[featured_image]

By the DynaSis Team

In Greek mythology, Pandora was a woman who accidentally unleashed all the ills of the world because she couldn’t resist opening the box that was holding them captive. For small and medium-sized businesses (SMBs), administrative access at the user level―letting untrained employees have full access to their desktop and potentially the company’s IT systems at the administrative level―is the Pandora’s Box of technology. Making matters worse, many employees don’t even know they have access to the box, so they open it unwittingly.

Here’s how this happens. Windows automatically configures the default user account as an Administrator. A Windows Administrator account is an unrestricted account that can make system-wide changes to the computer with no additional authorization or privileges.

SMBs that install new PCs for their personnel, or allow them to work from any PC or mobile device outside their scope of control, may unknowingly empower these individuals with Administrator access. Administrative accounts provide a direct pathway to root (hidden, low-level operating) settings and other built-in mechanisms for making any system change―not just beneficial ones.

If cyberattackers get access to a PC with an Administrator account, perhaps through a phishing email, infected site or other mechanism, they can then execute scripts, launch exploit kits (malicious toolkits that exploit security holes) and perform other actions at the root level. Many, if not most, actions running at this level will not alert the user, so destructive activities can continue, unchecked, potentially for the life of the PC.

If a device with Administrator privileges is authenticated to connect to the company network, the cyberattackers can easily penetrate the network, as well, potentially taking over the entire network for use as a bot (a form of automated attendant) to spread more phishing messages, stealing data, and infecting other connected devices automatically and decisively.

For every PC on the network, unless a user or an IT pro intentionally sets up a user account without administrative privileges, this can occur. This is a crucial, but often overlooked, step in securing any corporate defenses. Making matters worse, many “IT-aware” (but not IT-trained) business owners and employees have heard that the hidden Administrator account built into the Windows OS is disabled by default due to security concerns. This measure, in place since Windows Vista, was an important, needed change but it does not provide any protection for the default Administrator account at the user level.

Administrator-level users (called superusers in the IT world) are a primary mechanism for infection among SMBs. Given that the rate of targeted attacks against SMBs has more than doubled since 2011, and the ratio of data breaches to company size is 15 times higher for SMBs than for larger firms, the default Administrator account is something every SMB should address as soon as possible. To learn more about cyber security or discuss scheduling a security assessment to determine your level of risk, please give us a call.

[featured_image]

By the DynaSis Team

With the end of 2014 quickly approaching, many small and medium-sized business owners (SMBs) maybe already looking ahead to 2015 projects. However, in early December there is still time to take advantage of SMB incentive programs that confer significant tax advantages.

One of these is the Section 179 deduction. Although it is a mere shadow of its former self (at the present), it is still valid, with a 2014 deduction limit of $25,000 and a purchase limit of $200,000. That amount might not cover the cost of a new warehouse or other large capital facility or equipment purchase, but in the IT world it will stretch a long way.

Basically, all businesses that purchase, finance and/or lease less than $200,000 of new or used business equipment in 2014 should qualify for the Section 179 deduction. Furthermore, most tangible goods, including “off-the-shelf” software, qualify for the deduction, as does the labor to install and configure any purchases.

For example, let’s assume a business with 50 employees has to date purchased $100,000 worth of miscellaneous, covered equipment. Its IT systems are outdated―especially its desktops, which are too old to run current generation software.

The firm could lease 50 $1,500 desktops at a value of $75,000, and then spend another $25,000, outright, on software plus labor for installation and configuration of everything. The entire $25,000 the company expended in cash would be deductible. Or, a firm could lease all the IT improvements, with the cost of software purchases, installation and configuration included in the lease amount, and still deduct $25,000.

There is also a possibility that Congress may still reinstate during 2014 the $500,000 limit for Section 179 deduction purchases that ended in 2013. If this happens, companies should have a plan for purchasing additional equipment and other qualified items they can put into service before year-end.

DynaSis’ virtual CIOs (VCIOs) are IT analysis and planning experts with a wealth of experience helping SMBs plan capital IT expenses that align with and support their short- and long-term business goals. Additionally, our Ascend platform lets a company lease its entire IT infrastructure for a low monthly fee, including full support (proactive monitoring and management and Help Desk) and IT upgrades as needed. To learn more or discuss having an IT assessment to create a baseline for selecting the most cost-effective, productivity-boosting improvements, please give us a call.

[featured_image]

By the DynaSis Team

Another interesting survey came across our desk recently - this one about the use of social and mobile technologies. According to research from UK-based Advanced Business Solutions (ABS), companies* are using social and mobile outlets to increase their customer engagement, but they’re not putting them to full use to power greater business productivity.

