In our last blog we started talking about the different layers of security necessary to fully defend your data and business integrity. Today we will look at the human aspect of it, and network defenses. The human layer refers to the activities that your employees perform. 95% of security incidents involve human error. Ashley Schwartau of The Security Awareness Company says the two biggest mistakes a company can make are “assuming their employees know internal security policies” and “assuming their employees care enough to follow policy”.
Here are some ways hackers exploit human foibles:
guessing or brute-force solving passwords
tricking employees into opening compromised emails or visiting compromised websites
tricking employees into divulging sensitive information
For the human layer, you need to:
enforce mandatory password changes every 30 to 60 days, or after you lose an employee
train your employees on best practices every 6 months
provide incentives for security conscious behavior
distribute sensitive information on a need to know basis
require two or more individuals to sign off on any transfers of funds
watch for suspicious behavior
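The first item in the list of human-layer exploits above, password guessing, is one of the few that leaves a clear trace in server logs: a single source failing to log in over and over, often against several different accounts. The script below is an added example, not part of the original post, that shows what "watch for suspicious behavior" can look like in practice. The log lines are constructed (they loosely mimic OpenSSH's "Failed password" messages and use documentation IP addresses), and the five-failures-per-minute threshold is an assumption to be tuned for your own environment.

```python
"""Detect password-guessing (brute-force) attempts in authentication logs.

Added example for this page; not from the original post or its author.
The log lines below are constructed and loosely mimic OpenSSH's
"Failed password" messages; the threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one noisy source (203.0.113.5, a documentation
# address) guesses several accounts within a minute; another fails once.
SAMPLE_LOG = """\
2024-05-01T09:00:01 host sshd[101]: Failed password for admin from 203.0.113.5 port 4210 ssh2
2024-05-01T09:00:04 host sshd[102]: Failed password for invalid user test from 203.0.113.5 port 4211 ssh2
2024-05-01T09:00:09 host sshd[103]: Failed password for root from 203.0.113.5 port 4212 ssh2
2024-05-01T09:00:15 host sshd[104]: Failed password for alice from 198.51.100.7 port 5001 ssh2
2024-05-01T09:00:20 host sshd[105]: Failed password for invalid user oracle from 203.0.113.5 port 4213 ssh2
2024-05-01T09:00:31 host sshd[106]: Failed password for bob from 203.0.113.5 port 4214 ssh2
2024-05-01T09:00:40 host sshd[107]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
2024-05-01T09:30:00 host sshd[108]: Failed password for alice from 198.51.100.7 port 5003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"]


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failures_in_window, distinct_users_tried)} for every
    source that reaches `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)      # src -> usernames that source has tried
    flagged = {}
    for ts, src, user in sorted(parse_failures(log_text)):
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = (len(q), len(users[src]))
    return flagged


if __name__ == "__main__":
    for src, (count, n_users) in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed logins in one minute, "
              f"{n_users} distinct accounts tried")
```

The distinct-accounts count is the useful second signal: a legitimate user who forgot a password fails repeatedly against one account, while a guessing attack usually cycles through many. Pair an alert like this with the lockout and password-rotation policies listed above.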
The network layer refers to software attacks delivered online. This is by far the most common vector for attacks, affecting 61% of businesses last year. There are many types of malware: some will spy on you, some will siphon off funds, some will lock away your files.
However, they are all transmitted in the same way:
spam emails or compromised sites
“drive by” downloads, etc.
To protect against malware:
Don’t use business devices on an unsecured network.
Don’t allow foreign devices to access your wifi network.
Use firewalls to protect your network
Make sure your WiFi network is encrypted.
Use antivirus software and keep it updated. Although it is not the be-all and end-all of security, it will protect you from the most common viruses and help you to notice irregularities.
Use programs that detect suspicious software behavior
The mobile layer refers to the mobile devices used by you and your employees. Security consciousness for mobile devices often lags behind consciousness about security on other platforms, which is why there are 11.6 million infected devices at any given moment.
There are several common vectors for compromising mobile devices.
To protect your mobile devices you can:
use secure passwords
use reputable security apps
enable remote wipe options
Just as each line of defense would have been useless without an HQ to move forces to where they were needed most, an IT defense-in-depth policy needs to have a single person able to monitor each layer for suspicious activity and respond accordingly.
In the 1930s, France built a trench network called the Maginot Line to rebuff any invasion. The philosophy was simple: if you map out all the places an enemy can attack, and lay down a lot of men and fortifications at those places, you can rebuff any attack. The problem is, you can’t map every possible avenue for attack.
What does this have to do with IT security? Today many business owners install an antivirus program as their Maginot Line and call it a day. However, there are many ways to get into a network that circumvent antivirus software.
Hackers are creating viruses faster than antivirus programs can recognise them (about 100,000 new virus types are released daily), and professional cybercriminals will often test their creations against all commercially available platforms before releasing them onto the net.
Even if you had a perfect antivirus program that could detect and stop every single threat, there are many attacks that circumvent antivirus programs entirely. For example, if a hacker can get an employee to click on a compromised email or website, or “brute force guess” a weak password, all the antivirus software in the world won’t help you.
There are several vulnerabilities a hacker can target: the physical layer, the human layer, the network layer, and the mobile layer. You need a defense plan that will allow you to quickly notice and respond to breaches at each level.
The physical layer refers to the computers and devices that you have in your office. This is the easiest layer to defend, but is exploited surprisingly often.
Here are a few examples:
Last year 60% of California businesses reported a stolen smartphone and 43% reported losing a tablet with sensitive information.
The breaches perpetrated by Chelsea Manning and Edward Snowden occurred because they were able to access devices with sensitive information.
For example, CompTIA left 200 USB devices in front of various public spaces across the country to see if people would pick up a strange device and insert it into their work or personal computers. 17% fell for it.
For the physical layer, you need to:
keep all computers and devices under the supervision of an employee or locked away at all times
only let authorized employees use your devices
do not plug in any unknown USB devices
destroy obsolete hard drives before throwing them out
Next time in Part II, we will talk about the human and network layers of security.
There are some things that only people can fix. There are many security risks to which your data is susceptible, but there is one method that remains a wonderfully effective hacking tool. That is the phishing scam. This is a legitimate-looking email that asks the reader to click on a link. If clicked, the link can infect the user’s computer with malicious software that can steal passwords, logins, and other critical data. Alternatively, the email appears to be from a legitimate source, perhaps even duplicating a legitimate webpage. The distinction is that the phishing email asks the user to enter personal information, including passcodes. In either case, that is how hackers easily get into your systems.
What’s the best defense against this one? The single biggest defense is education: training your people to be constantly wary of all the emails they receive. One way some firms are educating their people is by sending out their own “fake” phishing scams. Employees who click on the link inside are greeted with a notice that they’ve fallen for a phishing scam and are then offered tips on how not to be fooled in the future. Think of it as the hi-tech version of Punk’d.
You may not be ready to go that far, but it is important to provide ongoing training to all of your staff about phishing scams. Your staff are all critical factors in your data security plans.
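Training teaches people the tells of a phishing email; two of those tells can also be checked automatically before the message ever reaches an inbox. The post describes a link that looks legitimate but leads elsewhere, and a sender that impersonates a legitimate source. The script below is an added example, not code from the original post, that checks an inbound message for exactly those two indicators: anchor text that names one domain while the href points to another, and a From display name that claims a brand whose domain the sender address does not use. The sample message, the `examplebank.com` brand and the "trusted domains" list are all constructed for the example; the registered-domain helper is deliberately naive (last two DNS labels) and would need a public-suffix list for real use.

```python
"""Flag two phishing indicators in an inbound email:
  1. a From display name that claims a trusted brand while the sender's
     domain is something else, and
  2. a link whose visible text names one domain while the href goes to another.

Added example for this page; not code from the original post. The message,
the brand and the trusted-domain list are constructed. The heuristics are
illustrative, not a complete phishing filter.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}   # assumed: domains the company really uses

# Constructed sample phish: the link text says examplebank.com, but the href
# leads to a lookalike host on a completely different registered domain.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examplebank-verify.net>
To: alice@smallfirm.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been locked. Please sign in at
<a href="http://examplebank.com.login-check.net/verify">https://www.examplebank.com/login</a>
to restore access.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registered domain: the last two DNS labels (fine for .com/.net samples)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_email(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicator 1: display name mentions a trusted brand, sender domain is not that brand.
    name, addr = parseaddr(msg["From"])
    sender_domain = registered_domain(addr.split("@")[-1])
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower() and sender_domain != trusted:
            findings.append(f"display name '{name}' but sender domain is {sender_domain}")

    # Indicator 2: the text the reader sees names a different domain than the href.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        href_domain = registered_domain(urlparse(href).hostname or "")
        if text.startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            text_domain = registered_domain(urlparse(shown).hostname or "")
            if text_domain != href_domain:
                findings.append(f"link text shows {text_domain} but goes to {href_domain}")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("INDICATOR:", finding)
```

Neither check proves a message is malicious on its own; a mail gateway would combine them with SPF/DKIM results and a reputation lookup. They are, however, the same two things the training described above asks employees to look for, so a hit is a good moment to quarantine the message and reuse it as a teaching example.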
This cyberattack scheme hasn’t garnered nearly as much attention as the usual “break-in-and-steal-data-to-sell-on-the-Internet” version, but it can be even more debilitating. Ransomware attacks have begun appearing in the last few years and its practitioners are so polished that in a few cases they even have mini call centers to handle your payments and questions.
So what is ransomware? Ransomware stops you from using your PC, files or programs. The business model is as old as the earliest kidnapping. They hold your data, software, or entire PC hostage until you pay them a ransom to get it back. What happens is that you suddenly have no access to a program or file and a screen appears announcing your files are encrypted and that you need to pay (usually in bitcoins) to regain access. There may even be a Doomsday-style clock counting down the time you have to pay or lose everything.
Interestingly, one of the more common “market segments” being targeted in the US has been public safety. Police department data is held hostage, and in many cases, they have given up and paid the ransom. They had little choice. They aren’t the only ones. A hospital in Southern California also fell prey, as did one in Texas.
Ransomware can be especially insidious because backups may not offer complete protection against these criminals. Such new schemes illustrate why you need to have a professional security service that can keep you up to date on the latest criminal activities in the cyber world. Talk to an MSP about possible protections against ransomware.
You hear on the news all of the time about big cyber attacks on large corporations, and even government agencies. The trouble with this news coverage is that it suggests a distorted view of where cyber attacks are taking place. These attacks are not solely hitting large organizations. Small firms represent a significant portion of those who face cyber attacks. Being small by no means keeps you immune. In fact, small firms can be used as conduits to larger organizations. That is likely what happened in the case of Target Corporation in 2013.
If you’re a small business, then you’re a target for cyber criminals. Last year, 71% of small to medium size businesses were the victims of cyber attacks.
Today’s concern is how you would respond to an attack. 31% of small to medium businesses do not have a plan of action for responding to IT security breaches, and 22% admit that they lack the expertise to make such a plan. A data breach is disastrous.
Your response determines whether it’s a survivable disaster. You need to have a statement for customers ready (47 states require businesses to disclose data breaches), you need to be able to quickly access backups, and you need access to professionals with experience in disaster recovery and business continuity.
Hearing “all of your confidential information is extremely vulnerable, we know this because…” is bad news, but whatever follows the ellipsis determines just how bad. Consider two scenarios.
“All of your confidential information is extremely vulnerable… we know this because a hacker took all of your customers’ credit card info and locked all of your files behind ransomware.”
“All of your confidential information is extremely vulnerable… we know this because we did a vulnerability scan of your network, and have some suggestions on how you can improve.” 61% of small businesses are victimized by cyber attacks each year, and one in five victims do not survive. It is financially worthwhile to make sure that you end up being the person hearing the latter sentence.
Scenario 2 describes the statement after you have had a vulnerability test conducted. A vulnerability test is a comprehensive audit of security flaws that a hacker could exploit, and the possible consequences. This is the equivalent of a doctor giving a physical examination. This information will allow you to know what your risks are and plan your security policies accordingly.
Vulnerability tests can be done by in-house IT or outside consultants. They should be done quarterly, or whenever you are incorporating new equipment into your IT network.
What is a pen-test: A pen-test is a simulated attack on a network to test the strength of its security. Usually, the pen-tester will have a specific objective (e.g. “compromise this piece of data…”). A vulnerability scan tells you “what are my weaknesses?” and a pen-test tells you “how bad is a specific weakness?”
How often should you pen-test: Different Industries will have different government mandated requirements for pentesting. One of the more broad reaching regulations, the PCI DSS, for example, requires pen-testing on an annual basis. However, it is prudent to go beyond the legal minimum. You should also conduct a pen-test every time you have
Stay Secure My Friend… More Hackers Targeting SMBs
Many SMBs don’t realize it, but the path to some grand cybercrime score of a lifetime may go right through their backdoor. SMBs are commonly vendors, suppliers, or service providers who work with much larger enterprises. Unfortunately, they may be unaware that this makes them a prime target for hackers. Worse yet, this may be costing them new business.
Larger companies likely have their security game in check, making it difficult for hackers to crack their data. They have both the financial resources and staffing power to stay on top of security practices. But smaller firms continue to lag when it comes to security. In many cases, the gateway to accessing a large company’s info and data is through the smaller company working with them. Exposed vulnerabilities in security can lead cybercriminals right to the larger corporation they’ve been after.
Cybercriminals Target Companies with 250 or Fewer Employees
In 2012, Symantec research confirmed that cybercriminals are increasingly targeting smaller businesses with 250 or fewer employees. Attacks aimed at this demographic practically doubled from the previous year. This news has made larger enterprises particularly careful about whom they do business with. This means that any SMB targeting high-end B2B clientele, or those seeking partnerships with large public or government entities, must be prepared to accurately answer questions pertaining to security. This requires an honest assessment of the processes taken to limit security risks.
View Security Measures as Investments
CIOs must start viewing any extra investment to enhance security as a competitive differentiator in attracting new business. Adopting the kind of security measures that large enterprises seek from third-party partners they agree to work with will inevitably pay off. The payoff will come by way of new revenue-generating business contracts that will likely surpass whatever was spent to improve security.
Would-be business partners have likely already asked for specifics about protecting the integrity of their data. Some larger entities require that SMBs complete a questionnaire addressing their security concerns. This kind of documentation can be legally binding so it’s important that answers aren’t fudged just to land new business. If you can’t answer “yes” to any question about security, find out what it takes to address that particular security concern.
Where a Managed Service Provider Comes In
Anyone who isn’t yet working with a Managed Service Provider (MSP) should consider it. First, a manual network and security assessment offers a third-party perspective that will uncover any potential business-killing security risks. A good MSP will produce a branded risk report to help you gain the confidence of prospects to win new business.
An MSP can properly manage key elements of a small company’s security plan. This includes administrative controls like documentation, security awareness training, and audits as well as technical controls like antivirus software, firewalls, patches, and intrusion prevention. Good management alone can eliminate most security vulnerabilities and improve security.
Cloud Monitoring Can Be the Difference Maker for SMBs
It’s a fast-paced world. Not only do people want things, they want things right now. This sometimes-unnerving need for instant satisfaction has only intensified now that we have Wi-Fi and mobile devices that keep us connected regardless of where we are, what we’re doing, or the time of day. There is no longer any tolerance whatsoever for waiting. A business with a website that fails to load, or loads too slowly, will lose customers and leads to competitors.
So what has your business done to address this need for constant accessibility and optimal uptime? Do you feel you’re doing enough to meet the demands and expectations of your customers, new business prospects and those who have just now found you on Google?
If you’re a small-to-medium sized business owner, do you have confidence in your technology infrastructure? Can you say with certainty that your website, internal server, and mobile applications function smoothly, efficiently, and correctly?
When your IT team leaves work to go live their lives, are you confident that things won’t go bump in the night? That you won’t be ringing their cell phone while they’re out having dinner with their family, or worse yet, sleeping?
If you answer no to these questions, you may be one of the many small business owners who could benefit from cloud monitoring. And you’ll be pleased to learn that cloud monitoring can significantly improve all facets of your business – especially your service, productivity, reputation, and profitability.
What is the Cloud?
According to a study conducted by Wakefield Research, 54% of those questioned responded that they’ve never used cloud technology. However, the truth is that they’re in the cloud everyday when they bank or shop online and send or receive email.
Business owners, specifically non-tech-savvy small business decision makers, are still apprehensive when it comes to moving their server and web monitoring services to the cloud. But FDR’s famous quote, “The only thing we have to fear is fear itself,” definitely applies here. The cloud is nothing more than moving the storage and access of your data and programs from a computer’s physical hard drive to the web. There is nothing to fear.
Benefits of Cloud Monitoring
Obviously, these physical and virtual servers, their shared resources, and the applications they run on, must be monitored. This can be done from multiple remote locations and it’s called cloud monitoring.
Cloud monitoring makes it easier to identify previously unseen patterns and potential problems within your infrastructure–issues that may be too difficult for any in-house support staff to detect. For instance, monitoring ensures that your site is delivering accurate page content and is meeting anticipated download speeds. It can detect unapproved changes, website tampering, and compromised data.
The continuous analyzing and testing of your network, website, and mobile applications can reduce downtime by as much as 80%. The speed and functionality of e-commerce transactions are also optimized. Additionally, cloud monitoring tests your email server at regular intervals, which minimizes failure deliveries and other issues pertaining to sending and receiving emails.
Clearly, all of the above, along with the alerts that help identify and fix issues before they become catastrophes, make cloud monitoring an attractive way to gain insight into how end-users experience your site, while also enhancing their overall experience.
Why Hybrid Clouds are More Than Just Another Trend
It should come as no surprise that many small to midsize business owners take pride in overseeing every aspect of their startup business. Naturally, many are apprehensive when it comes to surrendering control of their servers, their data, and their applications.
The downside of this need for control is that operating and maintaining everything onsite can be time consuming, super expensive, and it can make your business more vulnerable to failure related downtime and cyber threats.
Although everything can be stored in the cloud at a fraction of the cost, many aren’t responsive to the idea of sharing the infrastructure their technology runs on.
The great thing about the cloud is it’s not an all or nothing thing. This is exactly why so many small to midsize businesses have turned to hybrid cloud solutions. Just as the name implies, hybrid cloud solutions are both on and off premises. It’s the best of both worlds. An entrepreneur can still control certain aspects of the business on-site, but simultaneously exploit the cloud’s cost effectiveness and overall scalability.
For example, a local server like Windows Server 2012 can be housed and managed on-site but that server, or just specific files, can still be backed up in the cloud with Microsoft Windows Azure and stored far away off-site. This provides a partial disaster recovery solution in the event of a hurricane, flood, fire, or just a basic server crash.
Here are some tips for developing your hybrid cloud strategy:
Honestly assess the current IT strategy – Over time, as your business grows and technology advances, your well-planned and neatly arranged IT infrastructure transforms into a disorganized mishmash of different servers and disconnected software and tools. View this almost as the spring-cleaning of a cluttered garage. What systems or applications are critical to your business right now and which ones no longer support your current or future business initiatives?
Know what you want to keep close – Every business will be different in this regard. Certain companies will prefer keeping large files in-house, in a more controlled private cloud, for easy access but may be okay with having their emails out there in the cloud or vice versa.
See how others are leveraging a hybrid cloud environment – New services once only available to large enterprises are now available to SMBs. This presents an extraordinary opportunity to be more agile, flexible, and better suited for new business opportunities and growth. Remote monitoring, 24/7 support, and disaster recovery solutions can be easily integrated within a hybrid-computing environment – regardless of operating systems, server types, or mobile devices used.
Staged implementation – Be sure to plan your hybrid cloud strategy as a multi-year plan that is deployed in phases. For example, in the beginning, private controlled access to a public cloud service can be granted to internal application developers experimenting with a new business initiative. Or a new customer relations management SaaS (Software as a Service) application can be implemented.
This is the year that even small or midsize enterprises are getting serious about cloud operations and a strategic mix of public cloud services and private cloud may make the transition easier.
Why More SMBs are Turning to the Cloud to Reduce TCO
More small and mid-size businesses (SMBs) seem to be taking the initiative to learn more about the benefits of the cloud. Determining why SMBs have this sudden keen interest in the cloud isn’t all that tricky.
If you shouted, “Cost Savings!” in a room full of SMBs, you’d undoubtedly be the center of attention. And it seems as if this is also the motivating factor as to why more SMBs are looking into cloud-based solutions to reduce expenditures.
Although it seems like an oxymoron to recommend investing in new technology to control costs, cloud-based solutions can be leveraged for a greater return on already inevitable operational expenses. By enhancing productivity and overall efficiency, the cloud could help spur business growth and profitability.
Here are a few of the reasons more SMBs are opening up to cloud-based solutions…
Containing Costs – This is the big one. Every SMB wants their business to grow but that growth is accompanied by rising costs to maintain safe, reliable, and sustainable business technology.
On-premise solutions are expensive. If you’re paying someone $60K a year to manage and monitor your technology, and most of their day is spent performing routine maintenance tasks or running to the aid of the intern who complains that something is running slow, are you really getting a return on that investment? You can do better and your on-site IT support can do more for you.
The cost of cloud-based solutions has been found to be anywhere from 35% to 50% lower than with on-premise solutions. This is because the cloud can completely eliminate most infrastructure costs such as servers, databases, backup, operating systems, upgrades, migration, physical space, power and cooling, and associated in-house or third party staffing costs.
Greater Flexibility – No doubt you’ve been privy to an office Happy Hour conversation or two about Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS). Is that crickets we hear? Okay, well since you’re in the dark, the flexibility of the cloud makes it really attractive to SMBs. IaaS and PaaS are two increasingly popular cloud technologies because of their flexibility when it comes to big data analysis.
IaaS technology is flexible as it allows an as needed rapid deployment of resources. Basically, fast expansion to accommodate growth. SMBs can pay accordingly for this on-demand usage, giving them the ability to access and analyze the kind of big data seen at larger enterprises without having to pay for necessary hardware capacity.
PaaS technology gives SMBs the ability to affordably increase or decrease data storage capacity as needed.
Of course, there must be a need for big data analysis that justifies the use of these technologies. Many SMBs may be just fine using Microsoft Excel for data analysis.
Greater Mobility – Many SMBs are turning to the cloud to provide remote employees with access to communications solutions. Through the cloud, remote workers can use smartphones, laptops, and notebooks to access documents and files for internal and external collaboration.
As you can see, it’s understandable why the cloud is being seen by SMBs as the “great equalizer” to take their business to the next level and stay competitive with even the big dogs despite budget and staffing limitations. It also helps that cloud-monitoring services have simplified the monitoring and management of SMB cloud deployments, alleviating a lot of the fear about migrating to the cloud.