, more secure methods for users to identify themselves to online services—methods that are also easy for users to perform.” While broad changes will take time and a large joint effort, there are some immediate actions businesses can take to improve their own authentication methods.

Passwords are still an important security feature, despite their many problems. Check the strength of your passwords—make sure they are long, complicated, and never repeat. You probably already have access to a Password Manager which can store your unique passwords for you. This is an efficient way to eliminate the headaches normally associated with remembering complicated passwords across multiple sites. You can also try to institute several layers of authentication at once—such as a fingerprint reader plus a password, or an iris scanner plus a smartcard reader. This is known as multi-factor authentication and is much more secure than any one method alone.

The absolute best way a business can ensure that their systems and networks are secure is to work with an IT partner like us. Our managed services can help ensure that you have proper security measures in place and the systems are set up and managed properly. Tech peace of mind means your focus can be on creating a successful company instead. Contact us today to learn more.

[1] CNET, The guide to password security (and why you should care)
[2] Telesign, Telesign Consumer Account Security Report

Published with permission from Hewlett Packard. SOURCE