According to the research, 85 percent of surveyed organizations use social and mobile technologies for external (customer/client marketing). Additionally, 69 percent use social technologies as response mechanisms for customer and prospect queries, comments, complaints and other communications.

However, only 17 percent of respondent companies are using these technologies to help workers share information and collaborate with one another. We found this interesting, given that approximately two-thirds of respondents stated that social and mobile technologies are valuable for employee collaboration. Nearly the same percentage thought that using them more effectively could improve efficiency.

A 2014 Constant Contact survey of U.S. small and mid-sized businesses (SMBs) appears to correlate these findings, at least regarding mobile technologies. According to the survey, 92% of SMBs either have a mobile-optimized website or are planning to create one in the next six months, and 23% are interested in using mobile advertising. In both cases, the focus is on using mobile technology for external, not internal communications.

It’s important to note that neither survey addresses other forms of productivity for which we view mobile, at least, to be pivotal. Among these is remote working―what we call “mobile officing.” Having access to properly managed mobile devices can give employees the ability to work as safely and productively as if they were at their workplace.  (The ABS survey did recognize the definition of mobile technologies as “creating an always-on work force that can connect and access information at any time and from any place.” That’s essentially how we view it.)

These surveys made us wonder how our customers and other readers are using mobile and social technologies. Are you using either or both to enhance internal collaboration? Are you focusing on externally facing messages and collaboration only? Do you feel you are achieving greater internal or overall workforce productivity with social and mobile technologies?

We’d love to hear your feedback―and talk to you about how you can achieve all these goals easily and affordably. To learn more, please give us a call.

By the DynaSis Team

In early September, we wrote about cyber-attacks and the role that human gullibility plays in them. (If you didn’t read that blog, the answer is “a very, very big one.”) We also offered some suggestions to help business owners protect themselves against vulnerability.

Now, we’ve come across some additional information you might find useful. In this article, we’ll offer not only startling statistics but also some of the keywords that signal danger. First, let’s discuss the statistics.

Over the past decade, the number of spear-phishing attacks (phony emails designed to trick recipients into exposing confidential information) has grown to an alarming number. According to security software developer Symantec, spear phishing campaigns in 2013 rose by 91% over 2012. As of 2013, one in every 392 emails was sent for the purpose of spear phishing.  That may sound like a small number (approximately .025 percent), but consider how many email messages your company sends per day or per year. (The average employee sends or receives approximately 115 emails per day.)

Enterprise employees aren’t the only gullible ones, either. The U.S. Department of Defense has been compromised by unwitting employees responding to spear phishing emails. The massive 2012 Department of Revenue data breach in South Carolina that compromised the private data of 3.8 million taxpayers, 1.9 million dependents, 699,900 businesses and 3.3 million banks started with a spear-phishing email.

Furthermore, the risk of data breaches is exploding. In 2013, the number of identities that were exposed (by all types of attacks) rose 700% over 2012. And, with the courts now holding companies financially and legally accountable for not protecting their data from breaches, the stakes are higher than ever.

Now, for some good news. Hackers know that spear-phishing attacks are more likely to be successful if they use certain words, with Order and Payment being the top two. Other commonly used words include documents, declassified, accounting and important. Companies with robust email security solutions can screen out spear phishing emails―and even ensure emails containing commonly used words receive extra scrutiny.

If you haven’t shared these dangerous keywords with your personnel, we encourage you to do so. It’s also helpful to run training exercises where you test your employees with fake emails to see who falls prey to them. You may be surprised with who takes the bait.

To learn more about spear phishing, cyber threats or digital security, please give us a call.

[featured_image]

By the DynaSis Team

Have you thought about the cloud lately? Are you thinking of moving your corporate assets to the cloud, or have you already done so? If not, get ready for a wake-up call. The cloud is expanding across everyone and into everything, whether we like it or not.

Virtually all technology solutions and devices, from backup appliances to software as a service (SaaS) offerings (where software is hosted in the cloud and accessed remotely), are consuming more cloud storage and Internet traffic every year. Because of this, Cisco recently announced that within the next four years, 76 percent of the Internet traffic through the world’s data centers will be cloud-based. That is a 40% increase over 2013, when the cloud accounted for 54 percent of total data center traffic.

Already, cloud data centers are responsible a total of 2,277 exabytes of the total 3,829 exabytes of traffic being generated. By 2018, this proportion will be 6,496 exabytes of a total of 8,574 exabytes. (An exabyte is one quintillion bytes or one billion gigabytes.)

