Written By: Sara Cardoza

As technology continues to expand and become more complex (and the more it connects all our critical data), the need for compliance and regulation will continue to expand right along with it, and as it should! Compliance is meant to be an ally, but without proper management it can quickly become the enemy. While many see compliance as more red tape, the truth is that failure to comply with regulations can lead to expensive fees and fines. Managed Solution can help boost your compliance and bring your business closer to your compliance goal.

What is Compliance & Security Management?

In the IT world, compliance management around governance, risk and compliance is the process of ensuring a company or organization consistently complies with federal and state laws, industry requirements, vendor best practices, cyber insurance policies as well as post-breach protocol when it comes to their technology and data management.

In many ways when someone says “compliance,” what they really mean is documentation… and lots of it. Compliance is a big, complex collection of paperwork and data of all kinds, and compliance management is making sure all of that is organized, and more importantly, up to industry standard.

Why Automate Compliance Management?

Because the world of compliance is so complex (and continues to evolve), it’s critical to make sure your organization has its T’s crossed and I’s dotted. Like it or not, there’s a cost to compliance. But research has shown it’s much more expensive not to follow the mandated industry regulations: in fact, up to 2.71 times more costly. The bottom line: compliance can be a headache, but implementing a consistent, effective solution saves money.

The good news is you don’t have to tackle compliance alone. That’s where Compliance Manager and Managed Solution come into play. Compliance Manager is a cloud-based solution that automates the data gathering and reporting required to meet internal and external auditor expectations.

It’s a one-stop shop for:

  • In-product compliance guidance
  • Automated data collection
  • Brandable report, worksheet, and auditor checklist generation
  • Automatic archiving
  • Centralized workflow management and task notification
  • Tracking compliance activity

Key Compliance Manager Features

Compliance Manager is a robust tool that reduces risk by simplifying and streamlining your IT security documentation. More than that, it makes sure everyone on your team is on board and has one easy-to-use platform to store, access and manage their part of the process.

Here are some of the key features: 

  1. Customizable Documentation & Processes. Compliance Manager is a role-based solution, meaning you can tailor it to meet your specific IT compliance needs and workflows. So, whether you’ve created your own company-specific standards or need help complying with industry regulations, each report and process can be adjusted accordingly, giving you the flexibility to simultaneously manage multiple compliance standards and information security protocols from one centralized location.
  2. Centralized Management. Because compliance involves many different data points and stakeholders, centralizing the information and access is key to successful management. An automated solution provides self-serve portals for both employees and vendors, allowing you to automate a variety of tasks and collect necessary data and documentation for compliance verification.
  3. Employee-Focused Tracking. Organize employee-specific training courses, assignments, and policy acknowledgements, upload policy documents, and track employee compliance and reporting. All of this is accessible from easy-to-use IT admin dashboards that let you access and manage your employees’ compliance requirements and activity quickly and easily.
  4. Vendor Risk Assessment & Tracking. House and manage both permanent employee and vendor details all within a single solution and with the option to provide a unique vendor login, vendor assessments, status tracking, surveys, and more.
  5. Integrations. Compliance Manager can integrate with IT Glue, VulScan, VSA, and Bullphish, among other separate technologies, to leverage an even more distinct degree of control and customization.
  6. Automated Reporting. Compliance Manager automatically generates custom plans, procedures, risk analyses, milestone reports, auditor checklists, supporting documents and more which update based on data and information supplied to the program.
  7. Compliance Templates. As compliance grows, so does Compliance Manager’s compliance template database, meaning you don’t have to start from scratch. Some of the most popular templates to date include:
    • HIPAA (all 3 rules)
    • Cyber Insurance
    • NIST (CSF & 800-171)
    • CMMC (Levels 1 & 2)
    • GDPR (UK & EU)

Leveraging a Managed Solution

A tool alone is not enough to reach compliance. Let Managed Solution’s compliance team guide your business through the lengthy process. Our compliance team will ensure progress and work hand in hand with you to integrate Compliance Manager into your existing ecosystem.

Interested in learning more? Schedule a call today and learn how Managed Solution can help boost your compliance and bring your business closer to your compliance goal. Not ready for a direct call? We are hosting a webinar on July 28th; click here to register. Attendees will receive a FREE 30-minute consultation with our vCIO to see if our Compliance as a Service tool can work for you!


Outsource IT Helpdesk


There are many advantages to outsourcing your IT services; some may seem obvious, while others may surprise you. We conducted a survey of our customers and asked why they chose to outsource their IT services. Here are the most common answers to that question.

Optimized Spend 

Far and away, the top answer was reduction of costs. One of the most significant benefits you may see when partnering with a qualified MSP is reduced costs for IT hardware (volume discounts), software, and employees. Working closely with your Managed Service Provider can help you lower operational costs, minimize the capital budget for technology expenses, and reduce overall IT spend.

Rapid Response 

Workplaces and hours are more flexible than ever before, which means companies choosing to build out an internal help desk are now scrambling to offer 24/7 support for the business, and many are realizing that this is an expensive proposition. An MSP is available after hours, on weekends, and even on holidays to provide real-time support whenever you need it.

Certified Engineers 

A huge benefit of outsourcing your IT is that you are partnered with an entire team of professionals that bring a broad depth of knowledge across industries, at a flat monthly rate. The reality is that no one person can keep up with all the changes happening in technology today, and it’s often not in the best interest of a business, non-profit, or health provider to remain “status quo”. When you partner with a qualified MSP, you receive a team of IT professionals, project managers, cloud experts, help desk professionals, and virtual CIOs that bring best-of-breed solutions to help your company remain competitive.

Security 

Cyber security is no longer a “set it and forget it” function. In today’s world of increasing ransomware and cyber-crime, all companies need to be looking at MSPs that bring security solutions to the forefront of the conversation. Many MSPs offer the most current cyber security products on the market, including staff training, email and network monitoring, and even software that uses artificial intelligence to detect potential issues before they become a problem.

Scalability 

As your business grows and changes, your IT needs grow, change, and evolve, and you will need to scale your IT systems up or down to accommodate those needs. IT demands can be changed in real time to meet your unique business needs, whether you’re on premises or in the cloud. Your MSP should monitor your needs and suggest scaling up or down based on your hardware usage, so that your user experience is maximized while costs are kept low.

Transparency  

Many MSPs can provide detailed, customized reporting about your ticket resolution times and your utilization of their services, along with a dashboard login that shows you the health of your IT systems, both on premises and in the cloud.

What Size Company Benefits from Working with an MSP? 

Overall, any size of company can receive enormous benefits when working with a Managed Service Provider. A company that does not have an IT department can retain a Managed Service Provider to act as an outsourced IT staff that keeps the computers and the network running, makes sure that software upgrades and patches are done, provides cyber security services to minimize the risk of hacks or ransomware, and makes recommendations about when to replace aging internal servers and networking equipment, or provides consulting if moving everything to a cloud environment makes more sense for greater accessibility and flexibility.

Mid-size and large companies that have an IT manager or some IT staff often outsource pieces of their IT functions to avoid hiring and training additional IT engineers, and to avoid the added expense of company-paid benefits or the risk of turnover that is prevalent today.

When there is an internal IT team, the MSP staff often takes care of the “day-to-day” issues, such as helping users who have forgotten passwords, supporting users with access to applications and data, or assisting with network issues. Many large companies hire an MSP to manage cyber security software and provide “tier 3” technical support beyond the capabilities of internal junior-level IT staff.


What Should I Consider When Selecting a Managed Service Provider? 

Now if you’ve read this far and are thinking, “I could really use the services of a Managed Service Provider,” here are some things to consider...   

Expertise 

Once you understand the range of services you need, look for a Managed Service Provider with the experience and expertise to provide reliable IT solutions for those services. Many small to mid-size Managed Service Providers across the United States specialize in specific products and specific industries. If your plans include moving to the cloud, look for a Managed Service Provider with cloud experience. Or, if you have a particular piece of software that is integral to your business, consider an MSP that understands and supports that software. If you are struggling with compliance requirements, make sure the MSP has the tools and ability to support your organization through this complex process.

A Managed Service Provider with the right expertise can become a partner in your business’s growth, management, and health.   

Range of Services 

Every MSP has a range of services that they provide to take care of your IT and cloud needs. Those can include onsite IT resources, remote technical support and network monitoring, along with cyber security software products, cloud hosting and management, and even virtual CIO services. Determine the services you need and partner with a Managed Service Provider that comprehensively addresses your unique needs.


Security Solutions  

It is critical to work with an MSP that operates in protected environments to ensure the safety of your data. Find out what security products are available and whether they’re offering the most comprehensive solutions to keep your data safe.

If you’re in a cloud environment, here are some items to consider:

  • Are they advising a “shared” cloud or a “private” cloud?
  • Consequently, what are the risks should another of their clients fall to a cyber-attack?
  • If you need to change service providers, would there be a cost to migrate your systems off their platform?
  • How easy would it be to migrate off the platform?

Customer Experience 

First, make sure to discuss your needs and requirements when it comes to response times. Dig into the support structure to make sure they have an adequate number of employees to support your organization. What type of customer service does the Managed Service Provider provide? Customer service should be apparent at every stage of their operation, from the sales team to technical support. An MSP is an essential part of your tech team, so ensure you are working with a helpful, service-minded provider. Most MSPs monitor client satisfaction; ask to see those scores to find out how their clients experience the service received.

Reach 

If you have offices in multiple cities or states, find an MSP that can support all locations. Many MSPs work only regionally, while others have the resources to provide services nationally or internationally.

Trust 

Turning over your IT services to an MSP is a big decision that involves a great deal of trust. Make the right decision, and you sleep well at night. Make the wrong decision, and your business will suffer.    

Understandably trust is earned over time, so be sure to ask your MSP for the following:

  • references
  • customer satisfaction scores
  • number of years in business
  • partnerships (are they large organizations like Microsoft?)
  • review response and professionalism of sales process

Cloud Customization  

Your business is unique, so when considering a move to the cloud, you want an MSP that will create a custom environment. Choose a Managed Service Provider that will customize its services and solutions to help optimize your business.

Cost 

Since cost is a consideration in business decisions, compare the cost of the services to the cost of hiring internally. Typically, a company cannot hire the expertise and resources available at the cost a Managed Service Provider charges. Work with the Managed Service Provider to help them understand your budget, and choose services that meet your IT requirements. To stay competitive in today’s market, reduce costs, and keep your data secure, consider partnering with an MSP.

Interested in learning more about our help desk? Click here.


By Bryan Timm

Azure Active Directory (AD) is an Identity and Access Management (IAM) system. It provides one place to store multiple digital identities. You can also configure your software applications to use Azure AD as the place where user information is stored.

Azure Active Directory is the latest evolution in Microsoft’s constantly evolving product line for identity and management services. Now, they have extended their identity and management services to the cloud. The ability to manage multiple on-premises infrastructure components and systems using a single identity per user is a feature that was introduced in 2000. It was introduced as part of Active Directory Domain Services in Windows. Organizations can still utilize on-premise Active Directory in conjunction with Azure Active Directory.

Azure AD must be configured to integrate with an application. In other words, it needs to know what apps are using it for identities. Making Azure AD aware of these apps, and how it should handle them, is known as application management. A centralized identity system provides a single place to store user information that can then be used by all applications.

Azure AD takes this approach to the next level by providing organizations with an Identity as a Service (IDaaS) solution for all their apps across cloud and on-premises. This allows you to simplify your user experience with only one sign-on experience.

Why is Azure AD important, and how can it help your business? With a single IAM system in place, organizations can leverage one sign-on platform for thousands of applications. This allows your users to focus more on their jobs and less on logins and passwords, and executives can rest assured that only the right people are accessing the right information.

What is Multi-factor Authentication?

Multi-factor authentication (MFA) allows you to take the protection of your users to the next level. It adds a layer of security to each account. Even if a malicious third party is able to obtain a user’s password, they won’t be able to take any action with it if multi-factor authentication is set up.

Multi-factor authentication is one form of protecting your user accounts from malicious access. It is a process where a user is prompted during their login for an additional form of identification. This could be one of several things, including a code from your cellphone or a fingerprint scan.

When was the last time you received an email that was spoofed to look like another company's login page, such as an Office 365 login? Malicious parties gain access to your account after you have unintentionally entered your credentials into their fake website. If you only use a password to authenticate a user, you leave an insecure vector open for attack.

This is not the only way that a breach can occur. Many times, accounts are compromised by utilizing the same password across multiple accounts. For example, using the same password at a retail website that had its database breached and not having some secondary form of authentication leaves your company accounts exposed.

Azure AD Multi-Factor Authentication works by requiring two or more of the following authentication methods:

  • Something you know, typically a password.
  • Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key.
  • Something you are - biometrics, like a fingerprint or face scan.

As an administrator, you can define what forms of secondary authentication can be used. You can also allow your users to register for self-service password reset, in the event that an administrator isn’t available for an immediate password reset. Azure AD Multi-Factor Authentication can also be required when users perform a self-service password reset to further secure that process.

Azure AD Multi-Factor Authentication is all about simplicity for the user. Your data and applications are safeguarded by Microsoft, while allowing for a smooth user experience utilizing the password they are used to and their cell phone, or other forms of secondary authentication. Users may or may not be challenged for MFA based on configuration decisions that an administrator makes.

Azure AD Multi-Factor Authentication does not require any changes to work with existing Microsoft applications and services. The verification prompts are part of the Azure AD sign-in event, which automatically requests and processes the MFA challenge when required.

What is Conditional Access?

Ensure a smooth user experience by configuring Conditional Access. Conditional Access is the tool used by Azure Active Directory to enforce your organizational policies. This is the soul of the new identity driven control plane.

At its simplest, Conditional Access is just if-then statements: if a user wants to do ABC, then they must do XYZ. A common scenario is this: if a user wants to log in from outside the office, then they must pass multi-factor authentication.

Administrators are faced with two primary goals:

  • Empower users to be productive wherever and whenever
  • Protect the organization's assets

Keep your user base safe, while configuring the right controls to minimize their time spent on the phone with IT.
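As an added illustration of the if-then model described above (example code written for this page, not Microsoft's Conditional Access engine or its API), the following Python models a small policy set, including the "outside the office, then MFA" scenario; the trusted office IP ranges, group names, app names and break-glass account are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

# Constructed "named locations": the office egress ranges (assumed values, not real ones).
TRUSTED_LOCATIONS = {
    "HQ office": ["203.0.113.0/24"],
    "Branch office": ["198.51.100.0/26"],
}


@dataclass
class SignIn:
    """The context a Conditional Access evaluation sees when a user reaches for an app."""
    user: str
    groups: Set[str]
    app: str
    ip: str


@dataclass
class Policy:
    """IF every configured condition matches the sign-in, THEN the controls are applied."""
    name: str
    include_groups: Set[str] = field(default_factory=set)   # empty = all users
    exclude_users: Set[str] = field(default_factory=set)    # e.g. break-glass accounts
    apps: Set[str] = field(default_factory=set)             # empty = all cloud apps
    outside_trusted_locations: bool = False                 # condition: not an office IP
    controls: Set[str] = field(default_factory=set)         # "mfa" and/or "block"


def is_trusted(ip: str) -> bool:
    """Is the sign-in coming from one of the trusted (office) ranges?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for ranges in TRUSTED_LOCATIONS.values() for cidr in ranges)


def policy_applies(policy: Policy, signin: SignIn) -> bool:
    """The IF part: every condition the policy sets must hold for this sign-in."""
    if signin.user in policy.exclude_users:
        return False
    if policy.include_groups and not (policy.include_groups & signin.groups):
        return False
    if policy.apps and signin.app not in policy.apps:
        return False
    if policy.outside_trusted_locations and is_trusted(signin.ip):
        return False
    return True


def evaluate(policies: List[Policy], signin: SignIn) -> Set[str]:
    """The THEN part: union the controls of every matching policy; a block wins."""
    required: Set[str] = set()
    for policy in policies:
        if policy_applies(policy, signin):
            required |= policy.controls
    return {"block"} if "block" in required else required


# Constructed policy set (group and app names are assumptions).
POLICIES = [
    Policy("Require MFA outside the office",
           outside_trusted_locations=True,
           exclude_users={"breakglass@example.com"}, controls={"mfa"}),
    Policy("Always require MFA for admins",
           include_groups={"Global Admins"}, controls={"mfa"}),
    Policy("Finance system only from the office",
           apps={"Finance ERP"}, outside_trusted_locations=True, controls={"block"}),
]

if __name__ == "__main__":
    home = SignIn("alice@example.com", {"Staff"}, "Outlook", "192.0.2.5")
    office = SignIn("alice@example.com", {"Staff"}, "Outlook", "203.0.113.10")
    print("from home:  ", evaluate(POLICIES, home) or "no extra controls")
    print("from office:", evaluate(POLICIES, office) or "no extra controls")
```

The exclusion on the first policy is there because a location-based MFA rule with no excluded account can lock administrators out if the MFA provider is unavailable.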

Integrate applications with Azure Active Directory

Azure Active Directory also allows for single sign-on for thousands of applications already integrated with it. Accelerate adoption of your application in the enterprise by supporting single sign-on and user provisioning, and enrich your application by connecting to user data with Microsoft Graph.

You can use Azure AD as your identity system for just about any app. Many apps are already pre-configured and can be set up with minimal effort. These pre-configured apps are published in the Azure AD App Gallery.

You can manually configure most apps for single sign-on if they aren't already in the gallery. Azure AD provides several SSO options. Some of the most popular are SAML-based SSO and OIDC-based SSO.

Reach enterprise customers

  • Allow users outside of your organization to sign in with their Microsoft work or school account. 90% of Fortune 500 companies use Azure AD, the sign-in engine for Office 365.

Reduce support costs

  • Azure AD handles the maintenance, administration, and infrastructure costs associated with identity and access management.

Help secure data and resources

  • Extend Azure AD security features to your application. Meet enterprise security and governance requirements to help customers protect their data and resources.

There are currently over three thousand applications that have existing integrations with Azure Active Directory services. You can find a directory of those applications on Microsoft’s website.

Trust the Experts

  • Microsoft invests over USD 1 billion annually on cybersecurity research and development.
  • Microsoft employs more than 3,500 security experts focused on securing your data and privacy.
  • Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications every day.


Need help with your Azure Active Directory strategy and plan? Learn more about our AD services and contact us to speak to one of our in-house experts!

By Dustin Gray

A few months ago, Mimecast released "The State of Email Security 2020," this year's version of their yearly breakdown of email security. It had the same central finding as it did last year, and the year before, and every year going back for as long as it, or any other yearly cybersecurity report, has existed: year after year, email continues to be the largest and most exploited attack vector for organizations of any size, across nearly all industries and geographies. It has been for all of recent memory, and will be for the foreseeable future. That seems crazy, though; how could we have known about this for so long and not addressed it? With how widely email is used, and how prolific security services, appliances, and suites are, you would think someone, somewhere would have figured this out. You wouldn't be far from the mark (for the most part), but the story gets interesting quickly.

Over the next three blogs I'm going to take a dive into what it is about email that makes it such a convenient target for cybercriminals, why securing it seems so convoluted, the current trends in email-borne security threats, and what promise new email hosting and security offerings hold for email. I'm going to start this blog with some background on email, and introduce some of the concepts that are central to the conversation about email security.

Email Server Authentication and the Sordid History of Spam

Our story starts in the late 1970s when the Protocol Wars had been raging for over a decade. Engineers were battling over what systems would be used when communications were standardized, each fighting through the compromises it takes to make systems work together. Of the myriad messaging protocols, SMTP was emerging as the clear dominant standard for sending emails. SMTP is a robust and elegant protocol and would end up being the driving engine of email communications through to the modern era. Throughout the 1980s and into the 1990s, however, a considerable flaw in how SMTP handles the sending of email was waiting to wreak havoc on everyone's inbox.

You see, SMTP allows any computer to send email as any source domain or address; there is no built-in method to authenticate the sending server to ensure that it is actually associated with the domain or organization it is claiming to be from. During the 70s and 80s that was a relatively unnoticed side note. By the late 1990s, however, people had figured it out and spammers began abusing it to flood people with unwanted advertisements and emails. Did that email really come from @bankofamerica.com? This type of abuse (sending email from a domain you do not own) is called "spoofing." As 2000 came, spoofing was starting to be used more widely to gain trust with companies and compromise employee credentials and files. With SMTP spread too far to switch to anything else, and no built-in server authentication, engineers had to find an external way to prove what servers belonged with what domain, and stop the spoofing.


Sender Policy Framework (SPF), That’ll Stop ‘Em!

By the year 2000, spoofing was beginning to become a serious concern for businesses, and standards were coalescing around a DNS-based authentication method that would allow organizations to verify ownership of both their mail servers and domain. By 2004 the name "Sender Policy Framework" (almost always just "SPF") was settled on, and in 2006 it was published as an RFC (a standards document used by the internet at large).

SPF works on the idea that in order to make DNS changes to a public domain (like managedsolution.com) I have to first own that domain. If I own that domain, I can create a text list of servers allowed to send email from it, and publish it as a DNS TXT record. Then, any server that receives email from my domain can check my SPF TXT record and make sure it's really from one of my servers; and just like that, spam was defeated!

Except, as we all know, spam was very much not defeated. SPF requires knowledge of email infrastructure and DNS, and many organizations did not have the ability or knowledge to implement it. Additionally, SPF only protects the envelope of an email, and cunning cybercriminals are still able to "spoof" the sending address in the email's encoded headers. Finally, a mistake in an SPF record can cause legitimate email to become undeliverable, which can cause huge headaches for any organization.

Independent groups began keeping public "blacklists" of senders who failed to secure their domains and were then used to send spam, which encouraged SPF adoption for many email administrators. As adoption grew, engineers were also tackling the problem of spoofed headers.

DomainKeys Identified Mail (DKIM) Rounds It Out

In 2004, competing efforts from Cisco and Yahoo to address header spoofing resulted in the creation of DomainKeys Identified Mail (almost always "DKIM"). DKIM works by having email-sending organizations encrypt outbound emails' headers, then provide a cryptographic key in their DNS that allows receiving organizations to decrypt them. Since only the sending organization can encrypt the emails for that key, it proves to the receiving organization that the email is actually from who it says. Additionally, since the emails' headers are encrypted while they are being sent, it proves that the emails were not intercepted or altered.

If that sounds more complicated than SPF, that's because it is. In addition to DNS and email infrastructure, DKIM requires an understanding of public-key encryption and the ability to implement key signing in your email organization. In the end, it suffers from the same thing SPF does: Because it is hard to understand and often complex to implement, it has had slow adoption.

There was another problem altogether, as well. SPF and DKIM aren't designed to work together, and there was no central protocol or policy in place to hold them together or provide centralized controls for how an organization’s messages would be treated if they passed one check, but not the other.

...and DMARC makes 3

In 2012, specifications for a new protocol that would link SPF and DKIM together, again via DNS, were announced. "Domain-based Message Authentication, Reporting and Conformance" (almost always "DMARC") allowed organizations to centrally set policy that was tailored for their environments. Finally, DNS authentication for emails covered envelope and header spoofing and had a centralized way to manage it.

DMARC, however, again ran into issues with complexity. Effectively using it required organizations to understand SPF and DKIM, then add another level of policy understanding for DMARC. Predictably, it has also had adoption issues.
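To make the envelope check from the SPF section and the DMARC policy and alignment logic from this section concrete, here is an added Python example written for this page (not code from the SPF, DKIM or DMARC projects). It evaluates a domain's SPF record against a connecting IP, then applies a DMARC record's alignment rules to the SPF and DKIM results to decide whether a message that passes one check but not the other is accepted; the DNS records are constructed examples held in a dictionary, DKIM signature verification itself is out of scope (its result is passed in), and only the ip4, ip6, include and all SPF mechanisms are implemented.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DNS TXT answers standing in for live lookups (assumed records, not real ones).
DNS_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for the connecting IP.
    Only ip4/ip6/include/all are implemented; a, mx and exists need live DNS."""
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    records = [r for r in DNS_TXT.get(domain, []) if r.split(" ")[0].lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:                 # two SPF records is a permanent error
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                  # a bare mechanism means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include" and spf_check(ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qualifier]  # include matches only when the included record passes
    return "neutral"                     # nothing matched and no explicit "all"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, filling the RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Crude last-two-labels rule; real checkers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return organizational_domain(identifier) == organizational_domain(from_domain)


def dmarc_evaluate(from_domain: str, spf_result: str, mail_from_domain: str,
                   dkim_result: str, dkim_domain: str) -> Tuple[str, str]:
    """Combine SPF and DKIM the way DMARC does: either check may carry the message,
    but only if its identifier aligns with the header From domain.
    Returns (dmarc_result, disposition requested by the domain owner)."""
    records = [r for r in DNS_TXT.get("_dmarc." + from_domain.lower(), [])
               if r.split(";")[0].strip().lower() == "v=dmarc1"]
    if not records:
        return ("none", "none")          # no policy published: the receiver decides alone
    policy = parse_dmarc(records[0])
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy["p"])


if __name__ == "__main__":
    # Constructed message: header From example.com, envelope MAIL FROM billing.example.com,
    # delivered from 198.51.100.10 (authorised only through the include), no DKIM signature.
    spf = spf_check("198.51.100.10", "example.com")
    print("SPF:", spf, "DMARC:",
          dmarc_evaluate("example.com", spf, "billing.example.com", "none", ""))
```

Note the asymmetry in the constructed policy: relaxed SPF alignment lets a billing subdomain carry the message, while strict DKIM alignment would reject a signature from that same subdomain.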

Wait, What About All Those Spam Filters and Email Security Providers?

If we were to universally adopt SPF/DKIM/DMARC as an email-sending community, the avenues for nearly all spoofing and spam would be closed. However, as we've found several times, we aren't a perfect community and not everyone has the capacity and wherewithal to implement those security protocols. Even if we all did, there are email-borne threats like malware and Business Email Compromise tactics that don't require domain spoofing at all. That's where spam filters and email security providers come in.

In this imperfect world of email security, these vendors use a combination of heuristic scanning, malware scanning, blacklist checking, and DNS checking to see if a message is legitimate or malicious. Many now include AI in their offerings that can add behavioral analysis and conversation continuity, but at their core, they are attempting to both cover for the lack of universal SPF/DKIM/DMARC adoption, and prevent/mitigate non-spoofing-based attacks.

Well Thanks for Making Me Feel Unsafe, Where Do I Go from Here?

Mimecast’s “The State of Email Security 2020” report that I brought up earlier puts it pretty starkly when it shows that while 97% of IT decision-makers are aware of DMARC, only 28% have implemented it. That’s for a security mechanism that largely relies on community engagement.

The most effective weapons we have against email-borne threats are action and education. By now you should have some idea of why email is hard to secure, the ways in which we attempt to secure it, and why you should do so. If you are interested in starting that journey now, talk with your IT provider or see some of the resources I’ve linked to below.

My next blog will cover common attacks and trends in email security. We’ll be diving more into “The State of Email Security 2020,” so I’m including a link to where you can download that. We’ll be looking at what these attacks are and what can be done to respond to them. Finally, I’ll be finishing the series out in a third installment with a look at some contemporary email services and how they are streamlining security.

Stay tuned next week for Part 2!

Resources

The SPF Project (please note that this site is insecure)

http://www.open-spf.org/

DKIM.org (please note that this site is insecure)

http://dkim.org/

DMARC.org

https://dmarc.org/

Author: Arthur Marquis

Learn how to protect yourself against hackers by understanding what hacking is and the types of threats out there.

What is hacking? Merriam-Webster defines hacking as “to gain illegal access to (a computer network, system, etc.)”. Malwarebytes, in its terrific write-up on hacking, states: “Hacking refers to activities that seek to compromise digital devices, such as computers, smartphones, tablets, and even entire networks.”

In this article, we will cover the different types of hackers, social engineering, the types of threats out there, and how you and your organization can stay protected.

How to Protect Yourself Against Hackers: What are the different types of hackers?

A White-Hat hacker tends to be either freelance or hired by a large company to assess security flaws and deliver reports on what those flaws are. Additionally, they'll share how to protect your organization from them. Essentially, white-hat hackers are the good kind of hacker that helps you to improve your security posture.

Black-Hat hackers are criminals that gain unauthorized access to computers and systems to either destroy data or compromise data in hopes of a payday. Or as Alfred said in The Dark Knight, “Some men want to watch the world burn.”


Grey-Hat hackers occupy a more complex middle ground. Some hack into a corporate environment without permission to gain sensitive information without leaking it to the public. Then, they turn around and offer security services almost with a blackmail-feel to the whole transaction.

A long time ago (in a galaxy far, far away) hacking had an old wise Grandpa. His name was Phreaking. Phreaking is when someone uses telephone lines illegally. You could go down to Radio Shack, spend about $5-10 and make yourself a device called a box. They had all kinds of boxes: Black, Rainbow, Green, Blue, etc. These boxes would allow you to do all kinds of things from a payphone pretending to be an operator.

For instance, a black box would trick a telephone system into connecting a call while making it think the call was never answered; thus, a free phone call! A green box was probably the most prevalent. It would generate tones you would play into the payphone to fool the system into thinking you had put money in, resulting, again, in free phone calls. This, obviously, is not pertinent anymore, but it is a fun little tidbit on how hacking REALLY started.

Once computers became more affordable and were found in millions of homes, phones and the internet became connected. Remember AOL?

That's when hacking really gained momentum. Before the internet, there were bulletin board systems. These systems were a specific phone number you could dial (way before IP addressing) that would give you access to a company's network. For legitimate purposes, this would give you access to company news, downloads, etc.

What is social engineering?

Another term that goes hand in hand with hacking is social engineering. Social engineering is the act of compromising people. A terrific example I have is from when I worked at a financial organization. This bank would assess the security hardening of its people. With a simple phone number spoof and a person’s name, I could pretend to be calling from their IT department. I did so and was met with Kathy (not her real name).

I identified myself as Mike from IT and stated that I needed to check on some data because we were having problems with the system.

Kathy then proceeded to answer all my questions without hesitation. These questions included:

  • “What is the last account number you looked up?”
  • “What is the name on the account?”
  • "What is the balance you are showing in checking?”

Now, it would be easy to blame Kathy here, but she is not to blame. The lack of employee training is the problem, as human beings are often the first and last line of defense between hackers and valuable data. Kathy thought she was doing the right thing and simply wanted to help her IT department do their job. Had she had the training to know that their IT department 1) would never call from an outside line, 2) would route those types of inquiries to a manager, and 3) would have communicated sensitive information using encrypted email, this would never have happened.

Another example is when trying to gain access to a system. A hacker could do something as simple as dropping a few USB drives loaded with malicious code that runs as soon as the drive is plugged in. If someone were to find that USB drive and curiosity got the best of them, they could plug it in, and that's where the trouble starts.

Social engineering is one of the easier ways to gain access to a system, and one I usually start with when contracted to help an organization with their security.  I worked with a client whose CFO received an email requesting employees' social security numbers. The CFO believed it to be from another executive within the company. She delivered all employees' social security numbers to a social engineer. Not a good day for her or her company.


There are ways to train your staff to avoid these failures.

  • Quarterly e-mail reminders on social engineering techniques and how to avoid them.
  • Spot check employees by running an email campaign with an attachment that will show you who clicked on it and who did not open it. Then coach those employees.
  • Schedule training with your IT department or Managed Service Provider (MSP).

Click here to read about more tips for awareness training.

What kind of threats are there?

So, what kind of threats are out there? A LOT. You just read about social engineering. In addition to social engineering, you have:

  • viruses,
  • botnets,
  • dictionary and brute force attacks, and
  • social media gathering.

Viruses

Viruses come in all flavors. You have trojans (aka file infectors) which, aptly named, hide malicious code inside a normal-looking program. Sometimes this program continues to function as intended while the bad code steals keystrokes, giving an attacker remote access to the system.

Browser hijacking viruses are the big ones for most users. These viruses are pretty easily detected and pretty much put you on a different webpage than you were intending to go.

Boot Sector viruses used to be more prevalent than they are now, but much like everything in history, I would bet on a comeback. These viruses hide in email attachments or on a random USB drive (see social engineering above). Either way, malicious code is delivered to a computer.

I'm sure you've read or seen something about hacking in the news at some point. Target was a major news story when they were hacked and some of their transactional data was stolen: think credit cards, purchases, and all kinds of personal information. A real eye-opener for me was when CNN reported on the Soviet hacks. They used a photo from a famous video game (look!). This shows me how little people are aware of the risks when using a computer, phone, or tablet.

How can you stay protected with all these threats?

So how do we protect ourselves in this crazy world? Well, that is not so easy to answer, but there are some ways we can protect ourselves. The impact of social engineering can be lessened, or even completely negated, through employee training.

Attacks that encrypt your data can be completely negated by having comprehensive backups and trained staff and/or vendors to recover the data without paying these hackers.

Having a trained IT staff is HUGE. A real benefit to having a managed service provider is having all that experience as YOUR IT department. That is twofold, you can avoid most hacks, and if you are hacked you have qualified individuals to help you recover quickly.

In this article, we'll discuss what spyware is, the common types of spyware, and how you can protect yourself, your employees and your data from spyware.

What is Spyware?

Spyware is a malicious piece of software that continuously monitors your computer's activity and internet use. Its purpose is to gather information, often referred to as traffic data, which can include keystrokes, screenshots, websites visited, or various types of personal or sensitive information. The data can be used in a wide variety of ways, including selling it to interested entities or for identity theft, in some cases. Knowing these common types of spyware and how to detect them is very important.

A system can get infected with spyware in pretty much the same way as it does with other types of malware, including Trojans, viruses, worms, etc. Spyware can take advantage of various security vulnerabilities, for example when the user clicks on an unfamiliar link in an email or simply visits a malicious website. Users can also willingly download it when it is advertised as some sort of useful tool or as freeware (free software).

Why Does Spyware Matter?

With phishing attempts getting savvier by the day, it's critical that your employees are well educated on how they can prevent and detect phishing attacks. We've seen companies with threat protection in place still get fooled by various phishing attempts, as they're getting harder to spot these days. Many come disguised as people you know and correspond with regularly. Just recently, the CEO of a company fell victim to a phishing attempt, and they had to shell out hundreds of thousands of dollars to get their data back. Humans are the first and last line of defense, so it's critical to educate employees on how to prevent this from happening.


How To Determine Whether Your Computer is Infected with Spyware

The best way to detect this type of software is to have an up-to-date firewall, anti-malware, or antivirus software installed on your device. These will alert you in case there is any suspicious activity or any other kinds of security threats on your PC.

Nevertheless, other telltale signs may indicate that one or more pieces of spyware have made it into your system. These rarely operate alone on your computer, meaning that your device will likely have multiple infections. In this case, users will at times notice a degradation in the system's performance, such as high CPU activity, high disk usage, or inexplicable network traffic.

Various programs and applications may experience regular crashes or freezing, a failure to start, or even problems connecting to the internet. Some types of spyware can also disable your firewall and antivirus, alongside other browser security settings, resulting in a much higher risk of future infection. If you encounter any of these issues, the chances are that spyware or other forms of malware have infected your system.
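A check a practitioner would want for the last symptom above, added here as an example rather than code from the original article: a PowerShell health check of the Windows Defender and firewall settings that spyware tends to switch off. It assumes Windows 10/11 with Microsoft Defender and an elevated PowerShell session; the function name and the three-day signature threshold are choices made for this example.

```powershell
# Added example (not from the original article). Reports any of the
# protections that spyware commonly disables: Defender antivirus,
# real-time protection, the antispyware component, stale signatures,
# and the Windows Firewall profiles (Domain, Private, Public).
function Get-ProtectionStatus {
    $status   = Get-MpComputerStatus      # Defender state (Defender module)
    $profiles = Get-NetFirewallProfile    # one object per firewall profile
    $findings = @()

    if (-not $status.AntivirusEnabled)          { $findings += 'Defender antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if (-not $status.AntispywareEnabled)        { $findings += 'Antispyware component is disabled' }

    # Signatures older than a few days leave newer spyware families undetected
    if ($status.AntivirusSignatureAge -gt 3) {
        $findings += "Antivirus signatures are $($status.AntivirusSignatureAge) days old"
    }

    foreach ($p in $profiles) {
        # Enabled is an enum that compares to the string 'True' / 'False'
        if ($p.Enabled -ne 'True') { $findings += "Firewall profile '$($p.Name)' is disabled" }
    }

    [pscustomobject]@{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

$result = Get-ProtectionStatus
if ($result.Healthy) {
    'All checked protections are enabled.'
} else {
    $result.Findings | ForEach-Object { "WARNING: $_" }
}
```

A finding here does not prove an infection, but a protection that nobody deliberately turned off is worth an antimalware scan and a look at recent changes on the machine.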

What are the Common Types of Spyware?

Usually, the functionality of any given spyware depends on the intentions of its creator. Here are four examples of the most common types of spyware.

Keyloggers - Also known as system monitors, keyloggers are designed to record your computer's activity, including keystrokes, search history, email activity, chat room communications, websites accessed, system credentials, etc. More sophisticated examples can also collect documents going through printers.

Password Stealers - As their name would suggest, these types of spyware will collect any passwords inserted into an infected device. These may include things like system login credentials or other such critical passwords.

Infostealers - When a PC or other device is infected with this type of spyware, it can provide third parties with sensitive information such as passwords, usernames, email addresses, log files, browser history, system information, spreadsheets, documents, media files, etc. Infostealers usually take advantage of browser security vulnerabilities to collect personal data and other sensitive information.

Banking Trojans - Like infostealers, banking trojans take advantage of browser security vulnerabilities to acquire credentials from financial institutions, modify transaction content or web pages, or insert additional transactions, among other things. Banks, online financial portals, brokerages, digital wallets, and all sorts of other financial institutions can fall prey to these banking trojans.

Conclusion

The digital environment comes with its inherent risks, as is the case with spyware and other forms of malware. Fortunately, however, various people and tools can help you and your company stay protected from these online threats.

In this vlog, Jessica Shaanan is joined by our IT Field Engineer Feli Michaca to educate you about the best defenses against email attacks today. Feli and Jessica discuss the vulnerabilities we all face with email today and best practices to make sure you and your team are protected.

Cyber attacks are going way up. Where should companies be focusing their energy and resources to enhance cyber security?

Attacks have increased by 58%. Email is where you need to be protected. More cyber criminals are going after company's users to get what they need because users are vulnerable, especially now working from home. Right now is harvest time for cyber criminals and we need to be alert. The key word here is awareness.

If you’re on a budget, what should companies be doing to protect their email?

Open your toolbox and implement what you already have. Many clients are already paying for tools like threat protection and email encryption (which is especially great for financial and healthcare institutions). And, personally, my favorite: multi-factor authentication (MFA). These are very powerful tools and can add an extra layer of security. Advanced Threat Protection allows for better protection against scamming and phishing. With MFA, you can turn this on for all users, and every time you log in, it will prompt you for a code sent to your cell phone via text or an app. Without that authentication, the user can't log in. Email encryption allows you to protect sensitive data (think HIPAA for healthcare).

If you have an unlimited budget, what would be the gold standard of email protection?

User awareness is the best thing. Let's bring the user awareness back in house by investing in training our employees. Cyber criminals are investing their time and efforts to find vulnerabilities, and we should do the same to protect ourselves.

How can users spot malicious emails?

Never, never, ever respond to an email that prompts for a password. Look for grammatical errors. Some of these things are obvious, but look carefully at the emails. Just yesterday I got an email from the CEO of a company who rarely emails me, so things like that might be a red flag. Another tip is to not read or go through your emails if you're in a hurry. Your vulnerability goes up when this happens. I had a client who was in a big hurry to order gifts around the holidays for her employees. Because she was rushing, she clicked on what appeared to be an amazing deal from Walmart, only to find out later that it was a phishing attempt -- that cost $15,000.

Learn more about preventing and protecting against phishing attacks.

Feli's quick key takeaways:
  • User awareness and training is key in preventing attacks.
  • The devil is in the details; pay attention when you are responding to email.
  • Listen to your gut; if something feels off, it probably is.

Learn more about staying protected by reading our Password Protection 101 article.

Introduction

In this post, we’ll provide an all-encompassing run down of data security and data privacy, why it’s important, real-world examples, and key tips for your organization to keep your data secure and private.

Data security and data privacy are strongly interconnected but not the same. Knowing the differences is important to better understanding how they work, and what they each mean to your business.

With GDPR over a year old, and the California Consumer Privacy Act (CCPA) now in effect, it’s more important than ever for organizations to make sure they understand what these two things are, why they matter, and how to address them in their day-to-day business operations.

It’s especially important for industries with strict compliance laws such as healthcare, legal services, finance, and biotech; however, it applies to anyone collecting data. It should also be noted that this doesn't just apply to the IT or Compliance department, but really to the entire organization, from marketing and sales to customer service.

What’s the difference between data security and data privacy?

Data privacy is a part of data security and is related to the proper handling of data - how you collect it, how you use it, and maintaining compliance.

Data security is about access and protecting data from unauthorized users through different forms of encryption, key management, and authentication.

Why is Understanding the Difference Important?

With all the legal requirements now in place protecting consumers’ privacy and data, it’s critical that your business understands the implications of not understanding or addressing these two items. Now that we’ve covered what they actually are, let’s dive into what it means for you.

As a business, it is your responsibility to keep your data secure, and as a result, that also means keeping your employees’, customers’, partners’, and any other contacts’ data safe and secure. Without proper measures in place for this, there are a variety of scenarios that can happen:

1. If you don’t have proper security measures in place, such as Multi-Factor Authentication, Multi-Device Management, and Identity Management, your business could be at risk for a breach. Aside from employees, your data is your most critical asset. If it becomes compromised, the business will suffer dramatically and may even cease to exist.

About 60% of hacked small and medium-sized businesses go out of business after 6 months. 

2. Without proper measures in place to keep your employee or customer data private, you could be in violation of a variety of regulations. For example, healthcare companies must abide by HIPAA and not share sensitive patient information. This personal information should also not be sold or redistributed without consent. If you do, you could be 1) violating the law and 2) ending up with disgruntled customers who leave you for a competitor. Either way, it has a significant impact on your revenue between fines and loss of customers, not to mention the reputation you will form, which could have lasting effects.

What Are The Legal Implications? GDPR & CCPA Compliance

What GDPR Means for Your Business

With the EU’s General Data Protection Regulation (GDPR) now in place, businesses need to protect the “personal data and privacy of EU citizens for transactions that occur within the EU.” Now, even though this might seem similar to the situation in the US, there is a significant difference in how the EU and US look at identification information.

Under GDPR, companies need to apply the same level of data security to stored personally identifiable information, such as social security numbers, as to cookies. And even though the GDPR is an EU regulation, it also applies to anyone that has dealings within the EU.

To learn more about GDPR, here is a checklist we created to make sure your organization is protecting your data.

What CCPA Means for Your Business

The California Consumer Privacy Act (CCPA) took effect in January of 2020. The reasoning behind this bill was to protect the privacy and data of consumers. Essentially, it gives people the right to determine how their data is stored and shared.

With this law in place, and other states starting to follow, it’s critical for businesses in California to understand the legal ramifications and how to abide by the new law. This new law “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses” meaning California residents have the right to:

  1. Know what personal data is being collected, have access to that data, and be able to request that their data is deleted.
  2. Know if that data is being sold and to whom, and be able to opt out of having their data sold.

The CCPA applies to the following businesses (must meet only one of the following):

  1. Annual gross revenue greater than $25M.
  2. Buys or sells the personal information of 50,000+ consumers/households.
  3. Earns more than half its annual revenue from selling consumer information.

While this may not apply to you now, there are other states, and even discussions at the federal level, where data privacy rights will become more commonplace. Data isn’t going anywhere; in fact, it’s only growing, so regardless of whether you fall into today’s thresholds, it can’t hurt to start thinking about it for the future.

Here are a few more tips for being CCPA compliant.


One Real-World Example of Not Abiding By Data Privacy Laws

In January 2019, Google was fined $57M under the new GDPR law. This shows that even the biggest companies are still struggling with what this means to them and how to incorporate the right security and compliance measures within their business ecosystems.

The complaint came from a privacy group that accused Google of not properly adjusting its data collection policies to the new GDPR regulations. While the fine may be “immaterial” to Google, it goes to show how seriously regulators are enforcing this new law.

3 Tips and Reminders for Staying Data Secure

    1. Enable Multi-Factor Authentication whenever and wherever possible. This gives you better access control over your logins.
    2. Research and make sure you’re aware not only of your industry regulations but also of state-wide, national, and global laws that may impact you.
    3. Work with your IT team to make sure measures and policies are in place to protect user access controls.


Data Governance and Identity Lifecycle Management

One of the best places to start is making sure you're governing your data and enabling only the right individuals to access approved resources, which lowers your security risk. How do you do this? It starts with identity management. Identity management is the security discipline that enables the right people to access the right resources at the right time for the right reasons. There are many tools that allow for this, our favorite being Azure Active Directory. By implementing Identity Management across your systems and network, you ensure all employee activity and data are monitored and managed in a secure way. For example, so many people are working remotely and still collaborating today; documents are being sent back and forth and shared in a variety of ways. Identity Management lets your employees do this safely.

Conclusion

In conclusion, while data privacy and data security are certainly interconnected, there are different ways to properly address both.

As a reminder, data security focuses on the technology and tools required to deter cybercriminals from getting their hands on your information such as social security numbers, credit cards, accounts, etc.

Data privacy means complying with local and federal laws, within and outside your industry, so that the data you collect, the processes behind obtaining it, and what you do with it are all lawful.

Both are incredibly important, so I hope this article helped point you in the right direction.

If you wish to learn more, check out our tips on preparing for the CCPA. If you wish to learn more about how we can help you, learn more about our Compliance Management and Identity Management solutions.

Contact us Today!

Chat with an expert about your business’s technology needs.