Why SMBs Must Proactively Address the Threat of Mobile Hacks

/in , /by

70More cyber criminals are targeting small-to-medium sized businesses. One reason for this is too many workplaces have insufficient bring-your-own-device (BYOD) policies in place. Some have none at all. Although firms are generally more knowledgeable about network security risks than in years past, they still woefully underestimate the security vulnerabilities linked to mobile devices like smartphones and tablets.

This is a real cause for concern since data breaches have the ability to put many already financially challenged SMBs out of business.

If customer/client data has been breached, there could be potential litigation costs, and naturally, lost goodwill and an irreparable hit to brand or company reputation.

Don’t Just Say You’re Worried About the Bad Guys… Deal With Them

SMBs say they view network security as a major priority but their inaction when it comes to mobile devices paints a different picture. An April 2013 study found that only 16% of SMBs have a mobility policy in place.

Despite the fact that stolen devices are a major problem in today’s mobile workforce, only 37% of mobility policies enforced today have a clear protocol outlined for lost devices. Even more troubling is the fact that those firms who have implemented mobility policies have initiated plans with some very obvious flaws.

Key components of a mobility policy such as personal device use, public Wi-Fi accessibility, and data transmission and storage are often omitted from many policies.

Thankfully, most SMB cybercrimes can be avoided with a comprehensive mobility policy and the help of mobile endpoint mobile device management services.

A Mobility Policy Is All About Acceptable/Unacceptable Behaviors

Your initial mobility policy doesn’t have to be all encompassing. There should be room for modifications, as things will evolve over time. Start small by laying some basic usage ground rules, defining acceptable devices and protocols for setting passwords for devices and downloading third-party apps. Define what data belongs to the company and how it’s to be edited, saved, and shared. Be sure to enforce these policies and detail the repercussions for abuse.

Features of Mobile Device Management Services

MDM services are available at an affordable cost. These services help IT managers identify and monitor the mobile devices accessing their network. This centralized management makes it easier to get each device configured for business access to securely share and update documents and content. MDM services proactively secure mobile devices by:

  • Specifying password policy and enforcing encryption settings
  • Detecting and restricting tampered devices
  • Remotely locating, locking, and wiping out lost or stolen devices
  • Removing corporate data from any system while leaving personal data intact
  • Enabling real time diagnosis/resolution of device, user, or app issues

It’s important to realize that no one is immune to cybercrime. The ability to identify and combat imminent threats is critical and SMBs must be proactive in implementing solid practices that accomplish just that.

CLICK HERE for a free technology assessment.

Just Because You’re Not a Big Target, Doesn’t Mean You’re Safe

/in , , , /by

69Not too long ago, the New York Times’ website experienced a well-publicized attack, which raises the question – how can this happen to such a world-renowned corporation? If this can happen to the New York Times, what does this bode for the security of a small company’s website? What’s to stop someone from sending visitors of your site to an adult site or something equally offensive?

The short answer to that question is nothing. In the New York Times’ attack, the attackers changed the newspapers’ Domain Name System (DNS) records to send visitors to a Syrian website. The same type of thing can very well happen to your business website. For a clearer perspective, let’s get into the specifics of the attack and explain what DNS is.

The perpetrators of the New York Times’ attack targeted the site’s Internet DNS records. To better understand this, know that computers communicate in numbers, whereas we speak in letters. In order for us to have an easy-to-remember destination like nytimes.com, the IP address must be converted to that particular URL through DNS.

Therefore, no matter how big or small a company’s online presence is, every website is vulnerable to the same DNS hacking as the New York Times’ site. The good news is the websites of smaller companies or organizations fly under the radar and rarely targeted.  Larger targets like the New York Times, or LinkedIn, which was recently redirected to a domain sales page, are more likely targets.

For now… There is no reason to panic and prioritize securing DNS over other things right now. But there is a belief that DNS vulnerability will be something cybercriminals pick on more often down the road. Here are a few ways to stay safe:

Select a Registrar with a Solid Reputation for Security

Chances are, you purchased your domain name through a reputable registrar like GoDaddy, Bluehost, 1&1, or Dreamhost. Obviously, you need to create a strong password for when you log into the registrar to manage your site’s files. Nonetheless, recent DNS attacks are concerning because they’re far more than the average password hack.