Cisco also predicts a substantial shift to public cloud services as companies become more comfortable with them. By 2018, Cisco predicts, 31 percent of cloud workloads will be in public cloud data centers, up from 22 percent in 2013.  Interestingly, the devices that compose the Internet of Things (discussed here last week) are also going to contribute a significant amount of data to the cloud. Cisco predicts that data created by IoT devices will be 47 times greater than total data center traffic by 2018.

If all this growth sounds overwhelming, it is. After all, it’s hard to envision one billion gigabytes, or to conceive how the IoT actually functions. Nevertheless, major enterprises are embracing the cloud along with cloud solutions such as SaaS.

Big corporations know, for example that a cloud-hosted Microsoft Exchange server is far more reliable and less vulnerable than one deployed at a physical office location.  Most major enterprises realize that corporate networks are more vulnerable than data centers (which is where “the cloud” largely exists). More importantly, cybercriminals know this, as well. That’s why cyber-attacks on companies are more prevalent than attacks on data centers―and the majority of all successful data breaches occur through hacking of corporate servers.

Small and mid-sized businesses that want to be as productive and competitive as possible should create a plan for cloud adoption, now. It doesn’t have to involve a leap. It can be a step, possibly beginning with hosted Exchange as we mentioned above.

Here at DynaSis, we have developed hyper-secure cloud solutions, including private, corporate clouds where the firm retains control of its data and hosts it for remote workers. If you would like to learn more, please give us a call.

DynaSis, Atlanta’s premier provider of IT services and support for small and medium businesses (SMBs), today announced the launch of its new Unified Email Management (UEM) solution. With UEM, organizations will be protected with enterprise-grade email encryption, archival and continuity, paired with an always-on, cloud-based email security platform that delivers 100% anti-virus and 99% anti-spam blocking, with 0.0001% spam false positives.

“With email being one of the leading access points for successful cyberattacks, most organizations recognize they need better email security and management, but they do not know where to start,” said DynaSis President Dave Moorman. “With our UEM service, they won’t have to worry about evaluating and deploying one or more solutions. We’ll handle everything.”

With DynaSis UEM, a secure email gateway examines every email to thwart both known and emerging email-borne threats before they reach the corporate network. The solution also includes end-to-end, automated email encryption―seamless to both sender and recipient―to prevent sensitive corporate information being compromised, should emails be intercepted in transit. As a final security feature, UEM includes organization-wide security policy management, with the ability for changes to be applied as soon as a threat or problem is detected.

UEM also addresses another common corporate vulnerability where email is concerned―email archival and continuity. For UEM customers, DynaSis will perform forensic-grade, tamper-proof archival and retrieval of email (with seven-year retention) for regulatory compliance, eDiscovery requests, audits and other requirements. Furthermore, all email messages, calendars, contacts and tasks are synced and backed up between the organization’s Exchange Server and a secure, cloud-based archive that management and staff can access from anywhere in the event their corporate location is unavailable or their servers go down.

“Email is becoming an increasingly pervasive attack vector, with cybercriminals now able to launch spam and phishing attacks from Internet-connected appliances like printers,” Moorman noted. “For this reason, it is absolutely vital that companies protect their email―and their company―from attack. With DynaSis UEM, they gain that protection, and much more.”

About DynaSis
DynaSis is a managed IT service provider for small and medium-sized businesses in Atlanta, Georgia. DynaSis specializes in offering on-premise and on-demand managed IT service plans, managed hosting and professional equipment installation. For more information about DynaSis’ services visit https://dynasis.com.

[featured_image]

By the DynaSis Team

Have you heard of “The Internet of Things,” and if so, do you know what it is? This term is being bandied about in the media a lot recently, but it is certainly not self-explanatory, and we suspected that many business owners – not to mention their employees – do not understand precisely what it is or what it means for them. According to a survey, released last week by CompTIA, a leading IT industry trade association, we were right.

The Internet of Things (IoT) is a term that describes a global, interconnected network of objects that can transfer data over a network to other objects/entities without the need for a human or computer to propel the transfer. It is similar to the “smart grid” approach being used by utility providers to interconnect buildings and other facilities powered by electricity. However, with the IoT, network nodes are connected via a wireless data transfer network (like the Internet), instead.

A considerable percentage of science and technology experts predict that it is the future of our world. Per Pew Research, 83% of technology experts and engaged Internet users believe that the dynamic web created by the IoT, the cloud, and embedded/wearable devices will have widespread and beneficial effects by 2025. Furthermore, research firms predict that by 2020, between 26 billion devices (per Gartner) and 30 billion devices (per ABI Research) will be wirelessly connected.  Already, a lot of them are.

