Data Security

Is your business as safe as you think it is? What you need to know to keep your company secure.

With the increase in cyber threats, coupled with the confusion and lack of knowledge about cybersecurity, how do you know if your company is secure?  How do you know if you’re doing the right things at the right time?  The whole topic of cybersecurity is overwhelming and there’s not anything “fun” about it. So, it’s easy to avoid, but at what real risk to the company?

Monsters!

Despite all the statistics that point to the fact that businesses without the proper security measures will likely suffer a cyberattack, cyber threats are still viewed as scary, but unlikely to occur. Most businesses still see a cyberattack as the monster under the bed, and cybersecurity as protection against the highly unrealistic possibility that there will ever actually be a monster under the bed. But unfortunately, these “monsters” are very real, and the number of attacks continues to escalate. It’s critical for businesses to have the correct security measures in place to keep the “monsters” from even getting in the front door.

One security solution does NOT fit all

Be cautious of cybersecurity providers who offer the same solution to every client. Every company is different, so expectations should be set based on many factors: size of the business, type of business, industry, etc. Also, no two businesses require the same IT solutions, support, software, or hardware. So, having tailored and specific IT security is crucial.

Is your business insecure?

If you’re reading this blog, then you’ve been warned! Now, what are you going to do about it? If you want to keep your business safe from cyber threats, knowing your risk level is a good first step to take before addressing each risk.

The following questionnaire addresses this by asking some basic questions that any business owner or management team should be able to answer.  While some of the topics are technical in nature, the questions are driven from a focus on the business itself.

Cybersecurity Preparedness Questionnaire

Answer each question below and tally your score. After completing the questionnaire, total your score to determine the level of risk for your company.

Yes: 0 points  No: 5 points  Unsure: 5 points

  1. Do you have a cybersecurity budget review annually?
  2. Do you have a written information security policy signed by every employee?
  3. Has your company reviewed its cybersecurity policies and procedures within the last year?
  4. Do you have a person designated as your security officer?
  5. Do you have a written incident response plan that is reviewed annually?
  6. Have you tested your incident response plan within the last 12 months?
  7. Do you know if you have any compliance or regulatory requirements?
  8. Have you defined the level of cybersecurity needs based on your business and compliance requirements?
  9. Have you provided security training to your employees in the past 12 months?
  10. Do you provide security training to employees on an annual basis?
  11. Can your employees identify sensitive information that could compromise the company if stolen?
  12. Do you know where your sensitive data is stored?
  13. Do you have cyber insurance that is reviewed annually?
  14. Are employees prevented from having administrative privileges on your network or computers?
  15. Does your company have an acceptable use policy?
  16. Does your company consistently enforce policies around the acceptable use of computers, email, and the internet?
  17. Do employees regularly update passwords on company-issued computers/devices?
  18. Do your employees lock their computers when away from their desk, even for a few minutes?
  19. Do all your computers have anti-virus software that is regularly updated?
  20. Does your company have data backups onsite and offsite verified at least once a year?

Low Risk: 0-10
Moderate Risk: 15-25
High Risk: 30-50
Escalated Risk: 55-100

What now?

Once you’ve identified your risk level, what now?  If you answered “unsure” to any of the questions, do the necessary research to confirm the answer.  Once you have a “Yes” or “No” answer for every question, you will have a better idea of your true exposure and can begin prioritizing which areas to address first to mitigate the risk.

Don’t put your head in the sand!

If you didn’t score a 10 or below, then getting to the green (low risk) range won’t happen overnight. It takes time and, most importantly, full commitment and buy-in from ownership and senior leadership. But, as I mentioned, cyber threats are not imaginary monsters. So, don’t pretend they don’t exist and hope that nothing bad will happen. At Fluid, we understand the process can be overwhelming. Even determining the priority of what to do first can be a challenge. Luckily, we have a team of experts dedicated to cybersecurity. So, please feel free to reach out to us for help. Don’t wait until it’s too late!

Happy #$%@ New Year’s!! My Money is Gone!

This scam is downright scary!

Time is of the essence on this blog, so I tried to find a title that will grab your attention. I hope it did. I don’t get overly dramatic in my blogs, but this one is warranted for how bad it is. I also try to use graphics to break things up a bit, but I didn’t want to spend more time trying to make things “artsy”.

If you’re going to read anything, please read this. It might just save you thousands of dollars.

A small business owner and close friend of mine, whom we’ll refer to as “Joe”, texted me on December 22nd (yes, right before Christmas), livid that he had been conned out of thousands of dollars by a very elaborate and well-executed scam. Now Joe is no dummy, and pulling one over on him is no small task, but the level of detail these scammers deployed was too much for even an astute businessman.

So what happened?

The target, Joe, uses Chase Bank for his business and personal finances, which becomes important later.  All the money in both his personal and business accounts was stolen within minutes! How?... Joe gave the hackers the information they needed to steal it.

The chain of events.

Joe received a call from Chase Bank’s “Fraud Department” stating there was suspicious activity on his account, and that transactions had been made in a foreign country. Joe then explained that he had recently been to Mexico on vacation – a common destination when you live in Texas.

Being a diligent and rightfully cautious person, Joe checked the number calling him and it matched the phone number on the back of his Chase credit card. The hook was set!!

The “Chase representative” stated that because there had been fraudulent attempts on his account, he needed to close both accounts, personal and business, and transfer the money to new, “safe” accounts. Then, the representative said he would text Joe a code for him to read back, which once again came from a legitimate number.  Two-factor authentication using codes texted to a mobile number is common practice, and no cause for alarm.  The representative then used this code to access both accounts and change the real password to one the hacker could then use.

In real time, the hacker used the common online payment app, Zelle, to clean out both personal and business accounts. It should also be noted that the scammer on the phone spoke excellent English and sounded legitimate, which is another well thought out tactic and different from the obvious “rich uncle” accents from Eastern Europe or other countries.

Worst nightmare!

Now being suspicious, Joe went into a Chase branch location and they verified that it was, in fact, NOT Chase. The real Chase representative mentioned this was the second time in a few days they had dealt with this same scam.  Panic now set in!

Pain and no gain.

While in the branch location, Joe had to immediately close all his accounts and open new ones, while simultaneously working with the bank’s fraud department to try and reverse the transfers to get his money back.

When the Chase fraud department did their initial forensics, they discovered the transfer was made using a relative’s name.  This means the hackers gained full access to the account information, including the list of approved people and accounts to transfer money to and from.  Because the hackers chose a relative as the person receiving the funds, Chase would not escalate until Joe could confirm and ‘prove’ funds were not transferred to the family member as a legitimate transfer. The hackers purposely chose a family member knowing it wouldn’t get escalated.

It’s important to note that the phone number showing on Joe’s caller ID matched the number on his Chase credit card.  At one point, Joe used the ‘call back’ feature on his phone to automatically dial the Chase number, which was directed back to the fraudsters (a tactic called number spoofing). The Chase fraud department advised Joe to always manually dial the number and not use the automatic call back feature on your mobile phone, to ensure that you’re calling the correct number. In addition to closing his accounts and opening new accounts, Joe also had to identify and contact the numerous legitimate personal and business vendors and payers he works with to update them with his new account information.  More pain.

At the time of this blog, the success of reversing the scam is unknown. The bank stated it would take up to 30 days to determine if Joe would get the money back. To add insult to injury, Joe is also now locked out of online banking for 60 days.

This is one of the most elaborate and well thought out cons I’ve ever seen, requiring multiple people who know exactly how people use banking, and more importantly, people who know exactly how banks and their fraud departments work.  They were always one step ahead of the victim and I’m certain there are more to come!  So be diligent, be doubtful, beware.

Recession Obsession

If you’ve been alive 10 years, you’ve been through a recession – the Great Recession actually.  If you’ve been alive 20 years, you’ve been through two recessions.  30 years on the planet will give you…you guessed it, three recessions.  Although recessions do seem to be cyclical, they don’t always happen every 10 years. Over the last 50 years, there have been 7 recessions.

Gas Lines and Baby Food Jars

The ramifications of a recession also change over time. Being 53 years old, I recall my grandparents saving every coffee can, baby food jar, and plastic container to repurpose and use for storing things throughout the house.  As products of the Great Depression, they were raised to literally save everything.  I can also distinctly recall having to wait in long lines for gas during the recession in the 1970’s.  My father and I would park the car in line at the gas station and go to the nearby strip mall to kill time for two hours while we waited for the line to move.

Although not a recession, I recall Black Monday in 1987 when the stock market dropped over 22%.  I was working at a financial planning firm at the time and that was not a good day, and not just because it was Monday.

Dot Bomb Bubble Burst

In the early 2000’s, the dot com bubble burst, and turned into the dot “bomb”.  It seemed like anyone with a web-based idea was given millions of dollars in funding without having to show any profits (a scenario which still occurs today).  eToys.com, Webvan.com, Pets.com, and many more were all wiped out almost overnight.

Most recently, we can all recall, if not relate, to the Great Recession that occurred in 2007-2009 when the housing bubble burst due to the subprime mortgage crisis.  The term “government bailout” became a major thorn, and the nemesis for many household brands.  Many are still recovering from this economic meltdown. However, the prosperity over the past 10 years has dulled some of the sting.

But, some are now warning us that the great run we have enjoyed may be slowing down, and we’re potentially headed for a recession.  Search Google for “Recession 2019” and you’ll find blue-chip names discussing the very likely possibility that a recession is looming.

Before it's too late!

I have owned a technology company, Fluid IT Services, for the past 17 years, and we felt the impact of the 2007 recession – but in an interesting way.  We provide IT solutions and support for small to mid-sized businesses, and the cost of our services is typically less than the cost of one full-time employee. Although we lost the clients who unfortunately went out of business, we gained new clients who needed to cut costs and couldn’t afford full-time IT staff.

We certainly had to cut costs ourselves and manage everything more tightly, but we were okay because our risks were spread sufficiently, and we provide a service that is “recession friendly”.  We continued to grow as the economy improved, but always with a keen eye on our market segment and the economy as a whole.

As the economic signs, signals, metrics, statistics, etc. started showing a downturn, we’ve used it as an opportunity to get our business in order.  It’s much easier to evaluate all your people, processes and technology-related costs, and make sure that your business is operating as efficiently as possible, before things go south.

Every company has and uses technology (IT) constantly. Most companies today wouldn’t be able to function without IT.  But, when times are good, costs related to IT (and other business functions) may not be closely monitored because sales and revenue can cure many ills.  However, it’s best to ensure your IT house is in order before the times get tough and budgets get tight.

Start by asking questions

An analysis of your current IT spend at a detailed level may be as exciting as watching paint dry, but it’s crucial when dollars tighten. IT cost analysis can also be difficult. Even knowing which items to include when analyzing your IT spend can be confusing. I’ve found that it’s easiest to start by asking questions…

  1. What are my costs for internet, phones, software subscriptions, IT support, computers, etc.?
  2. What hardware needs to be replaced soon? How much will it cost to replace?
  3. What costs can be reduced or eliminated?
  4. What costs are a bare minimum to keep the lights on?
  5. When was the last time I evaluated all my contracts related to technology and what are the terms? Being locked into an expensive 5-year contract at the beginning of a downturn is no fun.

Good news...

We can help! At Fluid, we help companies analyze their IT costs almost daily. So, we already know where most of the IT costs are found, where the skeletons are buried, what is reasonable, and what is outrageous.  As a provider of outsourced IT services for small to medium businesses, we have to know these costs because we’re responsible for managing them in order to be a good steward with our clients’ hard-earned money spent on IT.

We also take it one step further by using a more proactive and strategic approach to IT. We will hope for the best, but also help you plan for the worst by discussing current and future business needs, goals and “what if” scenarios. Once we have this information, we can provide guidance on ways to cut IT costs and suggest solutions that will generate revenue and specifically align with each client’s business plan.

Don’t be afraid to say you don’t know and bring in experts to help you understand your costs.  It will reap rewards now and help you sleep better when economic conditions do change.  Feel free to call Fluid IT, we love this stuff!  Our main objective is to help people with their businesses and see IT in action!

Ho, Ho, Ho No! I've been hacked!!

With the holidays upon us, it's not only the kids getting excited.  Hackers also love the holidays, and the gift of giving takes on a whole new meaning.  Increasing malicious activity during the holiday spending spree is no coincidence.  Don't be a victim!  Take some tips from this blog post by IBM SecurityIntelligence to be more diligent: Hacky Holidays?

Cybersecurity - "You can't handle the truth!"

I’m a guy who likes sports and movies, and my wife tells me that I’m constantly quoting sports analogies and movie tag lines. Guilty as charged.  So, why do I do that???  Because I can quickly state a movie quote or sports reference to explain a situation to someone, without having to spend an hour doing so. If I tell someone “you just fumbled”, knowing this person likes or understands American football, he or she will immediately know they made a mistake.  Notice how I stated ‘American football’ lest I confuse it with the round ball version and defeat the very purpose of my analogy.

The problem is, if I use my linguistic mojo on people who don’t follow sports or movies (yes, those people do exist), I not only don’t get my point across, I confuse them.  Many times, I get that tilt-of-the-head puppy look and then a nod, never asking me to clarify what I meant.  It’s surprising how many people never ask the question – I don’t understand, what do you mean?

This can be very frustrating and even a cause for escalating arguments and disagreement later.

To clarify, here’s an example of a recent conversation when discussing a company project…

Me: “We’re at the one-yard line!  It’s time to punch it across the goal line!”
Colleague: “Got it!  You can count on me!”

A week later…

Me: “So that project was completed, right?”
Colleague: “No, I’m still working on it.  I need to add some more detail.”
Me: “What!  I thought I told you and we agreed this needed to be done asap!? Like yesterday.”
Colleague: “Oh, I’m sorry.  You didn’t tell me it was urgent.”
Me: “I did tell you it was urgent.  Remember ‘the one-yard line’, ‘the goal line’?”
Colleague: “Yeah I kind of recall something like that.”
Me: “Then why didn’t you get it done??”
Colleague: “Why are you yelling at me?  I have no idea what you meant.”
Me: “Why didn’t you ask?”

And the downward spiral continues.  The frustration level for everyone is extreme.  Worse yet, the project was not completed, and the company suffers.

I see this same scenario over and over again as it relates to technology and business – especially with cybersecurity.

Get serious about cybersecurity

Articles are published every day stating how businesses aren’t taking cybersecurity seriously enough, only to be completely ignored.

I constantly come across articles that give real statistics showing how businesses think they are secure, yet they have recently been breached or compromised!  How is that possible?  Why do businesses, led by extremely smart people, continue to ignore the very real threat that cybersecurity breaches and hackers can easily compromise their business’ livelihood?  Why do they continue to have incidents, and not learn from them?

Some studies show that many business owners rely on their insurance policy to save them instead of protecting their assets proactively.  I believe some of that is true, but I believe the real issue is a complete disconnect in communication.

The danger of miscommunication

There is a very real and dangerous disconnect in communication between business and IT!

I read an article recently that was trying to get businesses to understand the importance of cybersecurity and the importance of communication between IT and business.  Here is how the article begins…

Digital transformation is happening rapidly in every industry. As companies move toward software-defined infrastructures (SDI) connected to powerful cloud ecosystems, they can tap into the near-real-time intelligence from the data gathered from every edge of their business, helping to drive faster business decisions and changing the way they serve their customers.

Rapid transformation, however, without a solid plan, can produce cybersecurity vulnerabilities. As infrastructures go virtual, security models need to shift. To avoid serious risks and security management issues, companies need to identify challenges, strategize, collaborate, pilot, test, and evangelize. *

Did you have to read it twice?  Did you understand even part of it?  What exactly is ‘every edge of their business’?

“Trust me, Greg, when you start having little Fockers running around, you'll feel the need for this type of security.” Meet the Parents, 2000

Yes, I did it, I used a movie line from the great film “Meet the Parents” to make my point.  If you haven’t seen the movie, you have no clue what I’m talking about.  Business leaders have not seen the cybersecurity movie!!  They don’t understand a word coming out of your mouth (another movie reference).

Don’t allow technology to get lost in translation

In all seriousness, business leaders have not taken the time and do not have the time to learn all the parlance of cybersecurity.  Yet, we keep pummeling them to death with cyber techno-speak.

The reality is, both business and technology leaders have a responsibility to their companies, their employees, and themselves to learn enough about each other to make the conversation relevant.  I can keep showing business owners all the statistics. But, most of them still don’t properly plan or budget for cybersecurity, and most will only do so after they’re hit with ransomware or have a breach.  But what is ransomware?  What is a breach?  What do they look like? What is the actual cost to the business now and in the future?

This is not a one-sided issue. IT professionals also need to learn how to translate technology jargon into terms that business owners can understand.

The same case can be made for IT experts making an effort to understand the language of business and understand the impact they are having.  When business owners and leadership speak in terms of EBITDA, CAPEX, OPEX, Life Time Value, Gross Margins, Net Margins, Cash Management, etc., they are speaking a language immediately understood within the group, but many times foreign to the IT group.

At some point, business owners, leadership, and even board members must work with IT experts to start taking cybersecurity more seriously.  Both parties must be willing to have an open dialog where each is not afraid to ask questions, educate and translate into terms each party can understand, to make better business decisions.

If you want to have a discussion regarding your business and how the cybersecurity landscape impacts your company now and in the future in a language you can understand, contact us! We will be happy to advise and educate you in this increasingly complex space.

May the force be with you!

* AT&T Cybersecurity Insights Vol 7

Are You Prepared for a Cyberwar?

We make it our business to protect yours. Former white hat hacker Joshua Petty will be presenting the unexpected sources of security threats and how to defend yourself. In light of the recent global ransomware attacks, this information could prove invaluable. We think you should be there.

Fortinet is the largest security appliance vendor, and when partnered with Fluid IT Services you know that your information is protected. The topics over lunch will cover simple ways to harden your infrastructure, how to manage your security with minimal effort, and arming your staff to become more security conscious.

Space is limited, so register today to secure your place at the table. We look forward to your participation.

Tuesday, June 6, 2017 @12pm

Maggiano's Little Italy 6001 West Park Blvd.

What you can expect:
  • Security insights from the experts
  • Fine Italian dining
  • GOPRO giveaway with all the accessories to get you started

Security Breaches: The Kiss of Death for Small Business

For romantics, a kiss signifies love, affection, or respect. Unless you receive the kiss of death, which signifies that your days are numbered. For small business, a cyber-security breach is the dreaded kiss of death. Here are some stats that’ll start your heart, from recent studies by Property Casualty 360 and Small Business Trends:

- 62% of cyber-attacks are focused on small to medium businesses
- Only 14% of these businesses rate their ability to mitigate an attack as highly effective
- Average cost of a breach for a small business, including damage or theft of assets and disruption of normal operations, is slightly over $1.8M
- 60% of small companies will go out of business within six months after an attack

While it may be surprising that 60% of SMBs attacked will be out of business, once you understand the typical cost of a successful attack, it’s far less surprising.

So do small business owners just give up in the face of these threats? Nah, that’s not the way entrepreneurs roll. Most small businesses can outsource the mitigation of this risk for less than $1K per month, offloading both the risk and the time that it takes to manage a security solution. For a small business, this can be the difference between life or death, much like an insurance policy.

In the world today, it’s no longer a matter of IF your company will be hit by a cyber-attack, it is a matter of WHEN. The question that you should ask yourself is, “Do I have almost 2 million dollars to handle it retroactively, or does it make more sense to spend $1,000 per month to proactively protect my livelihood and my customers?”

For a frank discussion on cyber-security and ways to mitigate these risks, reach out to Fluid. We can help.

Don't let bureaucracy slow down your cyber security program

Businesses don’t have the time, budget or skills to adequately cover and mitigate all the very real security risks that could take them out of business at any time.  Nor do companies want to hire full time staff just to manage security. In a new global report from the Center for Strategic and International Studies along with Intel Security, the importance of senior leadership supporting cyber security implementation is made crystal clear. Here's a great summary of the report from Help Net Security: Attackers thrive in a fluid market, while bureaucracy constrains defenders.

Fluid handles this by providing a comprehensive layered approach to security for the entire organization, creating a security fabric to cover it all – Security-as-a-Service.

It’s not a matter of if but when you will have a security incident.  Be prepared.  Be proactive. Be responsive.  Be responsible.  If you would like to learn more about Fluid’s Security-as-a-Service offering, please contact us.

IT Security Framework for Accounting Firms

The AICPA released two sets of criteria for public comment this week (Sept 2016) regarding cyber security. Both focus on different elements, but the common theme is the AICPA trying to develop a common framework for audit firms to evaluate the cyber security of their clients (risks and compliance). While this will prove to be very helpful, it got us thinking at Fluid: Do CPA firms themselves have a framework for their own security? Are CPA firms adequately protected from data breaches of their clients’ financial information? Are accounting firms prepared to react to and recover from a malicious threat that may cause data loss or temporarily impact the productivity of the team?

Data security is a pressing issue for CPA firms given the rising level of attacks and the sensitive financial data accountants work with. A few data points –

  • Over ½ a billion personal records were stolen in 2015
  • Phishing campaigns targeting employees rose 55% in 2015
  • Ransomware increased by 35% in 2015 (362K reported cases)
  • 1 in 220 emails sent contain malware (431M new malware variants found)

While developing your own cyber security framework may seem daunting given the rapidly shifting threats, the task at hand can be greatly simplified if you break it down into its component parts (and work with professionals). At Fluid, we support our clients in 4 primary areas that each firm must address to have a comprehensive security plan.

1) Compliance Management:

Does your firm understand all levels of compliance required given the data your firm interacts with? This can range from data retention compliance standards to data-center configuration standards. Great compliance management often starts with proper documentation, but relies on staff training and monthly monitoring to ensure and validate compliance.

2) Perimeter Management:

Think of your IT perimeter like the physical perimeter of a secure building. Are all entries and exits secured and guarded? Firewalls, cloud services, and email are major vulnerability points that should be managed and monitored for security purposes. BYOD and the proliferation of mobile devices have extended this perimeter, but these additional problems have solutions if they are approached systematically.

3) Vulnerability Monitoring and Threat Response:

You may know your weaknesses today, but that will change tomorrow; you need to monitor for attacks and have an active response if any attacks are detected. Much of this can be automated, but some expert oversight can make sure you don’t have any unintended gaps.

4) Cloud Backup and Disaster Recovery:

Even the best-run IT Departments may run into an occasional problem, ranging from accidental data loss to a malicious breach. We’ve found from our experience with clients that having a robust, offsite backup in a secure cloud environment can minimize the impact of most problems and greatly improve recovery times.

Whether you know it or not, your firm has ongoing IT activities in each of these 4 areas, which require ongoing focus and continual improvement – security is never ‘one and done’.

If you want to review your security practices, give us a call. We can help.

DNC That Coming! Email Security for Your Business

I was sitting down to write a blog on security, focused on some of the latest data published regarding how IT security impacts small to medium businesses and before I could begin I was lobbed a softball by the Democratic National Convention – a leak (breach) of Democratic Party emails last weekend allegedly conducted, or at least backed, by Russia.

So what happened?

“On Sunday, Hillary Clinton’s campaign manager, Robby Mook, accused Russia of working through hackers to access 19,000 emails at the Democratic National Committee that were dumped into the public domain last Friday by WikiLeaks. The emails showed DNC staffers working to help Clinton’s campaign during her primary fight against Bernie Sanders, despite the DNC’s publicly neutral stance,”*

Why is it important?

We’re an IT Services and IT Security Company, so we’ll try to leave politics aside for this blog. In that spirit, what can we learn from an IT perspective from the leak?

Email isn’t just communication, it’s valuable personal and corporate data

Sometimes we separate email from other corporate data, but that’s a mistake. In a typical company email system, hackers could potentially find information on corporate strategy, personally identifying information, financial information, IT system passwords, and other information that could help in further attacks through phishing, etc. Our email isn’t just communication, it’s data that needs to be protected.

While these hackers weren’t looking for credit card numbers in the DNC email, they did learn (and expose) a lot of information about strategy, tactics, and plans that were certainly not intended for the public. In the 19,000 emails, how much personally identifiable information (PII, in security speak) was present? If PII was present within those thousands of emails, there could be a need for risk mitigation and damage control, not to mention the potential for lawsuits and other fines.

Not all email is secure, use encrypted email for sensitive information

Many people still “trust” email as a secure communication method and willingly share private information such as credit card numbers, social security numbers, and healthcare information, to name a few. In the hands of the wrong people, that can be very dangerous and costly for many people. Email is not secure by default and must be encrypted prior to sending to have proper security for sharing any private information. If you’ve ever received an email from your doctor or financial institution that sends you to a website to log in to read your message, that is a secure, encrypted email.

 

Security experts are giving you plenty of warning. The time to listen is now.

Security experts have been beating the drum for a while now – cyber attacks are growing at an alarming rate and frequently the target is shifting to small businesses. Another troubling aspect of this breach is that “Federal investigators tried to warn the Democratic National Committee about a potential intrusion in their computer network months before the party moved to try to fix the problem, U.S. officials briefed on the probe tell CNN.” If true, and the FBI warned the DNC and they did not act, it creates a massive problem for the DNC leadership and their credibility. Action in fact was swift as the DNC Chairwoman, Debbie Wasserman Schultz, announced her resignation on Sunday. Further evidence showed “The DNC brought in consultants from the private security firm CrowdStrike in April. And by the time suspected Russian hackers were kicked out of the DNC network in June, the hackers had been inside for about a year.”**

A year! That is a long time to be gathering data and suggests more is likely to be leaked. In fact, WikiLeaks founder Julian Assange virtually has already stated as much. All those emails, all that data is still out on the public domain where anyone with access to the internet can see them.

Federal investigators may not be calling you with warnings about your small business, but security experts have been beating the drum for a while now: cyber attacks are growing at an alarming rate, and the targets are increasingly small businesses. It’s time to listen to the experts and take basic steps to protect your company.

 

Borders don’t protect your company in cyber attacks

It’s being reported that these attacks came from Russia. Borders can’t protect us from the rest of the world when it comes to cyber attacks, and when the attacker is abroad, prosecution and restitution for damages are unlikely. As an example, once funds are extorted to a foreign country through ransomware, consider them gone with no recourse.

For your business, the foreign nature of attacks is alarming because of the lack of accountability and prosecution. For the DNC breach, the motivation and ability to influence our country’s political process is even more alarming.

It’s been stated that the intent was to expose DNC members that used email to sway people to one candidate over the other, something that is fundamentally against the DNC charter. Was this done just to embarrass the DNC, or was it a wider sweeping intent to impact our actual Presidential election process in November? If it was in fact Russia, did they do this to make the DNC look unscrupulous in hopes of swaying voters to the other Party? The repercussions are HUGE, potentially impacting the outcome of who will be our next President!

Protect yourself!

Some simple steps could have avoided this disaster or at least mitigated it. Just a few things to consider as you run your business –

  1. Robust IT security monitoring and management to proactively detect malicious attacks
  2. Defined governance process and procedures to define what is and is not acceptable
  3. Employee training programs on what to look for, what to NOT put in email
  4. A defined Security Response Procedure to act quickly and decidedly if attacked
  5. Take any warnings seriously and address them now

If you can’t check each one of these off your list, call us and we’ll make sure you can. And don’t be surprised when a new wave of hacked emails is made public.

 

*https://www.yahoo.com/news/chris-van-hollen-russian-dnc-000000889.html

**http://www.cnn.com/2016/07/25/politics/democratic-convention-dnc-emails-russia/index.html

5 Data Security Tips for Accounting Firms

From working hand-in-hand with our CPA firm, accounting services, and bookkeeping clients over the years, we know a thing or two about data security and how best to protect your firm from data losses or data breaches. In today’s world, accounting firms must do everything they can to protect their clients’ sensitive financial information. We’ve pulled together a few best practices for you to keep in mind.

1) Assess your current data protection and security levels

If you never measure your security performance, you never know if your network and data are secure or not.  That is, until you learn from a breach or malicious virus that you had poor security after all.  We recommend an outside firm provide an annual security assessment and review.  You may not have the time or budget to implement all suggestions, but at least you will know your weaknesses and you can develop a plan to improve over time.

 

2) Physical security, Information Systems Policies

Your network can be bulletproof to hackers and your data encrypted, but if your team isn’t trained or your office isn’t physically secure, your data is still at risk.

  • Ensure the physical security of your office with card keys, visitor logs and badges, and proper locks on doors leading to all critical infrastructure.
  • Use cable locks to ensure laptops, desktops, tablets, and any other critical devices are locked to desks.
  • Policies for each employee
    • Clean desk (no sensitive information left on desks, whiteboards or print stations)
    • Password policies that define the proper construction and maintenance of passwords
    • Acceptable use for utilizing company data and technical assets
    • Mobile device policies to help employees understand the risks associated with mobile devices
  • Keep users informed and accountable
    • Training classes are a great vehicle for delivering written policies and procedures
    • A regular (monthly, or even weekly) information security newsletter can help remind users of the importance of information security, as well as provide updates on the latest trends and threats.

 

3) Secure technology solutions

This is the sweet spot.  We feel you need to start from the outside and work toward each user device to implement proper security.

  • Are your cloud vendors PCI compliant? PCI DSS is a solid standard that can generally be trusted, but ask what scope their attestation covers: it is written for cardholder data, so a vendor’s PCI status does not automatically mean the service you use, or the financial data you store in it, is covered.
  • Follow best practices when setting up office infrastructure
    • Place a business grade firewall at the front of the network that is supported and continually updated
    • Ensure WiFi networks use strong passwords and encryption protocols. Keep guest networks separate from internal networks.
    • A business-grade Anti-virus solution for all PCs
    • Email filtering that blocks spam, phishing and malicious attachments before they reach the inbox
  • Do you know what compliance regulations your business or your customer’s business requires you to have?

 

4) Automated backup and disaster recovery

What if you are hacked or a malicious virus infects your system? If major financial institutions or Fortune 500 companies have some vulnerability, you probably will too (even if you follow some of these tips).

Can you recreate lost data or data held hostage by a malicious virus? Do you conduct a periodic test of your data backups to confirm their validity? Do you have multiple layers of backup: local, offsite, and at least one copy that is offline or otherwise unreachable from your network, so that a virus which encrypts your files can’t encrypt your backups too?

A good, up-to-date backup or disaster recovery solution can be your “get out of jail (almost) free” card if you run into a problem.

 

5) Address your BYOD policy and its security implications

The use of personal devices on a company network to handle client data is always one of your largest security concerns.  If you allow company data on personal devices, there are some steps you can take to limit the security vulnerabilities this may cause.  Here are a couple of ideas:

  • Have a policy in place that states when it is acceptable to use personal devices for work purposes. If it is acceptable, provide guidelines to help employees understand the risks of using personal devices for business purposes.
  • Have a mobile device management (MDM) solution deployed to help manage all company data on personal devices.

 

The cost of proper security, if done proactively, will generally be much cheaper than the cost of a data breach or work stoppage from an IT problem.  Your firm can work on some of the solutions on your own.  A proactive IT partner like Fluid IT Services can help you with the rest.  Give us a call and we’ll help you out!

Why the Management Team Is Your First Line of Defense Against Data Security Threats – Part 3

What would your managers do if hackers attacked your business? What would they do if your system got a virus? Or an employee’s computer caught some nasty malware? An incident response plan is critical for your business’s information security. And your management team has a great responsibility in creating and triggering that plan.

Your Incident Response Plan

A clear-cut, well-rehearsed incident response plan can be the difference between hours of downtime and days of downtime.

When everyone knows their role and the actions required of them during an incident, your team can work together to get the company back on track.

Step 1: Identify the team

Who is responsible for responding to information security incidents? “Your IT team” is not an acceptable answer.

Gather individual IT staff names and contact information, and detail each person’s responsibilities. Also note contact information for service providers and appropriate law enforcement.

Many incident response decisions are business-driven and not technical, so also include the names, contact info and responsibilities of the appropriate business-management personnel. If, for example, the business experiences a ransomware (“Crypto virus”) attack, the business leaders (guided by the IT team) will ultimately decide whether to pay the ransom or restore the data from backups, keeping in mind that paying does not guarantee the data comes back. Know who your decision-makers are and include them in your incident response plan.

Step 2: Create your documentation

Create three levels of documentation.

  1. A high-level document that outlines the policies
  2. A detailed document that covers the implementation of the incident response plan
  3. A technical document that the IT team can use as a guideline. This includes quick-response guides for common scenarios

All three of these sets of documents should include the team contact information from Step 1.

Step 3: Define the triggers

When will the incident response plan be triggered?

  • When a network intrusion is detected?
  • When a system is acting strangely?
  • When an employee suspects their computer might have malware?

Define potential risks, threats and points of failure here. Then ensure your managers share this information with every employee!

Stress Testing

Once your backup solution is in place, ensure it is tested regularly. Backups are useless if they are not usable.

Run simulations to develop and maintain “muscle memory.” This will also help keep data security at the top of everyone’s mind.

Is Your Company Prepared?

Your managers and your IT team need to work together to make sure your whole company is as secure as possible. If you have any concerns at all about your data security, don’t hesitate to contact us here at Fluid IT Services.

Why the Management Team Is Your First Line of Defense Against Data Security Threats – Part 2

In part 1 of this series, I talked about how managers should work with the IT team to set up strong anti-virus solutions for your offices. And in my recent post about hacker-proofing your businesses, I outlined how employees play critical roles in information security.

But here’s an important point, and something that – once again – managers must be responsible for:

Employees must be taught how to defend the business against hackers.

Cultivating a Security-Minded Culture

Information security starts at the top. For any security solution to succeed, it needs to have the support of those in leadership positions.

First, gather your management team and your IT staff and create an information security governance plan. Write detailed policies and procedures that not only keep the environment clean and operational, but also serve as a point of reference should employees have questions. This will also help hold staff accountable.

Second, empower your management team to create training programs for employees. An organization that teaches its staff what they can do to prevent a compromise will be less susceptible to hackers and loss of data.

Information Security Training Basics

Your IT team should not be the only people focused on protecting your company’s data. Managers should learn and then teach the following basic protocols:

  • Do not access personal email within a production environment
  • Do not open email attachments from unknown or untrusted senders
  • Avoid installing unauthorized software in the production environment. If in doubt, talk to management and/or IT personnel
  • Be suspicious of others asking for sensitive information

For more detailed information on these topics, read our Hacker-Proofing series: Dangerous Applications and Content, and Social Engineering.

Open Up the Lines of Communication

Make sure your managers have open lines of communication with IT and with employees.

According to Verizon’s Data Breach Investigations Report, more than 80% of hacking-related breaches involve weak, default or stolen passwords. A Wi-Fi network with no password, or a weak one, is one of the most basic examples. Securing it may seem like the most basic thing your IT team can do to protect your network, and your management team probably feels the same, but basics get missed. Encourage your managers to question things when it comes to your information security! It’s better safe than sorry.

Other things managers may want to get a handle on:

  • Data encryption. Is sensitive employee and client data — such as social security numbers and credit card accounts — encrypted?
  • Physical security. Are the offices protected by security alarms or motion detectors? Is hardware locked down?
  • Data storage. How much customer data is your business actually storing? How often is it purged?

What to Do When You’ve Been Hacked

If you think your company data has been compromised, or your system has a virus or malware, contact your IT team immediately.

Part 3 of this series will go into detail about an incident response plan.

Why the Management Team Is Your First Line of Defense Against Data Security Threats – Part 1

Computer viruses and malware can be devastating for businesses. Recent Crypto virus (ransomware) attacks left businesses down for days, and cost them in both downtime and ransom money.

And we’ve all seen the news reports about businesses that lost confidential customer data to hackers.

Keeping your company’s data out of the hands of hackers is a cat-and-mouse game. New viruses and malware are created continuously.

Your management team is the first line of defense.

Define Your Defense

Though the IT department and each employee have responsibilities when it comes to defending your business against hackers, a defense solution is still necessary.

Empower your managers to work with your IT staff to create a definitive solution to viruses and malware.

This solution should include a service that can monitor for threats in real time. This will enable you to catch malicious data before it enters your production environment.

Remember, though, that just because you have an anti-virus program installed doesn’t mean that you’re protected against other forms of malware. Some programs only scan for viruses, and malware can sneak through. Have your IT team review your anti-virus system thoroughly and determine if you need a more robust program to protect your business.

Keep your anti-virus/anti-malware programs up to date. These programs are only as good as their current definitions. Communicate to your managers that they must drive this point home with employees. Delaying updates can be as easy as clicking a button on the screen – so assert the importance of updates and make sure management cascades the information.

Beyond Anti-Virus Software

It’s not enough to just cover the obvious entry points of your business’s network. There are multiple points of entry for malicious agents — so ensure your organization is protected node to node.

This includes a good firewall that receives regular updates. A basic firewall only controls which connections are allowed in and out; to also scan traffic for malware before it enters your office environment, you need a business-grade firewall (often sold as a UTM or next-generation firewall) with that feature enabled and its signatures kept current.

A good firewall will help keep hackers from getting access to your system in the first place. It will monitor your network traffic and prevent hackers from compromising business systems.

Once again, this is a place where managers and IT staff should work together to determine exactly what firewalls are needed for the office. Managers will have a much better idea of overall day-to-day business operations – and thus possible vulnerabilities – than either the IT department or individual employees.

Managers: Defenders of Data

Your management team is your first line of defense when it comes to protecting your business’s data. Ensure they have an open dialogue with your IT team so your information security remains tight.

Don’t have an IT team that really knows your business and is comfortable working with your management team? Let’s talk!

Hacker-Proof Your Business: Social Engineering

Never heard of social engineering? Well, the hacker trying to get at your business’s data sure has. TechTarget defines social engineering as:

A non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.

As I pointed out in part 1 of our Hacker-Proof series, hackers are actually pretty smart. They not only know how to code, but they know how to trick users into falling for scams.

But hackers don’t always use technology to break into your system. Sometimes they simply use conversation.

Hazards in Your Inbox

Be wary of emails from unknown senders, especially those that ask probing questions about your organization or someone’s role within the company.

Some scammers will pose as a vendor trying to glean information. The details they gather are the pieces they need to break into your system, or to make a later attack more convincing. These people are usually very good at what they do. Their conversation will be polite and seemingly legitimate.

Your personal email isn’t off-limits to this type of behavior, either. Recruiters are notorious for blowing up our inboxes these days, and social engineers know this! It doesn’t take a genius to impersonate a recruiter – and remember, hackers are smart.

Though this is usually called phishing rather than social engineering (phishing is really social engineering done by email), it’s worth noting here because too many people still fall for it: the fake “your password needs to be reset” email. Beware of these emails from scam artists!

I got this email the other day that looks VERY official, and if I wasn’t paying attention I might even click on it.

[Screenshot of the email: “card security procedures”]

But there were a few things that tipped me off right away.

  1. There is an unexpected attachment. Always a red flag!
  2. It asks me to download and save the attachment. Major red flag!
  3. It tells me to open the attachment. Opening it is what would run the malware.

I hovered over the “from” address and it showed the sender as Americanexpress@aecom.com. I knew “aecom” was probably not an AmEx address, and a Yahoo search confirmed it. The display name on an email can say anything; the actual address, and especially its domain, is what to check.

[Screenshot of the Yahoo search result for aecom.com]

Dangers Lurk Outside Your Inbox, Too

Social engineering isn’t limited to emails. Hackers also use social media, phone calls and even in-person visits to your company site, whichever channel lets them pull you into a conversation most easily.

Some examples we’ve seen are false on-site technicians, fake LinkedIn and Facebook groups, and phone calls from bogus financial institutions.

How to Protect Yourself

The first thing you can do to protect yourself from a social engineering hack is to be skeptical. Never give out confidential information – or even seemingly non-confidential company information – without verifying the identity of the requestor first.

The second thing you can do is to be aware of common tricks. For example, no legitimate financial institution will call you out of the blue and ask for your full social security number or a system password. If someone you don’t know asks you for that information, it’s a red flag: hang up and call back on the number printed on your card or statement.

I am going to assume that you’re using strong passwords on all your systems, and you’re updating them frequently. (Ahem.) If you feel like you might have been the victim of a social engineering hack, change your passwords. Then let your IT staff know about the situation immediately so they can minimize the damage.

Don’t have an IT team that can come to the rescue in the case of an information security threat? Let’s talk!

Hacker-Proof Your Business: Dangerous Apps and Content

The best offense is a good defense – but good judgement is your best friend when it comes to your information security. Many businesses feel like information security rests solely in the hands of their IT team. And while knowledgeable IT staff are important to hacker-proofing your business, your own employees play critical roles as well.

Here are two things you and your employees can do to keep your business safe from hackers.

Avoid Unauthorized Applications

Often businesses end up with computer viruses and malware because they installed them. Sad, but true.

Hackers are – in general – pretty smart. Malicious, but smart. They can trick people who might never fall for a scam offline. The best hackers know more than code. They also know what makes Internet users tick, and they can create scams that the smartest users fall for.

When it comes to apps, if it’s not needed for you to do your job, don’t download it. It’s not worth the risk.

Even if you’ve installed that application before, be careful. Hackers often create bogus versions of popular software and repackage it to include malicious code. Make absolutely sure the source you’re downloading the (business-critical!) app from is the real deal.

You put yourself and your business at risk when you download from unauthorized or unofficial sources, or peer-to-peer networks.

When in doubt, consult with your IT staff.

This applies to add-ons, plugins and extensions as well.

Beware of Browsing to Questionable Websites

Make smart choices about the websites you visit. Browsing to questionable website is another easy way to compromise your system.

Aside from being against the code of conduct for many companies, sites that advertise adult content or free downloads of any type are often dangerous to your data security. They frequently contain misleading links that install harmful software.

The site doesn’t have to have adult content to be a security risk. Many seemingly harmless websites host malicious code. Some sites even start downloads just by being visited (a “drive-by download”), with no user input or clicks required.

Rule of thumb: If it looks odd, it’s best to leave it alone.

When in doubt, you can look up a web address’s domain with a WHOIS search; a popular site for this is DNSstuff.com. WHOIS won’t tell you a site is safe, but it does show when the domain was registered and by whom, and a domain registered last week that borrows a well-known company’s name is a strong warning sign. Also read the address carefully: the part that matters is the registered domain just before the first slash, not whatever familiar name appears elsewhere in the link.
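The same check applies to the Americanexpress@aecom.com sender in the Social Engineering post above and to the links discussed here: does the domain that actually sent the mail, or that the link actually lands on, belong to the brand the message claims to be? This Python example is added here and is not code from the original posts. The allow-list of brand domains is an assumption for the example (a real one would be built from the vendors you deal with), and the function names are my own. It does not cover a forged From: domain; that is what SPF, DKIM and DMARC on your mail gateway are for.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed allow-list for the example: brand keyword -> domains that brand really
# uses. Illustrative only, not a complete list of any company's domains.
TRUSTED_DOMAINS = {
    "americanexpress": {"americanexpress.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host: str) -> str:
    """The last two labels of a host name, e.g. 'mail.aecom.com' -> 'aecom.com'.
    Simplification: two-part public suffixes such as .co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brands_mentioned(text: str) -> set:
    """Brand keywords present once case, spaces and punctuation are stripped,
    so 'American Express', 'american-express' and 'AmericanExpress' all match."""
    flat = re.sub(r"[^a-z0-9]", "", text.lower())
    return {brand for brand in TRUSTED_DOMAINS if brand in flat}


def check_sender(from_header: str) -> list:
    """Warnings for a From: header whose display name or mailbox name claims a
    brand while the sending domain is not one that brand uses. The display name
    can say anything; only the domain is worth looking at."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return [f"unparseable address: {from_header!r}"]
    local, _, host = addr.rpartition("@")
    domain = registrable_domain(host)
    return [f"claims {brand} but sent from {domain}"
            for brand in sorted(brands_mentioned(name + " " + local))
            if domain not in TRUSTED_DOMAINS[brand]]


def check_url(url: str) -> list:
    """Warnings for a link that mentions a brand anywhere in the URL but actually
    lands on another registered domain, e.g. americanexpress.com.evil.net."""
    parts = urlsplit(url)
    domain = registrable_domain(parts.hostname or "")
    warnings = [f"link mentions {brand} but goes to {domain}"
                for brand in sorted(brands_mentioned(url))
                if domain not in TRUSTED_DOMAINS[brand]]
    if parts.scheme != "https":
        warnings.append("link is not HTTPS")
    return warnings


if __name__ == "__main__":
    print(check_sender("American Express <Americanexpress@aecom.com>"))
    print(check_url("https://www.americanexpress.com.verify-account.net/update"))
```

The second URL is the pattern to train people on: the familiar name is in the link, but the registered domain (the two labels just before the first slash) is verify-account.net, and that is where the browser goes.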

Your Internet browser matters in this equation, too. Make sure it is up to date to ensure it is using the latest technology to identify and filter out phishing sites.

Antivirus Software Will Only Protect You So Much

Common sense is your first line of defense against hackers. But everyone makes mistakes.

If any software begins to install itself, close it out immediately. Then run a security software scan and alert your IT department pronto.

It is critical that you ensure your antivirus software is always up to date. Many infections happen because people don’t allow their antivirus programs to apply updates.

Forward this post on to your teammates so everyone can get on the same page when it comes to apps and web content.

Don’t have an IT team that can come to the rescue in the case of an information security threat? Let’s talk!