It was actually the security of the registrars themselves that was compromised in recent attacks. The attackers were basically able to change any DNS record in that registrar’s directory. What’s particularly frightening is the registrars attacked had solid reputations. The New York Times, along with sites like Twitter and the Huffington Post, is registered with Melbourne IT. LinkedIn, Craigslist and US Airways are registered with Network Solutions. Both had been believed to be secure.

So what else can be done?

Set Up a Registry Lock & Inquire About Other Optional Security

A registry lock makes it difficult for anyone to make even the most mundane changes to your registrar account without manual intervention by a staff registrar. This likely comes at an additional cost and not every domain registrar has it available.

Ask your registrar about registry locking and other additional security measures like two factor authentication, which requires another verifying factor in addition to your login and password, or IP address dependent logins, which limits access to your account from anywhere outside of one particular IP address.

While adding any of these extra safeguards will limit your ability to make easy account change or access your files from remote locations, it may be a worthwhile price to pay.

CLICK HERE for a free network assessment and avoid cybercrime with Cognoscape.

Why it’s Time to Move on if Your Cloud Provider Won’t Sign a HIPAA BAA

/in , , , /by

68Despite new HIPAA Business Associate Agreement (BAA) regulations going into effect in 2013, many healthcare organizations are still encountering the occasional cloud service provider who refuses to sign a BAA. Although they may have a logical explanation, any refusal to sign a BAA should be seen as a red flag.

Here’s the logic from their angle. There are still many cloud vendors who view themselves more as conduits of Personal Health Information (PHI). They feel their role is more akin to that of a mailman. They’re merely transporting data to others and have no real access to the actual contents.

If the data is encrypted and cannot be read, or If they don’t touch the actual PHI data at all, the cloud service vendor will argue that HIPAA regulations do not apply to them and possibly refuse to sign a BAA.

Fair enough, right? If the data is encrypted and the vendor doesn’t hold the encryption key, what’s the problem? Well, here’s the problem.

File this in the unlikely yet not improbable category. Let’s say that the PHI data wasn’t properly encrypted before it was sent into the cloud or unencrypted data was mistakenly transferred over to the cloud service provider. If the cloud provider has refused to sign a BAA, this jeopardizes your HIPAA compliance and could potentially result in a fine anywhere from $50,000 to $1.5 million.

This is why those in the healthcare sector must move on from any cloud provider that is reluctant to sign a BAA. They are basically refusing to be complaint since the new HIPAA Omnibus Rule clearly defines a business associate as anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity. By refusing to share accountability for HIPAA compliance, they’re a liability to your organization that you just can’t afford.

CLICK HERE for a free network assessment.

 

2 Steps to Ensure Healthcare Data Availability in the Cloud

/in , , /by

66In 2013, major companies like Google, Amazon, and Microsoft experienced outages. Not only were these big name outages disruptive to users, but they also made headlines and proved to be costly to each brand. Google’s hiccup footed an estimated bill of $500,000 while Amazon’s 30-40 minute blackout contributed to roughly $3 million in losses.

2013 was also the year the healthcare industry embraced cloud computing thanks to modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules. With these modifications extending the definition of a Business Associated (BA) to cloud service providers, many of the data breach concerns that had previously kept the healthcare sector from taking to the cloud have been quieted.

But as more patient health data is electronic and residing in a virtual environment, the availability of this data is just as important, if not more important, than securing it. Unlike Google, Amazon, and Microsoft, the disastrous effects of data outages in the healthcare sector can have potentially deadly consequences.

