Why isn’t cybersecurity considered a top priority for a majority of small businesses?

A 2015 National Small Business Association survey revealed that cybersecurity doesn’t even rank among the top 5 most significant challenges. Yet small and medium-sized businesses (SMBs) represented 60% of all targeted cyber-attacks last year. And according to the National Cyber Security Alliance, 60% of small businesses close their doors permanently within 6 months of a data breach.


Maryland Cyber Day

October 5, 2016
The National Cybersecurity Center of Excellence
Rockville, MD
Presented by: CAMI, Startup MD, and the CRTC

With these industry partners: the National Cybersecurity Center of Excellence (NCCoE), MD Department of Commerce, and Montgomery County Economic Development Corporation

Maryland Cyber Day is an activity-filled day highlighting and celebrating Maryland’s cybersecurity innovators and connecting them with two vital tools for growth and success – investment capital and customers – from Maryland and beyond. Connect online and in-person with an audience that has been specifically curated to meet your business’ needs – companies and government entities that are on the look-out to purchase, partner with and/or acquire today’s most cutting-edge cybersecurity technologies.

Maryland Cyber Day will include the Pitch Across Maryland Bus Tour and our signature event – the Cyber Solutions Marketplace – and wrap up with CAMI’s Birthday Bash. Buy your ticket today, and don’t miss this opportunity for your company to be recognized as one of Maryland’s leading cybersecurity assets.

Register for Maryland Cyber Day Now!


CyberMaryland Conference

October 20-21, 2016
The Baltimore Hilton Hotel
Baltimore, MD

The CyberMaryland Conference is an annual two-day event designed to showcase Maryland’s leadership in the cybersecurity industry, provide sharing and networking opportunities within the cybersecurity community, and facilitate the development of cyber assets. This year’s theme is “Leading the Cyber Generation,” and the event will include the CyberMaryland Conference, an induction ceremony into the National Cyber Security Hall of Fame, the Maryland Cyber Job Fair, and the Cyber Maryland Industry Showcase.

Register for the CyberMaryland Conference Now!

 

Why use it –

Do you use computers in your organization to work with, process and store sensitive data that if stolen or disclosed could potentially result in damages to an employee, client, student or patient?

If the computers your organization uses have the ability to store information locally including sensitive information, installing disk encryption designed to protect and safeguard that information is a good business practice.

In some cases it is potentially required by State or Federal laws and may be necessary to meet certain industry standards. Listed below are some examples.

Social security numbers, student transcripts, financial aid information and individuals’ health records are protected under federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA). HIPAA does not mandate encryption outright; it is an “addressable implementation specification” in the Security Rule, which means a covered entity must either implement it or document why it is not reasonable and appropriate and put an equivalent alternative safeguard in place. In practice, leaving devices that hold protected health information unencrypted is very hard to justify. State privacy laws and institutional policies may impose more stringent requirements than FERPA.

The financial industry has data-safeguard requirements, notably the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and FFIEC examination guidance, under which encrypting customer information at rest is an expected control.

Cardholder/credit card data must be handled and secured in accordance with the Payment Card Industry Data Security Standard (PCI DSS). Note that PCI DSS accepts full disk encryption as a way of rendering stored card numbers unreadable only when the disk-encryption credential is separate from the operating system logon and the decryption keys are managed independently of user accounts.

Who should use it –

If your organization is a financial institution or your organization’s computers are used to work with health care data, student transcripts, financial aid information or cardholder/credit card data and this information can be saved locally, you should seriously consider assessing your risks and possible liabilities to determine if encrypting your data is a prudent or necessary safeguard.

To give you a simple example: if protected health information is saved on the unencrypted hard drive of a laptop that is lost or stolen, that is a breach of unsecured PHI under the HIPAA Breach Notification Rule. You must notify the affected individuals and the Department of Health and Human Services, and the media as well if more than 500 residents of a state are affected. You may also be subject to fines and penalties, mitigation remedies and required corrective actions. If the laptop’s drive was protected with full disk encryption consistent with HHS guidance, and the passphrase or key was not lost along with it, the data is not considered “unsecured” and the loss is not a reportable breach. One caveat: the protection only holds if the device was powered off or hibernated, with the volume locked, when it went missing. A laptop left in sleep with the volume unlocked still holds the key in memory, and full disk encryption does nothing for data once the operating system is up and the volume is open.

Ultimately it is up to your organization’s management, their assessment of risk and due diligence review of the laws and regulations under which your organization operates on whether or not the data and information your organization’s computers access and work with should be encrypted. In most cases it is best to err on the side of caution and use full disk encryption to safeguard data and information.

Options for implementing encryption –

There are a number of tools available in the marketplace that implement disk encryption, and they vary in features and security. A proper assessment of your risks and applicable laws and regulations will help you determine the most appropriate solution.

Disk encryption solutions fall into two categories: software-based, where the operating system or a driver encrypts data before it reaches the disk, and hardware-based, where the storage device itself encrypts everything written to it. Drives that do the latter are called self-encrypting drives (SEDs).

Examples of software-based encryption products include BitLocker (Microsoft, built into Windows), Endpoint Full Disk Encryption (Check Point), Endpoint Encryption (Symantec) and VeraCrypt (open source, from IDRIX). There are many software solutions on the market, so a due diligence review of your needs and each product’s capabilities is a necessity.

SEDs are available from many hard drive vendors including Seagate Technology, Hitachi, Western Digital and Toshiba, and from solid-state drive vendors such as OCZ, SanDisk, Samsung and Micron. SEDs have two advantages over a software-based solution. First, since the encryption is done inside the storage device, there is little to no impact on the performance of your computer or your applications. Second, the media encryption key never leaves the drive, so malware on the operating system cannot read it out of memory. Two caveats apply. Once the drive has been unlocked at boot it returns plaintext to the operating system like any other disk, so an SED, exactly like software encryption, protects data on a lost or powered-off device, not data on a running, compromised one. And the strength of an SED rests entirely on the vendor’s firmware, which you cannot inspect; prefer drives that implement the TCG Opal standard or carry FIPS 140-2 validation, and where the operating system supports it (BitLocker does) manage the drive through the OS so that unlock and recovery follow the same policy as your software-encrypted machines.
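Whichever product is chosen, the control only counts if every machine actually has it turned on, has finished encrypting, is bound to the TPM and has a recovery key you can get to. The following PowerShell script is an added example, not code from the original post, and assumes the BitLocker cmdlets that ship with Windows 8 / Server 2012 and later; the cipher and key-protector policy it checks against are assumptions to adapt to your own risk assessment.

```powershell
# Added example (not from the original post): audit BitLocker on the local machine.
# Assumes Windows 8 / Server 2012 or later (BitLocker PowerShell module) and an
# elevated session. The baseline below (XTS-AES or AES-256, TPM-bound OS volume,
# recovery password present) is an assumption; align it with your own policy.

function Test-BitLockerBaseline {
    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        $mp    = $vol.MountPoint
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # Encryption must be finished, not "EncryptionInProgress" or "FullyDecrypted".
        if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
            $findings += "$mp : VolumeStatus=$($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        }
        # ProtectionStatus 'Off' means the volume key is exposed in the clear
        # (protection suspended, e.g. for a firmware update, or no protectors at all).
        if ("$($vol.ProtectionStatus)" -ne 'On') {
            $findings += "$mp : ProtectionStatus=$($vol.ProtectionStatus); the volume is encrypted but NOT protected"
        }
        # 'Hardware' means a self-encrypting drive managed by BitLocker (eDrive).
        if ("$($vol.EncryptionMethod)" -notmatch '^(XtsAes|Aes256|Hardware)') {
            $findings += "$mp : EncryptionMethod=$($vol.EncryptionMethod) is legacy or none; prefer XTS-AES"
        }
        # A recovery password is the only way back in if the TPM or PIN fails.
        if ($types -notcontains 'RecoveryPassword') {
            $findings += "$mp : no RecoveryPassword protector; create one and escrow it"
        }
        # The OS volume should be bound to the TPM (ideally TPM+PIN), not a bare password.
        if ("$($vol.VolumeType)" -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) {
            $findings += "$mp : OS volume is not TPM-bound (protectors: $($types -join ','))"
        }
    }
    return $findings
}

$issues = Test-BitLockerBaseline
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'All volumes meet the BitLocker baseline.'
}

# Typical remediation, to be run deliberately rather than blindly:
#   Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector
#   Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
#   # Escrow the recovery password to Active Directory (requires the matching GPO):
#   $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#         Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' }
#   Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId
```

Run it from an elevated prompt on each machine, or through whatever management tooling you already push scripts with. The ProtectionStatus check is the one people miss: BitLocker reports Off when protection has been suspended, and a volume in that state is fully encrypted yet readable by anyone who boots it.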

If you would like some guidance or assistance with assessing your needs or disk encryption options please contact us.

Many people and businesses think their systems and information are protected, but are they really?

In today’s connected environment you need to routinely assess the security risks to your network systems, computers, users and the information stored on your systems to ensure you have sufficient safeguards in place.

Let’s discuss some of the basic safeguards your business should have in place to protect your technology resources, users and information.


Firewalls

Firewalls protect your network systems and computers by monitoring and controlling inbound and outbound traffic according to predefined rules. They come in a variety of forms (appliances, software built into the operating system, cloud services) and with different capabilities. Some firewalls provide content/internet filtering to restrict or control the content a user is authorized to access. The rules configured on a firewall reflect business operating requirements and the business’ view of acceptable content; the sound default is to block all inbound traffic and then allow only the specific services, from the specific source addresses, that the business actually needs. Since intrusion and attack methods are constantly changing, you need to routinely review the rule set (rules added for a one-off project tend to outlive the project), keep the firmware and software current, and log blocked traffic so that an incident can be reconstructed afterwards. Failure to regularly review and update this first line of defense could expose your technology resources, users and information to attack or intruders and lead to a security incident that damages your business and its reputation.
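One way to turn “routinely review your firewall settings” into a repeatable check, using the Windows Firewall cmdlets on a server or workstation. This is an added example, not code from the original post; it assumes Windows 8 / Server 2012 or later and an elevated session, and the list of risky ports is an assumption for the example that you should tune to the services your business actually exposes.

```powershell
# Added example (not from the original post): periodic review of the Windows
# Firewall on a server or workstation. Assumes Windows 8 / Server 2012 or later
# (NetSecurity module) and an elevated session. The port list is an assumption.

$RiskyPorts = @{ 135 = 'RPC'; 139 = 'NetBIOS'; 445 = 'SMB'; 1433 = 'SQL Server';
                 3389 = 'RDP'; 5900 = 'VNC'; 5985 = 'WinRM'; 5986 = 'WinRM/TLS' }

function Test-FirewallProfiles {
    # Every profile (Domain, Private, Public) should be on, default-deny inbound,
    # and logging drops so an incident can be reconstructed later.
    foreach ($p in Get-NetFirewallProfile) {
        if ("$($p.Enabled)" -ne 'True' -or "$($p.DefaultInboundAction)" -ne 'Block') {
            "Profile $($p.Name): Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
        }
        if ("$($p.LogBlocked)" -ne 'True') {
            "Profile $($p.Name): blocked packets are not logged; enable LogBlocked"
        }
    }
}

function Get-ExposedInboundRules {
    # Enabled inbound allow rules whose local port is in the risky list and whose
    # remote address is unrestricted ('Any'): these are the open doors.
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $pf = $rule | Get-NetFirewallPortFilter
        $af = $rule | Get-NetFirewallAddressFilter
        if (@($af.RemoteAddress) -notcontains 'Any') { continue }   # already scoped to a subnet
        foreach ($port in @($pf.LocalPort)) {
            # LocalPort may be 'Any', 'RPC', a range such as '5000-5100', or a number.
            if ($port -match '^\d+$' -and $RiskyPorts.ContainsKey([int]$port)) {
                [pscustomobject]@{
                    Rule     = $rule.DisplayName
                    Group    = $rule.DisplayGroup
                    Profiles = $rule.Profile
                    Protocol = $pf.Protocol
                    Port     = [int]$port
                    Service  = $RiskyPorts[[int]$port]
                }
            }
        }
    }
}

Test-FirewallProfiles | ForEach-Object { Write-Warning $_ }
Get-ExposedInboundRules | Sort-Object Port | Format-Table -AutoSize

# Remediation example: scope the built-in Remote Desktop rules to a management
# subnet instead of 'Any' (the subnet is an assumption for this example):
#   Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
#       Set-NetFirewallRule -RemoteAddress 192.168.10.0/24
```

Anything the second function prints is a rule that lets any address on the network reach a service attackers routinely scan for; each one should have a documented business reason and a source-address restriction, or be disabled.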

Anti-virus software

Anti-virus software, sometimes known as anti-malware software, is software designed to prevent, detect and remove malicious software. Current products can protect computers from trojan horses, worms, adware, spyware, backdoors and browser hijackers, and more advanced products and third-party tools can detect and remediate ransomware, rootkits and malicious browser helper objects. Since malicious software and its delivery methods change daily, your anti-virus software needs its signatures and engine updated continuously, and you need to verify on every machine that this is actually happening rather than assume it: an endpoint whose updates silently stopped months ago looks exactly like a protected one until it isn’t. Failure to keep this line of defense current could disrupt business operations, impact users’ efficiency and productivity, and disclose sensitive information without your knowledge. Security incidents such as these are costly. Locked or deleted information can be difficult to restore or costly to reproduce, and the disclosure of sensitive information has ramifications ranging from the time and cost of analyzing how the disclosure happened and what was disclosed, to credit monitoring for anyone affected, to legal representation.

Security Patching

A security patch is a change applied to a technology asset, whether hardware or software, to remediate an identified vulnerability or security weakness. The patch is issued by the vendor to remove or mitigate the specific weakness and prevent its successful exploitation. Since vendors can release security patches at any time, and since attackers begin probing for a vulnerability as soon as it becomes public (and in earnest once a working exploit circulates), patches need to be tested and applied as soon as possible after release, with priority given to those rated critical or important on systems exposed to the internet or to untrusted users. Note also that software the vendor no longer supports receives no patches at all; unsupported systems should be retired or isolated.

Human factor

First and foremost, information technology security is everyone’s responsibility. This includes anyone that has access to your technology resources and information: not only employees, but contractors, vendors, consultants and cloud service providers. Your business should have a written acceptable use policy that clearly defines acceptable and unacceptable use of your technology resources. It should address areas like password requirements, prohibiting the installation of unauthorized software, accessing personal email, occasional personal use, locking or logging off a computer before leaving an area or leaving for the evening, accessing or using cloud storage services, etc. It should be routinely reviewed and updated no less than annually. The policy should be provided to and personally acknowledged by all users of your information technology resources. An enforcement and sanctions provision should be part of your policy so users are informed of the ramifications of non-compliance. All users should be routinely educated on the code of conduct they are to follow while using your business’ technology resources. There should be a designated point of contact for security-related questions and for the reporting of all security-related incidents, and all users should be educated on the process for reporting security incidents, however trivial an incident may appear.

The longer you wait to assess your information technology security position and address weaknesses, the more likely it is to become a problem.  If you would like some guidance or assistance with assessing your information technology security position, please contact us.

The Department of Homeland Security recently released an alert detailing a serious flaw in what was, at the time, the latest version of Symantec’s Endpoint Protection security suite, just a few short months after Symantec released that version.

Software is often released with security flaws that nobody knows about yet. These “holes” generally go unnoticed, even by the vendor, until a researcher or an attacker examines the code more closely and discovers a vulnerability that can be exploited. At that point the vendor releases a “patch” or a version upgrade that fixes the issue, and on it goes with patches and upgrades. It is a never-ending process, but being vigilant about applying updates is the single most effective routine control for good IT security.

The upgrade process does take constant attention and not just to your anti-virus / anti-malware software. There are updates to every day software and add-ons such as web browser components (Java, Flash), Microsoft Office, Adobe products and of course the very important Microsoft security updates for your operating system.

The constant barrage of updates and the endless ways that the Internet bad guys gain access to your systems and information makes it a very daunting task to keep everything up-to-date and secure.

You should invest in a strategy, or a complement of solutions, to lighten this burden and keep your systems safe:

Patch management system-This is a software system that has an administrative console installed on your network server. From this console, you can view and adjust settings on all of your network workstations. This patch management system is designed to monitor all of your computers for software updates, download the updates to a central repository and “push” them out to the computers on a regular basis. This ensures that all of your computers are up-to-date with security updates to all of your employees’ installed software and eliminates the need to constantly be in touch with each software vendor for their latest versions or patches.

Content filtering system– This type of system monitors your employees’ Internet access and can block sites that you deem inappropriate for office use and / or not conducive to productivity. The fewer places your employees can stray to on the Internet, the less likely they are to land on a website hosting malicious code or sign up to a site that delivers problematic spam email.

Spam filtering system– Whether delivered as software, hardware or a hosted service, filtering out phishing emails and messages carrying malicious attachments or links is very important to the health of your systems. Email, and phishing in particular, is the most common way that viruses and malware reach your employees’ computers.

Business-class Internet firewall– The importance of this piece of hardware cannot be overstated. Many clients opt for a less costly retail model and rarely apply updates to it. A business-class unit receives more attention from its manufacturer than a unit from a local tech store, including regular security updates that address newly found flaws in the device itself, and many higher-end units can also perform some of the services mentioned above, such as content or spam filtering. Whatever the class, a firewall whose firmware is never updated is itself an Internet-facing device with known vulnerabilities.
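The patch-management and anti-virus sections above both come down to one question per machine: is it current? The following PowerShell script is an added example, not code from the original post, that answers it with the built-in Windows Update Agent API (which honours whatever update source the machine is configured to use: WSUS, a patch-management agent or Microsoft Update) and the Windows Defender status cmdlet. It assumes Windows 8.1 / Server 2012 R2 or later; the age thresholds are assumptions to take from your own policy, and if you run a different anti-virus product its console is the place to check signature age.

```powershell
# Added example (not from the original post): report missing security updates
# and stale antivirus signatures on the local machine. Assumes Windows 8.1 /
# Server 2012 R2 or later. Thresholds are assumptions; set them from your policy.

$MaxPatchAgeDays     = 30   # Critical/Important updates older than this are overdue
$MaxSignatureAgeDays = 3

function Get-MissingUpdates {
    # The Windows Update Agent COM API is built into every supported Windows and
    # searches against the machine's configured source (WSUS or Microsoft Update).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Not installed and not hidden by an administrator: known but unapplied updates.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        $published = $u.LastDeploymentChangeTime
        $severity  = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        $kbs       = foreach ($k in $u.KBArticleIDs) { "KB$k" }
        [pscustomobject]@{
            Severity    = $severity
            KB          = ($kbs -join ',')
            Published   = $published
            AgeDays     = [int]((Get-Date) - $published).TotalDays
            NeedsReboot = ($u.InstallationBehavior.RebootBehavior -ne 0)   # 0 = never reboots
            Title       = $u.Title
        }
    }
}

function Get-OverdueUpdates {
    param([int]$MaxAgeDays = $MaxPatchAgeDays)
    Get-MissingUpdates | Where-Object {
        $_.Severity -in 'Critical', 'Important' -and $_.AgeDays -gt $MaxAgeDays
    }
}

function Test-AntivirusCurrency {
    param([int]$MaxAgeDays = $MaxSignatureAgeDays)
    # Windows Defender only; other products expose equivalent data in their consoles.
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        return 'Defender cmdlets not present; check your anti-virus product console'
    }
    $s = Get-MpComputerStatus
    if (-not $s.AntivirusEnabled)          { 'Antivirus engine is disabled' }
    if (-not $s.RealTimeProtectionEnabled) { 'Real-time protection is OFF' }
    if ($s.AntivirusSignatureAge -gt $MaxAgeDays) {
        "Antivirus signatures are $($s.AntivirusSignatureAge) days old (last updated $($s.AntivirusSignatureLastUpdated))"
    }
}

$overdue = @(Get-OverdueUpdates)
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) Critical/Important update(s) older than $MaxPatchAgeDays days:"
    $overdue | Format-Table Severity, KB, AgeDays, NeedsReboot, Title -AutoSize
}
Test-AntivirusCurrency | ForEach-Object { Write-Warning $_ }
```

Scheduled across the fleet and collected centrally, the output is the evidence that the patch management system described above is actually doing its job, rather than a belief that it is.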

Secure remote access is not convenient. To provide it, you must have a layered system in place, with at least two-factor authentication, to let legitimate users into your network while keeping everyone else out.

If you think about your network like a home, consider that there are windows and doors in your home that allow you and others to enter and leave. You put locks on those openings to control who enters and to keep unwanted visitors out. Security on your network is based on the same simple principle. There are openings in computer networks that must be “locked down” to control who has access to them. We find that many business owners are not aware of the vulnerabilities they may have in their network and computer systems because they don’t know enough about remote access or what their “doors and windows” are.

“In today’s environment, teenagers are able to hack into your computer system.”

Security and secure systems should be a deterrent for random people to hack into your network and computer systems. The more secure and inconvenient it is for someone to hack into your system, the more likely they will move on to the next system that is easier to get into.

Here are basic best practices for implementing secure remote access to your network and computer systems.

Remote User “Requirements”

  • Use Business-Owned Devices – Remote workers should use company-owned computers and mobile devices so that you can dictate and enforce security policy on them. At no point should they use their own computer, install their own applications on a work machine, or use it for personal reasons. On a business-owned computer you have the right and the ability to monitor its security and configuration; on someone’s personal computer you do not.
  • Encrypted Devices – All remote-access computers and phones should be encrypted. Users must authenticate to unlock the device, and the device should be configured so that if it is lost it can be wiped remotely, or wipes itself after a set number of failed unlock attempts.
  • No Public WiFi – Remote users should connect through their own phone hotspot or MiFi device rather than public WiFi. Your IT manager can configure these devices in advance. Remote users should not use hotel or restaurant WiFi, as those networks are not under your control and may not be secure.
  • Encrypted Connections – Traffic between the remote device and your systems should travel over an encrypted tunnel, normally a Virtual Private Network (VPN), so that the connection from the remote device to the host is protected end to end.
  • Avoid Using Freeware or Shareware Solutions for Remote Access – Remote users should not install free versions of TeamViewer, VNC Viewer and the like. The problem is not the price but the lack of management: an always-on remote-control tool protected by a single password and configured by the user is a door into your network that IT cannot see. If such tools are necessary, use the licensed versions and ensure your IT manager controls how they are configured.

Best Practices for Business Owners

  • Ensure you have remote access to these computers so that you can apply security updates to them on a regular basis.
  • Ensure that utilities are set up so that you can remotely monitor these devices and confirm they are being used according to company IT security policies.
  • If you’re concerned about employee productivity, software can be installed on the devices to track employee productivity.
  • If you’re concerned about employees accessing social media, personal email, or other sites from company-owned devices, software can be installed that can filter content when remote users browse the Internet restricting their access to these areas.
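Most of the requirements above can be audited on the device itself. The following PowerShell script is an added example, not code from the original post: it checks the screen lock, the RDP configuration, installed remote-control tools, saved open Wi-Fi networks and VPN connection settings on a Windows laptop. It assumes Windows 8 or later and an elevated session; the Wi-Fi check parses English-language netsh output, and the list of tool names is an assumption to extend with whatever your policy prohibits. Disk encryption status is a separate check (Get-BitLockerVolume) and is left out here.

```powershell
# Added example (not from the original post): audit a company-owned remote-access
# laptop against the requirements in the post. Assumes Windows 8 / Server 2012 or
# later, an elevated session, and English-language netsh output. The remote-control
# tool list and the 15-minute lock timeout are assumptions.

function Test-RemoteDeviceBaseline {
    $f = @()

    # 1. Screen lock for the current user: saver active, password on resume, short timeout.
    $d = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
    if ($d.ScreenSaveActive -ne '1' -or $d.ScreenSaverIsSecure -ne '1' -or [int]$d.ScreenSaveTimeOut -gt 900) {
        $f += "Screen lock not enforced (Active=$($d.ScreenSaveActive) Secure=$($d.ScreenSaverIsSecure) Timeout=$($d.ScreenSaveTimeOut)s)"
    }

    # 2. RDP: either disabled, or requiring Network Level Authentication so the
    #    logon screen is never exposed to an unauthenticated client.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($ts.fDenyTSConnections -eq 0 -and $tcp.UserAuthentication -ne 1) {
        $f += 'RDP is enabled without NLA (UserAuthentication=0)'
    }

    # 3. Remote-control tools installed as services. Anything found should be the
    #    licensed, IT-configured build; a user-installed copy is an unmanaged door.
    $tools = 'TeamViewer|tvnserver|uvnc|winvnc|vncserver|AnyDesk|LogMeIn|Splashtop|ScreenConnect'
    foreach ($svc in Get-Service | Where-Object { $_.Name -match $tools -or $_.DisplayName -match $tools }) {
        $f += "Remote-control service present: $($svc.DisplayName) [$($svc.Status)]"
    }

    # 4. Saved Wi-Fi profiles with no authentication (open hotel or cafe networks).
    $names = foreach ($line in (netsh wlan show profiles)) {
        if ($line -match 'All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }
    foreach ($n in $names) {
        $prof = netsh wlan show profile name="$n"
        if ($prof -match 'Authentication\s*:\s*Open') { $f += "Saved open Wi-Fi network: $n" }
    }

    # 5. Configured VPN connections: PPTP (MS-CHAPv2) is broken; encryption must be required.
    foreach ($v in (Get-VpnConnection -ErrorAction SilentlyContinue)) {
        if ("$($v.TunnelType)" -eq 'Pptp' -or "$($v.EncryptionLevel)" -in 'NoEncryption', 'Optional') {
            $f += "VPN '$($v.Name)': TunnelType=$($v.TunnelType) EncryptionLevel=$($v.EncryptionLevel); use IKEv2 or SSTP with encryption required"
        }
    }

    return $f
}

$issues = Test-RemoteDeviceBaseline
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { Write-Output 'Device meets the remote-access baseline.' }
```

Because the first check reads the current user’s registry hive, run it in the context of the employee who uses the laptop, or enforce the same settings centrally through Group Policy and check the policy keys instead.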

Remote access is one component of your overall IT computing environment. Kenneally Technology Services can review your remote access capabilities to see what improvements are needed to ensure your systems and data remain secure. An IT security assessment will help you ensure your networks vulnerabilities are eliminated and “open doors” are locked down.