In other words, it won’t be long before most businesses and individuals will be connected in some way to the IoT, whether by the watch a company president wears, the smart thermostat installed in a corporate office, or the medical monitoring device that an employee has implanted inside his or her body after a heart attack or stroke. So, what does this mean for small and mid-sized businesses (SMBs), and do their owners need to be concerned with it, now?

The CompTIA survey referenced earlier found that 34 percent of SMBs in the United States haven’t reviewed their service or product portfolios to take advantage of the rise of the Internet of things (IoT) and 31 percent have no plans to change their offerings in order to do so. Interestingly, 49 percent of American SMBs think the IoT will help their organizations make more money.

Here at DynaSis, we are highly cognizant of the IoT, not only the benefits it can bring SMBs but also of the risks it may generate. Already, security experts are warning that without proper precautions, a cyber-strike against the IoT could wreak incredible havoc, not only on companies and citizens but also on global infrastructure. They point out that when the majority of “things” can communicate without human or computer intervention, there will be fewer opportunities for a person or a system to detect an attack as it crosses various nodes. This scenario will make robust defenses at the corporate level even more important.

We believe that SMBs should be at least familiarizing themselves with the IoT, now, and should be preparing for the impacts (both good and bad) it may have on their businesses. If you would like to learn more about it or discuss how it might affect you, please give us a call.

[featured_image]

By the DynaSis Team

With fewer than eight percent of companies (of all sizes) adopting Office 365 (per a May 2014 Bitglass survey of 81,000 firms), we have to ask ourselves, “What is holding organizations back?” Office 365 is a great product, and its subscription model makes it affordable for firms of all sizes while eliminating the hassle of licensing upgrades. Yet, adoption has been slow.

Based upon investigation and our experience, we postulate that several factors are impacting organizations’ decisions. One reason may be concerns about cloud security. Per the Bitglass survey mentioned above, 42% of companies are currently eschewing cloud adoption due to security concerns.

We find this development unfortunate, because the cloud absolutely can be safe with stringent security mechanisms and a reputable provider. However, that is a discussion for a different article. For the purposes of this discussion, it is evident that even this amount of “cloud concern” cannot be the only factor hampering Office 365 adoption.

In our opinion, another issue is the complexity of the move, itself. Office 365 is a great productivity tool, once it is up and running. However, implementing it is more involved than most organizations realize and ongoing operation is not completely hands-off. Consider these key tasks involved in the migration:

• Determine which versions of on-premise Office are running and who is using them. Decide if everyone is a migration candidate.
• Choose an Office 365 model. There is a variety of price points for the offerings, each of which includes a different set of applications and tools.
• Install the on-premise versions of all applications on user’s machines and devices (up to five per user), potentially with hardware upgrades being involved.
• Document all email accounts and confirm which ones should move to Office 365. If they are web-based, determine if they should remain open and accessible individually (Office 365 will sync with rather than replace them) or if the users can migrate to Office 365’s email service completely. Back up the email stores and import them into Office 365. Notify all contacts of new email addresses, if appropriate.

After migration, the organization will also need someone to administer Office 365 and provide Help Desk support. Commonly requested support issues include resetting passwords, setting mailbox and/or folder permissions, and more.

We suspect (and have heard from others) that many companies run the Office 365 “trial” with the intention of adopting it fully. Then, they realize they do not have the time and expertise to merge all their Office resources and set up Office 365 completely. Alternatively, they end up with a partial migration that creates a mess and so abandon the product. In other words, they cannot manage a do-it-yourself move.

Microsoft recently initiated a program, called Fasttrack, designed to help companies get Office 365 up and running smoothly. Unfortunately for small and medium sized business owners, it is optimized for installations of 150 seats or more, and all of the help is remote or online. It also cannot start until a company purchases Office 365. Taking such an approach extends adoption time, because organizations cannot work with a tech team to perform advance planning.

For any company wishing to adopt Office 365, we recommend working with a local IT expert that has technological competence with Office 365 migration and management. We just happen to be one of those firms, so if you would like to know more or discuss such a solution, please fill out our inquiry form or give us a call at (770) 569-4600.

[featured_image]

By the DynaSis Team

In last week’s blog, we introduced you to Shellshock, the software bug that has the entire technology world reeling due to its potential implications. Many firms, especially those with web servers, may have affected (but not necessarily infected) machines on their network and not even know it. Those with UNIX/Linux and Apple OS machines are at the highest risk level, but any network that connects to the Internet could be compromised by it.

As promised in last week’s article, this week we’ll talk a bit about network assessments and software audits. A network assessment is a process by which an in-house technical expert or a third-party provider evaluates all the devices running on a corporate network, including servers, desktops, laptops, tablets, smartphones and all other connected devices. It’s an important preventive measure against Shellshock.