Not only is high uptime mandatory in a healthcare cloud, business continuity and disaster recovery (BCDR) plans are also crucial. The good news is the cloud’s virtualized infrastructure, coupled with the expertise and cloud monitoring of a trusted Managed Service Provider (MSP) can help healthcare organizations maintain uptime and reliability. Here are two helpful steps:

  1. Risk Assessments Are Absolutely Necessary

While risk assessments are critical to protecting patient health information, a 2012 audit conducted by the Office of Civil Rights revealed that many healthcare entities and contracted service providers fail to perform them. These evaluations must be conducted regularly and require an honest assessment of probable risks ranging from malicious cybercrime attacks to acts of nature such as natural disasters, flood, earthquakes and power outages. Analyze both the architectural vulnerabilities relative to data availability and security as well as the effectiveness of the counteractive measures in place. The goal is to minimize the plausible impact of such an event and prevent service disruption.

 

  1. Proactively Monitor for Cybercrime

It is often months before a security breach is detected. By this time, hackers have had ample time to infiltrate your system and feast on its data. Since cybercriminals use an unpredictable array of methods to strike, such as viruses, malware and phishing schemes to steal credentials, the strength of your detection system is key. Alerts should be set up to identify anomalies such as unusual application requests, forced entry attempts, suspicious spikes in traffic, and abnormal data patterns that suggest a breach. The proactive monitoring tools available through a MSP can help scan, pinpoint, and remediate such attacks.

Any BCDR plan must be built upon your organization’s recovery time objective (RTO) and recovery point objective (RPO). Your RTO is the duration of time in which your service level must be restored to avoid dire consequences. Your RPO is the maximum age of the recoverable files in storage to resume normal operations. A MSP can help determine the optimal scenario for your healthcare organization and prioritize the most critical health care information with near real-time replication.

Through this preparation and foresight, your organization can lay the groundwork to not only protect healthcare information in the cloud but potentially save patients’ lives in the event of an unforeseen outage.

CLICK HERE for a  free network assessment.

Healthcare and Cloud Computing Together at Last

/in , , , , , /by

65 For years, the healthcare industry was thought to be the very last sector to embrace cloud computing. With HIPAA compliance, storing private patient data in the cloud seemed much too risky from a security and legal standpoint. However, with a government issued mandate to migrate patient data to electronic heath records by 2015, the cost-effectiveness of the cloud was simply too logical to not entice independent practitioners and small healthcare entities now burdened by the need to invest technology and tech-savvy personnel. If only there was a way around the security and privacy concerns.

Wish granted. In January of 2013, the U.S. Department of Health and Human Services introduced a few revisions to the regulations administered under the Health Insurance Portability and Accountability Act of 1996. Labeled the “Final Omnibus Rule,” this update spelled out the legal framework to be used by healthcare organizations working with cloud service providers.

With a signed Business Associate (BA) agreement, a cloud service provider accepts the responsibility to protect patient data under HIPAA law. This expanded definition of BA means that the government can now penalize cloud service providers accountable for data breaches.

Although many healthcare organizations had already entrusted certain cloud service providers with their data, only the HIPAA covered entity (the healthcare organization) was penalized in the event of a breach prior to this ruling. While the HIPAA covered entity is still responsible for oversight, this shared accountability with the cloud service provider has expanded responsibility and has led to an influx of healthcare organizations and cloud service providers working together, worry-free, in perfect harmony.

CLICK HERE for a free network assessment.

4 Easy Ways to Boost Your Web-Surfing Security

/in , , , , /by

The internet has become more of a necessity than a luxury. With social networks becoming more popular and the usage of the internet becoming more widespread, it’s important to make sure that you’re secure online.

Here are 4 easy ways you can protect yourself online.

 

#1) Don’t Overshare

When you’re spending lots of time on your favorite social networks, it can be tempting to post lots of personal information, including your location and your full name. But sharing those kinds of things can really compromise your privacy!

Check out the privacy settings for your online profiles and make sure that your personal information is not available to the public.

 

#2) Watch Out For Scammers

Have you ever received an email from a random person stating that you were an heir set to receive a huge fortune?

Or maybe you’ve received an email from someone you don’t know that included a sob story and a desperate plea for financial help.

Either way, these types of emails are scams – the scammers use your sympathy or excitement against you, get your credit card information, and steal your money or your identity.

Make sure that you are careful about which emails you take seriously and respond to. Remember – pretty much anyone can email you. Make sure you use discretion so you can keep your money and information secure.

 

#3) Protect With Passwords

Many popular websites require you to register, create a password, and log in to gain full access. While some people see this as an inconvenience, it’s truly a good way to keep your data secure and private.

Be sure that, when you create a password, you make it one that’s difficult to guess. Use varied capitalization, use numbers, and try not to use a dictionary word. That way, you can feel confident that your accounts are safe from hackers.

 

#4) Safe Shopping

It’s important to follow best safety practices when you’re shopping online. After all, you’re likely using your credit or debit card. You don’t want that information to get into the wrong hands! Make sure that you never enter your credit card on a page that is not encrypted. When a page is encrypted, the web address will begin with “https” instead of “http.”

Also, make sure you never enter your social security number. No seller should ever need that information – if they do, it’s likely that they’re trying to scam you

Another good practice is to check out the seller’s reviews and policies. You can shop a lot more confidently if you know other people have had a good experience purchasing from the seller.

 

Why stop there? It’s good to make sure you’re secure when you’re casually using the internet, but it’s also important to make sure that your company networks are secure. I mean, you could lose your money, your clients, or even your business if a hacker accessed and used your data!

Here at Cognoscape, we’ve got the security solutions you need to gain peace of mind and keep your critical information safe. Contact us today, and let’s work together to prevent security breaches.

Keep Your IT Guy and Outsource IT Services Too

/in , , , , , /by

59Everyone in the office loves Eric. Sporting a different ironic t-shirt everyday, Eric is the one we call when technology spits in our face. Whether it’s a slow system, a bug that needs to be squashed, a website issue, or a crash that results in unexpected downtime and data loss, Eric is right there. Not only does he get to the bottom of any issue but he also rights the ship like he’s some sort of miracle-working captain who just happens to have a pretty wickedly funny Peter Griffin from Family Guy impersonation.

But business is growing and Eric is overworked. Eric has certain skills that you’d love to use to develop innovative applications and revenue-generating projects– but he’s too busy running around fixing things that break. Or he’s performing the most mundane and routine tasks day-in-and-day-out just to keep things secure and running smoothly.

You get a sense that Eric’s overburdened and he’s saddled with too many responsibilities. His demeanor has changed from pleasant to moody. He’s listening to angrier metal and punk music and you’re noticing cracks in his work. You fear Eric is being pulled in too many directions and the reliability of your server, network, and applications, as well as the integrity of your data, are all at risk.

Someone who has watched a bit too much of Donald Trump on The Apprentice might think Eric should be fired. We’re not going to fire Eric. But we’re also not going to hire a full-time salaried Robin to his Batman or Cheech to his Chong. We’re going to help Eric by exploiting IT automation and managed services to handle many of the monotonous tasks making Eric hate his job right now.

Let’s help Eric…..

  • Focus Primarily on Cost-Cutting and Revenue Increasing Projects: First things first, Eric has to realize that he can’t do everything himself. Where are his skills best used? Whether it’s processes that help drive down costs or ones with the potential to raise revenue, evaluate the projects in the queue and rank them by what impacts the bottom line the most. Once that’s done, look at the day-to-day processes designed to keep things running securely and efficiently. What can be off-loaded from Eric? Determine which of those tasks can be automated either through the cloud or managed services.
  • Take to the Cloud: Some IT people fear the cloud spells the end to their job security. Meanwhile, the cloud can actually help them take on a more prominent contributing role in the company’s success. The cloud should be seen as another tool that further eliminates the mundane yet necessary daily drudgery from their workday. Those who work WITH the cloud will find that they have more available time to take on more meaningful cost cutting or revenue generating projects.

Use a Managed Service Provider: Using outsourced managed services not only alleviates much of Eric’s pressure and stress, but also boosts productivity and gives the company a much improved ROI (Return-on-Investment) on their technology investment. While technology has gotten easier for the end user, it has become more complex on the backend with the advent of virtualization, cloud computing, and advanced infrastructure. Using an MSP gives Eric access to a trusted advisor, a 24/7 help desk, remote monitoring and management tools, mobile device management tools, and much better disaster recovery and business continuity solutions. All without the overhead that comes with hiring more help for Eric. MSPs offer a consistency to not just your end-user but also your main IT guy who will certainly appreciate the help.