At a minimum, a network assessment should be able to scan and see all the network hardware and determine whether it is protected by security software and/or devices. It should also be able to determine if the network and its devices are properly configured for optimal performance. An advanced assessment will also include a software inventory (audit) of all the software running on every machine. This level of assessment is needed to give companies a total picture of their vulnerability to the Shellshock bug.

Equally important to corporate productivity, the individuals or company performing any network assessment should be able to conduct their exploration in the background, with no impact on network resources. If software-based “discovery agents” are used, they should transmit no sensitive data out of the network. They should also be virtually undetectable by system users and should leave behind no traces of their process.

Once complete, the results should be outlined in easy-to-read reports about the network, its security weaknesses and its performance issues, as well as in an overall “score” that gives management a solid, at-a-glance idea of how their network performs. The assessment package should also include suggestions for urgent, recommended and optional improvements, with details about the issues these changes will resolve and/or benefits they will provide.

At DynaSis, we perform network assessments using a custom-built, secure solution that meets all these criteria. However, we have worked with many organizations who ordered network assessments that did not meet some―or any―of these standards.

As a comparison for your own evaluation, here’s a list of what our network assessment findings include:

• A summary of your overall risk score, with charts identifying problem areas and conflicts.
• A Best-Practices Deviation Report of pressure-point issues that warrant investigation.
• An inventory of network devices (routers, printers, PCs, servers and more), including rogue devices operating without the organization’s knowledge.
• A list of network access weaknesses (e.g. insecure passwords or outdated permissions).
• An inventory of installed applications, per machine.
• An inventory of servers (Web, Exchange, SQL) and recommendations for better configuration and management.

Even if your network assessment and software audit reveal that Bash isn’t in use on any of your machines, it will undoubtedly root out performance and/or security problems you didn’t realize were there. After all, nine out of 10 corporate networks have network issues that are hampering worker or company productivity.

To learn more about network assessments or to ask us questions about the current threat landscape, please fill out our inquiry form or give us a call at (770) 569-4600.

[featured_image]

By the DynaSis Team

Have you heard of “Shellshock”―the newest computer vulnerability to hit the news? If so, you may be wondering if your firm is at risk. Or, perhaps you heard that Shellshock doesn’t affect Windows devices, so you have dismissed it as a non-event for your office. In either case, we encourage you to read this alert.

Discovered on September 12 and made public on September 24, Shellshock (also known as Bashdoor) is actually a family of bugs in a program called Bash. Written more than two decades ago, Bash is a “command shell” program―it interprets commands from users and other computers and relays them to the machine on which it is installed. Experts now believe that the bugs in Bash may have been introduced into the software code accidentally in 1992.

Bash can run on devices and systems that use the Linux or UNIX operating systems or Apple OS X, but vulnerability doesn’t stop there. UNIX is deeply ingrained into the Internet, and experts estimate that as many as 70% of Internet-connected devices run Bash. It’s also used frequently in consumer electronics, from watches to cameras.

Here are the takeaways you need to protect your firm.

• The National Institute of Standards and Technology rates Shellshock a 10 on a 10-point severity scale. (Heartbleed was a 5.)
• Firms running Windows are at risk, because a variant of Bash that runs on Windows is vulnerable, as well. Furthermore, if employees visit compromised websites, they could pick up malware distributed by the site. Firms that run web servers or have UNIX, Linux, iOS or Android devices on their network have a heightened risk of attack.
• Unlike Heartbleed, a hacker can only exploit Shellshock if the targeted machine uses Bash. Having it installed isn’t enough to result in exposure.
• It is an unsophisticated vulnerability, making it is easy for hackers to make use of it. Unlike Heartbleed it doesn’t just steal information. It takes remote control of computers and can do just about anything with them or the networks to which they connect.
• Companies that run Bash are issuing fixes and patches rapidly. Unfortunately, many of them have been incomplete or ineffective. This situation should improve over the next few weeks.
• As a precaution, companies should ensure all their software is fully updated and check to see if the websites they or their employees use have been patched.
• Internet-connected firms that have not had a network assessment (including a software audit) recently should conduct or order (outsource) one, soon. Proactive assessments, auditing and policy implementation are some of your most important defenses against this bug. (More about that in next week’s blog.)

From a broader perspective, we find it deeply concerning that a software flaw could have existed for 22 years, undetected. It makes us wonder how many other “low-level” programs―perhaps that are also deeply ingrained in the Internet or other systems―have similar flaws.

To learn more about Shellshock or to discuss proactive software updates, vulnerability assessments and/or software audits, fill out our inquiry form or give us a call at (770) 569-4600.