CLICK HERE for a network assessment.

4 Steps To Improve SMB Data And Network Security

/in , , , /by

 TO STAY SECURE – A GOOD DEFENSE IS THE BEST OFFENSE

SMBs must understand that the time has come to get serious with their security. Sadly, many small businesses have a false sense of security. In the McAfee/ Office Depot joint survey of 1000 SMBs, over 66% were confident in the security of their data and devices despite admitting to obvious flaws.

Cybercrime is only one cause of compromised data. There are 3 primary causes of breached security at businesses according to the June 2013 Symantec Global Cost of a Data Breach study. Only 37% are attributed to malicious attacks. The remaining 64% are human error and technology errors.56

Data breaches aren’t always about bad people doing bad things. Many are the result of good employees making mistakes or of technology failure. SMBs don’t necessarily need a large budget or dozens of employees to adequately protect sensitive data. A secure environment is possible even on a SMBs budget. Here are a few steps to improving data and network security.

STEP 1

KNOW ALL DEVICES CONNECTING TO YOUR NETWORK

Keep a frequently updated list of every device that connects to your network. This inventory is especially important given today’s BYOD (Bring-Your-Own-Device) workplace where employees can access your network through several different devices. Knowing what these devices are and ensuring they’re all configured properly will optimize network security.

All it takes is a regularly scheduled review to add or remove any devices and affirm that every endpoint is secure. Much of thisprocess can be inexpensively automated through a Mobile Device Monitoring (MDM) tool. A MDM tool will approve or quarantine any new device accessing the network, enforce encryption settings if sensitive information is stored on such a device, and remotely locate, lock, and wipe company data from lost or stolen devices.

STEP 2

EDUCATE & TRAIN EMPLOYEES

57Every employee should participate in regular general awareness security training. This will not only reduce security breaches directly tied to employee error or negligence but also train employees to be on the defense against cybercrime. Employees are critical to your security success and the prevention of data breaches. Hackers commonly break into networks by taking advantage of unknowing employees. Phishing attacks – legitimate looking emails specifically crafted to mislead recipients into clicking a malicious link where they’re asked to provide their username and password – are still successfully used by hackers to capture login credentials.

If a large company makes the news for a data breach tied to an infected email, be sure to share that news with employees with a warning. Come up with fun ways to teach employees how to identify spear-phishing email attempts and better secure their systems and devices.

It is also important to have a security policy written for employees that clearly identifies the best practices for internal and remote workers. For example, password security is critical and passwords should be frequently updated to a combination of numbers, lower case letters and special characters that cannot be easily guessed. Security policy training should be integrated into any new employee orientation. This policy should be updated periodically. More important than anything, this security policy must be enforced to be effective.

STEP 3

PERFORM AN AUDIT OF SENSITIVE BUSINESS INFORMATION

If you want to keep your most sensitive business information secure, it’s important to know exactly where it’s stored. A detailed quarterly audit is recommended.

STEP 4

USE CLOUD AND MANAGED SERVICE PROVIDERS

Overall, the cloud is likely a more secure data solution for small business. Any conception that the cloud isn’t safe is outdated. Most of 2013’s security breaches were the result of lost or stolen devices, printed documents falling into the wrong hands, and employee errors leading to unintended disclosures. It’s fair to speculate that many of these breaches wouldn’t have occurred had this information been stored in the cloud rather than computers, laptops, and vulnerable servers.

SMBs with limited budgets are actually enhancing their security by moving to the cloud. Since there is no way a SMB can match a large enterprise’s internal services, moving services like emails, backups, and collaborative file sharing to the cloud not only reduces total-cost-of-ownership, but gives access to top-level security to better defend against internal and external threats.

Meanwhile, a Managed Service Provider (MSP) can assume responsibility for security measures like the administering of complex security devices, technical controls like firewalls, patching, antivirus software updates, intrusion-detection and log analysis systems.

MSPs are also capable of generating a branded risk report for any potential client or business partner reviewing your security measures. This third party manual assessment of your network security can instill confidence in prospective business partners by proving to them that any possible security risks or vulnerabilities will be properly managed and addressed.

CLICK HERE for a free network assessment.

Top 3 Benefits of Network Security Services

/in , , , /by

If you’re running a business, you need to make sure that your network is secure – there’s no question about it.

Imagine. What would happen if a hacker infiltrated your network and accessed your critical data? You could lose that data or, even worse, you could lose your company!

Don’t leave your company vulnerable and risk losing everything you’ve worked so hard for. There are several ways your company can benefit from network security services – here are the top 3.

 

#1: Peace of Mind

It can be a challenge to safeguard your business from security threats since hackers are constantly devising new ways to steal data and wreak havoc on businesses.

So, what can you do about these security threats?

Luckily, you don’t have to face them alone. By taking advantage of network security services from Cognoscape, you can gain the peace of mind that you need. You’ll be able to sleep well at night knowing that your network is not at risk and your valuable company information is safe from harm.

 

#2: Productivity

When you aren’t dealing with security breaches and network security issues, you’ll be able to empower your employees to be more productive. You’ll also save your software and hardware from harm caused by security breaches.

Instead of dealing with downtime and the stress of losing critical data, you and your employees can focus on your job duties. That way, everyone can work as efficiently as possible instead of being unnecessarily disrupted.

 

#3: Compliance

Every company has certain regulations in place that are set to improve efficiency.

Here at Cognoscape, we understand that adhering to the security compliance regulations for your industry is not an option – it’s a necessity. You can trust that the security solutions you’ll receive from Cognoscape will meet all of the security compliance regulations necessary.

 

It’s easy to see how network security can lift a huge burden from your shoulders and improve your company processes. Contact Cognoscape today for a network security solution, and let’s work together to help your business succeed.

Is That Email A Phishing Scheme?

/in /by

49Research has revealed that over half of all users end up opening fraudulent emails and often even fall for them. Phishing is done with the aim of gathering personal information about you, generally related to your finances. The most common reason for the large number of people falling for fraudulent emails is that the phishing attempts are often so well-disguised that they escape the eyes of a busy email reader. Here are a few tips that help you identify whether that email really came from your bank or is another attempt at defrauding you…

1. They are asking for personal information – Remember, no bank or financial institution asks you to share your key personal information via email, or even phone. So, if you get an email where they ask for your ATM PIN or your e-banking password, something’s amiss.

2. The links seem to be fake – Phishing emails always contain links that you are asked to click on. You should verify if the links are genuine. Here are a few things to look for when doing that:

  • Spelling – Check for the misspellings in the URL. For example, if your bank’s web address is www.bankofamerica.com, a phishing scheme email could misspell it as www.bankofamarica.com or www.bankofamerica-verification.com
  • Disguised URLs – Sometimes, URLs can be disguised…meaning, while they look genuine, they ultimately redirect you to some fraudulent site. You can recognize the actual URL upon a mouseover, or by right clicking on the URL, and selecting the ‘copy hyperlink’ option and pasting the hyperlink on a notepad file. But, NEVER ever, paste the hyperlink directly into your web browser.
  • URLs with ‘@’ signs – If you find a URL that has an ‘@’ sign, steer clear of it even if it seems genuine. Browsers ignore URL information that precedes @ sign. That means, the URL www.bankofamerica.com@mysite.net will take you to mysite.net and not to any Bank of America page.

3. Other tell-tale signs – Apart from identifying fake URLs, there are other tell-tale signs that help you identify fraudulent emails. Some of these include:

  • Emails where the main message is in the form of an image, which, upon opening, takes you to the malicious URL.
  • Another sign is an attachment. Never open attachments from unknown sources as they may contain viruses that can harm your computer and network.
  • The message seems to urge you to do something immediately. Scammers often induce a sense of urgency in their emails and threaten you with consequences if you don’t respond. For example, threat of bank account closure if you don’t verify your ATM PIN or e-banking password.

4. Finally, get a good anti-virus/email protection program installed. It can help you by automatically directing spam and junk mail into spam folders and deactivating malicious attachments.

CLICK HERE for a free network assessment.