By the DynaSis Team

In past articles, we have discussed the value of written policies to direct and define expectations for corporate security. We have talked about the importance of having strong employee security policies that not only educate but also clarify what behaviors are unacceptable—and potentially actionable.

As we head into a year predicted to be more dangerous than ever before in terms of cyber-risk, we offer you a list, developed with the input of DynaSis’ in-house security experts, of the principal elements a data security policy should include. When complete, such a resource will help to manage the activities and behaviors of personnel and provide support for the organization’s risk management strategy.

Nine Essential Elements of a Best Practices Data Security Policy

Data Privacy: What sensitive/confidential data the organization retains (including a plan for classifying data, if uncertainty exists) along with a program for securing, retaining and disposing of it. If the firm is subject to regulatory mandates, such as HIPAA (Health Insurance Portability and Accountability Act of 1996), how the firm will comply.

Password Management: Rules that define the content of passwords; how often they must be changed; how they are administered.

Internet Usage: What personal Internet usage is allowed at the workplace, if any, with a list of restricted site types. Information to help employees identify and avoid risky/infected sites. Also should include restrictions on Internet usage outside the corporate network (e.g. unsecured Wi-Fi sites) as well as prohibitions on establishing unauthorized Internet access points within the network.

Email Usage: How and where personnel can retrieve and send email, including prohibited behaviors such as transmitting corporate email over unsecured networks or allowing non-employees to send messages through a corporate account.

Company-owned devices: How and where company-owned devices may be operated; restrictions, if any, on the types of data stored on them; procedures in the event of damage, theft or loss.

Employee-owned mobile devices: Whether or not company data (including email) may be accessed or stored on personal devices. If personal devices are used for work and are company controlled, restrictions similar to those for company-owned devices may apply.

Social Media: Whether or not, and how, employees may use social media at the workplace or on company-controlled devices. Prohibitions, if any, on sharing information about the company, its personnel and its operations over social media.

Software Copyright & Licensing: Prohibitions against installing and using unapproved or unlicensed software on company servers. May also include how the company maintains its software licenses and how often it updates that software.

Security Incident Reporting: Policies and procedures for reporting security incidents. Incidents include not only activities (e.g. loss or theft of a mobile device) but also potential attempted intrusions, such as receipt of a suspicious email message. Personnel should be encouraged to report any activity or communication they are not certain is safe.

This list is extensive, but it is not exhaustive. Depending on the organization, industry and business model, additional information might be appropriate for inclusion. We have also excluded complex technology-layer policies, such as encryption policies and incident response procedures. Those are a discussion for a different day.

DynaSis has been Atlanta’s premier IT support services provider for more than 23 years. As an IT company working with small to midsized businesses (10 to 150+ users), DynaSis has developed a unique 12-layer approach to network threat protection, ransomware prevention and crypto virus threat elimination. The DynaSis Business Cloud functions through a highly secure environment with full real-time data backup. Please contact us at 678.218.1769 or visit our website at www.DynaSis.com.


By the DynaSis Team

Cybersecurity, already a hot topic in the news, has moved to an even brighter spotlight now that the presidential candidates are discussing it. The merits of their positions are not for us to debate here. However, their actions underscore the idea that cybersecurity is an issue of concern to the citizens who might vote for them.

Statistics support this viewpoint, especially among the small and midsized business (SMB) community. In May 2015, Endurance International Group (EIG) released the results of a survey that indicated 81 percent of SMB owners have cybersecurity concerns. Even more (94 percent) “often think” about online security. This is good news, given that SMBs are prime targets. A Verizon study found that organizations with 11-100 employees are 15 times more likely to have their security defenses breached than organizations with more than 100 employees.

Unfortunately, the EIG survey also contained some deeply worrisome statistics. Researchers discovered that 94 percent of SMB owners don’t have cybersecurity insurance. Eighty-three percent handle cybersecurity themselves, often because they don’t think they can afford to employ IT support staff or contract for managed IT services.

In reality, the risk of being breached has become so great that no business can afford not to engage professional help. Attack vectors are evolving so rapidly that it is impossible to avoid them completely. Multi-national, billion-dollar corporations work to manage risk with layers of protection that close security holes, remove or clean infections, detect and stop malicious activities, and provide other lines of defense for corporate systems.

As we head into 2016, we hope all SMB owners will embrace this approach and take action to fortify their companies’ defenses. There simply is no “silver bullet” for security. No single solution will protect a firm. Companies must use a multi-layered approach in order to mitigate threats. Beginning with our first January article, we will be covering various aspects of cybersecurity to help educate our readers regarding this daunting but critical task.

Cybersecurity is complex, and it deserves everyone’s full attention. To ignore it is to accept the consequences of a breach. For an SMB, such an event is almost always financially crippling. In 60% of cases, it will destroy the business within six months.

By the DynaSis Team

In the current corporate landscape, business continuity requires ongoing access to important company files, no matter what. No longer are customers willing to wait a week to receive a quote for a job or to have their order confirmed. The world operates in real time, and customers expect the businesses with which they work to do the same.

This need is leading many business owners to rely on real time data storage solutions that could actually hamper their business continuity in certain situations. To illustrate this point, let’s consider Dropbox—one of the most popular file storage services on the planet. Dropbox is an inexpensive way for organizations to store and share files among employees, customers and other authorized individuals. However, Dropbox has serious limitations from a business continuity perspective.

Dropbox has an easy-to-use mechanism to help users recover deleted files—or restore older versions—for up to 30 days (up to a year with Dropbox for Business Accounts). It also has redundant servers protecting customer data in the event Dropbox itself experiences a server failure.

However, for company personnel to make the most effective use of Dropbox, they must sync some or all company files to their local computing devices. To do this, during setup they tell Dropbox what data they want to store and sync locally. Most users share and sync folders rather than individual files, and these can become enormous over time as other users add files to them.

If local devices lack enough storage to stay in sync, Dropbox will stop syncing and prompt the users to reevaluate their Dropbox allocations, a process that wastes time and drains productivity. When users don’t have time or knowledge to manage those allocations, many will save their files locally, planning to upload them to Dropbox later. When that doesn’t happen, the entire system falls apart, along with any pretense of having a complete backup.

Second, most file storage and sharing services such as Dropbox (and Google Drive) do not offer end-to-end security. Files stored with them are encrypted on those servers, but they're not locally encrypted on the computers where they originate before being synced to the cloud, which also means they are not encrypted during transit. If a hacker has access to a user’s account or has penetrated the corporate network, he or she could easily steal company data unless the firm is using local encryption, which is a rarity.

The advanced file backup solutions offered by companies such as DynaSis will eliminate both of these challenges, and they can incorporate on-demand file access and sharing, as well. Productivity is maximized, and concerns about local PC and backup continuity are resolved.

In today’s threat-laden environment, data protection is king, and ensuring it is appropriately secured and replicated is essential. We’re not saying that companies should avoid online file storage and sharing. Rather, we’re suggesting that business owners should work with a competent IT advisor who can help them determine exactly which file storage, sharing and backup solutions are right for their environments.

About DynaSis

DynaSis is an Atlanta IT services and cloud computing provider for small and midsized businesses. All of our solutions focus on helping companies achieve the three fundamental IT necessities of the modern business—availability, security and mobility. We specialize in on-demand and on-premise managed IT services, managed cloud infrastructure, desktops and backups, and professional hardware and equipment installation. For more information about DynaSis’ IT support and services, visit www.dynasis.com.

By the DynaSis Team

For as long as man has been able to scratch an image on a wall, people have been saving “data.” From etching on stone tablets to writing on papyrus, humans have always recognized the value of archiving information we consider important. Today, data and data protection are more than a convenience—they are essential to business survival. Yet, we find that many firms still take a lackadaisical approach to data protection.

While the majority of companies back up their data—some through multiple mechanisms—there are many “data protection” strategies that some organizations overlook. Following are some top recommendations for data protection.

  1. Storage must be accessible. Many companies have years of data stored on tapes or legacy drives, much of which may have been compressed to save space. Technology changes rapidly, and those firms may no longer have functioning equipment that can read those tapes/drives or decompress that data. In such a situation, if they needed to restore data from an earlier period, their backups might be worthless. Keeping data storage systems up to date and readable is absolutely crucial.
  2. Backups must be remote. One of the most foolish and dangerous actions a business can take is to store its data backups onsite. It’s equally hazardous to have a worker tasked with physically transporting backup drives or tapes offsite, every night, and returning them in the morning. The safest way to store backups is to transfer them, via a remote connection, to a highly secure, offsite location.
  3. Data must be free from corruption. Even though data breaches make the biggest news, data corruption can be just as damaging—and much more insidious. Opening an infected email or using a thumb drive from an unknown source can introduce malware or viruses that can corrupt files, making it impossible to open them. Furthermore, software bugs and even user error can cause data corruption. If it goes undetected, the backups of those files may be corrupted as well, leaving no usable archive of the data. Regular system scans for malware and other undesirable software are paramount.
  4. Systems must be up to date. Out-of-date software, improperly maintained hard drives, and misconfigured or corrupt system files, such as the system registry (a database that stores information about a Windows system and its components), can all cause data corruption. Regular system maintenance is vital to protecting data.
  5. Data must be secure. Data resources, both primary and backups, must be safe and free from the threat of intrusion or theft. Using a secure operating system that requires user authentication, enabling robust firewall protection and taking other security measures are essential for data protection and retention.

If your business isn’t achieving all five of these goals, it’s time to revamp your approach. IT providers such as DynaSis can help develop data management and protection strategies, including the use of secure cloud resources, to ensure your data is always accessible when you need it.

By the DynaSis Team

For more than a decade, virtualization has been a well-promoted solution for achieving flexibility and security with on-premise (in-office) servers. With virtualization, a company and/or its IT vendor “carves” a server or dedicated storage device into multiple virtual servers/drives (these deployments are called virtual machines, i.e. VMs). One of the ways that DynaSis helps its customers maximize IT ROI (and security) is by designing and installing a virtual server layout on a single physical one.

Multiple VMs can reside on a single physical server, yet each will be totally segregated from the others and can have a discrete purpose, separate authentication and security protocols, availability rules and other characteristics of a physical server. Another advantage of virtual servers is that storage allocation for each VM can be altered quickly―and often, dynamically based on load.

For all these reasons, many cloud servers are virtual, with data centers dividing their large servers and storage arrays into numerous VMs for their clients. With virtualization having become an indelible fixture of data center operation, and the technology also being so beneficial for on-premise server installations, we scanned the Internet for expert advice on what we and our customers can expect from virtualization in 2015. Two items, in particular, sparked our interest.

Virtualization Security: With so many security breaches in 2014, it is inevitable that vendors will be placing a renewed focus on security. One of the hot new approaches at the data center level is “micro-segmentation,” where every discrete virtual machine becomes its own impregnable fortress with dedicated security.

Data-center-level solutions are generally too expensive for SMBs to implement for their on-premise implementations of virtualization, but that doesn’t mean companies that implement virtualization are necessarily at risk. Companies that work with a vendor that provides robust, end-to-end security and proactive problem resolution, including patch application, can be confident that their virtual machines are fully protected, as well. At DynaSis, we have always considered security paramount, and we recently introduced another layer of security for our Managed IT customers.

Converged Infrastructure: This term may sound a bit arcane to those outside the IT world, but it’s really a fancy way of saying bundling. Experts expect acceleration of this trend―where a company works with a vendor that provides a complete solution comprised of multiple infrastructure (hardware) components packaged to work well together.

Packaging interoperable infrastructure for maximum security and connectivity is always a good idea, but it requires preplanning, so it is easy to overlook. It’s the approach we take with our Ascend offering, where we build out a firm’s infrastructure and they lease it from us for a low monthly fee, including management and security. We definitely hope this trend will gather momentum in 2015, as it can be very beneficial.

In addition to these two trends, we saw mention of a number of protocols, solutions and platforms, all of which are too complicated to discuss in this short article. However, be assured that the DynaSis technicians are staying abreast of these developments to give you the most secure, productive virtualization experience possible. To learn more about the substantial benefits of virtualization, or to meet with a DynaSis Virtual CIO to explore the possibilities for your firm, please give us a call.

By the DynaSis Team

In Greek mythology, Pandora was a woman who accidentally unleashed all the ills of the world because she couldn’t resist opening the box that was holding them captive. For small and medium-sized businesses (SMBs), administrative access at the user level―letting untrained employees have full access to their desktop and potentially the company’s IT systems at the administrative level―is the Pandora’s Box of technology. Making matters worse, many employees don’t even know they have access to the box, so they open it unwittingly.

Here’s how this happens. Windows automatically configures the default user account as an Administrator. A Windows Administrator account is an unrestricted account that can make system-wide changes to the computer with no additional authorization or privileges.

SMBs that install new PCs for their personnel, or allow them to work from any PC or mobile device outside their scope of control, may unknowingly empower these individuals with Administrator access. Administrative accounts provide a direct pathway to root (hidden, low-level operating) settings and other built-in mechanisms for making any system change―not just beneficial ones.

If cyberattackers get access to a PC with an Administrator account, perhaps through a phishing email, infected site or other mechanism, they can then execute scripts, launch exploit kits (malicious toolkits that exploit security holes) and perform other actions at the root level. Many, if not most, actions running at this level will not alert the user, so destructive activities can continue, unchecked, potentially for the life of the PC.

If a device with Administrator privileges is authenticated to connect to the company network, the cyberattackers can easily penetrate the network, as well, potentially taking over the entire network for use as a bot (a form of automated attendant) to spread more phishing messages, stealing data, and infecting other connected devices automatically and decisively.

For every PC on the network, this can occur unless a user or an IT pro intentionally sets up a user account without administrative privileges. This is a crucial, but often overlooked, step in securing any corporate defenses. Making matters worse, many “IT-aware” (but not IT-trained) business owners and employees have heard that the hidden Administrator account built into the Windows OS is disabled by default due to security concerns. This measure, in place since Windows Vista, was an important, needed change, but it does not provide any protection against the default user account having Administrator privileges.

Administrator-level users (called superusers in the IT world) are a primary mechanism for infection among SMBs. Given that the rate of targeted attacks against SMBs has more than doubled since 2011, and the ratio of data breaches to company size is 15 times higher for SMBs than for larger firms, the default Administrator account is something every SMB should address as soon as possible. To learn more about cyber security or discuss scheduling a security assessment to determine your level of risk, please give us a call.

By the DynaSis Team

In early September, we wrote about cyber-attacks and the role that human gullibility plays in them. (If you didn’t read that blog, the answer is “a very, very big one.”) We also offered some suggestions to help business owners protect themselves against vulnerability.

Now, we’ve come across some additional information you might find useful. In this article, we’ll offer not only startling statistics but also some of the keywords that signal danger. First, let’s discuss the statistics.

Over the past decade, the number of spear-phishing attacks (phony emails designed to trick recipients into exposing confidential information) has grown to an alarming number. According to security software developer Symantec, spear phishing campaigns in 2013 rose by 91% over 2012. As of 2013, one in every 392 emails was sent for the purpose of spear phishing. That may sound like a small number (approximately 0.025 percent), but consider how many email messages your company sends per day or per year. (The average employee sends or receives approximately 115 emails per day.)

Enterprise employees aren’t the only gullible ones, either. The U.S. Department of Defense has been compromised by unwitting employees responding to spear phishing emails. The massive 2012 Department of Revenue data breach in South Carolina that compromised the private data of 3.8 million taxpayers, 1.9 million dependents, 699,900 businesses and 3.3 million banks started with a spear-phishing email.

Furthermore, the risk of data breaches is exploding. In 2013, the number of identities that were exposed (by all types of attacks) rose 700% over 2012. And, with the courts now holding companies financially and legally accountable for not protecting their data from breaches, the stakes are higher than ever.

Now, for some good news. Hackers know that spear-phishing attacks are more likely to be successful if they use certain words, with Order and Payment being the top two. Other commonly used words include documents, declassified, accounting and important. Companies with robust email security solutions can screen out spear phishing emails―and even ensure emails containing commonly used words receive extra scrutiny.
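The extra-scrutiny screening described above, as an added example that is not part of the original post: it parses raw email messages and scores the subject and body against the lure keywords the post lists, weighting Order and Payment (the top two) higher and subject-line hits double. The weights, the threshold and the sample messages are assumptions constructed for this example; keyword matching is a coarse heuristic meant to route mail for review, not a substitute for a full email security solution.

```python
import email
import re
from email import policy
from typing import Dict, List, Tuple

# Lure keywords cited in the post. "Order" and "Payment" are named as the
# top two, so they carry extra weight. Weights are an assumption.
LURE_KEYWORDS: Dict[str, int] = {
    "order": 2,
    "payment": 2,
    "documents": 1,
    "declassified": 1,
    "accounting": 1,
    "important": 1,
}
REVIEW_THRESHOLD = 2  # assumed: at or above this score, route for extra scrutiny


def extract_text(raw_message: str) -> Tuple[str, str]:
    """Return (subject, body text) from a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = msg["subject"] or ""
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    return subject, body


def score_message(raw_message: str) -> Tuple[int, List[str]]:
    """Score a message by lure-keyword hits; subject hits count double."""
    subject, body = extract_text(raw_message)
    score = 0
    hits: List[str] = []
    for field, text, multiplier in (("subject", subject, 2), ("body", body, 1)):
        lowered = text.lower()
        for word, weight in LURE_KEYWORDS.items():
            # Whole-word match so "important" does not fire on "importantly".
            if re.search(rf"\b{word}\b", lowered):
                score += weight * multiplier
                hits.append(f"{field}:{word}")
    return score, hits


def route(raw_message: str) -> str:
    """Decide whether the message is delivered normally or held for review."""
    score, _ = score_message(raw_message)
    return "review" if score >= REVIEW_THRESHOLD else "deliver"


# Constructed sample messages (not real mail).
SAMPLE_LURE = """\
From: accounts@example.invalid
To: staff@example.invalid
Subject: Payment order overdue

Please open the attached documents today.
"""

SAMPLE_BENIGN = """\
From: alice@example.invalid
To: staff@example.invalid
Subject: Lunch on Friday

Anyone up for tacos?
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, route(raw), score_message(raw))
```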

If you haven’t shared these dangerous keywords with your personnel, we encourage you to do so. It’s also helpful to run training exercises where you test your employees with fake emails to see who falls prey to them. You may be surprised at who takes the bait.

To learn more about spear phishing, cyber threats or digital security, please give us a call.

By the DynaSis Team

Have you heard of “Shellshock”―the newest computer vulnerability to hit the news? If so, you may be wondering if your firm is at risk. Or, perhaps you heard that Shellshock doesn’t affect Windows devices, so you have dismissed it as a non-event for your office. In either case, we encourage you to read this alert.

Discovered on September 12 and made public on September 24, Shellshock (also known as Bashdoor) is actually a family of bugs in a program called Bash. Written more than two decades ago, Bash is a “command shell” program―it interprets commands from users and other computers and relays them to the machine on which it is installed. Experts now believe that the bugs in Bash may have been introduced into the software code accidentally in 1992.

Bash can run on devices and systems that use the Linux or UNIX operating systems or Apple OS X, but the vulnerability doesn’t stop there. UNIX is deeply ingrained into the Internet, and experts estimate that as many as 70% of Internet-connected devices run Bash. It’s also used frequently in consumer electronics, from watches to cameras.

Here are the takeaways you need to protect your firm.

From a broader perspective, we find it deeply concerning that a software flaw could have existed for 22 years, undetected. It makes us wonder how many other “low-level” programs―perhaps that are also deeply ingrained in the Internet or other systems―have similar flaws.

To learn more about Shellshock or to discuss proactive software updates, vulnerability assessments and/or software audits, fill out our inquiry form or give us a call at (770) 569-4600.

By the DynaSis Team

The media gives a lot of coverage to cyberattacks and their perpetrators, but the reality for many businesses is that the blame for security breaches lies inside the office. Criminals in faraway countries may design and launch the attacks, but if a company is stoutly defended, an attack should not succeed.

Furthermore, although “stout” defenses require up-to-date technologies such as firewall devices and anti-malware solutions, technology isn’t your only line of defense. Numerous studies indicate that cyberattacks are often successful because company employees let the attackers in.

In fact, a 2014 study conducted by IBM found that in 2013, human error was involved at some level in more than 95 percent of security incidents. The most common “mistake” was an employee clicking on a malicious email link that compromised the corporate defenses in some way.

Other significant forms of human error cited by the IBM report included system misconfiguration, inadequate system patch management and bad password oversight. The remaining top “errors” the study cited were security breaches due to lost laptops and mobile devices.

To combat these vulnerabilities, companies should address what we consider to be the “three pillars” of corporate security―user education, properly managed IT and security systems, and mobile device management. Companies that are not yet taking these pillars seriously are playing Russian roulette, and it won’t be long before it’s their turn to become a victim. We’ll address the second two―properly managed IT and security systems and mobile device management―first.

  1. Managed IT and Security Systems: Purchasing and deploying a firewall appliance or other security mechanisms isn’t a sufficient defense. As the IBM survey noted, the people behind the technology are equally important. System configuration, patch management and password oversight are all activities normally handled by IT personnel, not by users. That these factors are cited as contributors to successful cyberattacks underscores the importance of organizations having competent managed services teams working for them.
  2. Mobile Device Management (MDM): Human error may result in a stolen or lost tablet or mobile device, but that doesn’t mean the company has to be compromised. With a solid MDM solution in place, wiping corporate information is a painless process.
  3. User Education: We urge all business owners to engage in a major education initiative with employees, if they haven’t already. Actions we recommend include:

For companies that aren’t confident they have addressed all these issues, IT assessments and network vulnerability checks are the best place to start. For more information, fill out our inquiry form or give us a call at (770) 569-4600.

By the DynaSis Team

On August 14, Forbes published an interesting article entitled Technology Will Change Your Job: How to Prepare. It’s no secret that technology changes our work lives (and our personal lives). It increases productivity enormously, for example. It also makes it easier to stay “plugged in” to the workplace―a double-edged sword that gives us more mobility but also lets others track us down when we would prefer not to be connected.

However, this article wasn’t about that aspect of technology. Rather, it referenced a book, by attorney Richard Lieberman, entitled Your Job and How Technology Will Change It. In the book, Lieberman postulated that technology won’t simply let us work more efficiently; it will change the intrinsic nature of our jobs. He also suggested that those who do not adapt to this change will find themselves out of work.

“Bemoaning new technology is very much like those people who said passenger airplanes were terrible because they did not provide the comfort, leisure and sociability of a long train trip,” Lieberman stated. A more accurate analogy, we submit, would be to compare the value of a technically astute, well-trained administrative assistant to one who clings to an early version of WordPerfect or Word―or heaven forbid, a typewriter.

The message was, essentially, “Adapt or die,” and we believe that this message applies not only to workers but also to the businesses for whom they work. Emerging technologies from robotics to cloud computing are being adopted much faster than most people had predicted. Young people are embracing these new technologies far more rapidly than their older counterparts, and they want their employers to adopt and provide cutting-edge solutions, as well.

Conversely, many older workers and managers (the Baby Boomers) are not staying abreast of technology. However, they retain the majority of cultural and institutional knowledge that makes a company “tick,” and they often make the rules regarding who can do what, and when.

Frustrated by the pace of technological change, younger workers are bringing their more advanced, personal technology to work, much to the consternation of the older, inflexible executives and managers. In doing so, these younger workers can put businesses at risk.

So, the challenge for business owners is to adopt a more aggressive technology stance that will attract the younger stars without endangering the business. They also need to identify and retain older corporate leaders that do appreciate technology―those who can bridge the generation gap within the firm. In doing so, companies can develop a tech-forward, integrated workplace where all players can embrace secure corporate solutions to foster a collaborative, productive work environment.

The alternative is an unspoken “war” at work, where older, hidebound executives and IT pros attempt to “control” the activities of younger workers, and the workers either become frustrated and leave or they simply find workarounds and do what they want. Neither is a satisfactory, long-term solution for anyone.

Now, here’s the good news. Companies do not have to make major IT purchases and plan exhaustive implementations every year or two in order to have an up-to-speed IT infrastructure. Solutions exist, such as the DynaSis Ascend platform, that let firms pay a flat monthly fee for deployment and use of modern, secure IT solutions upgraded on a regular basis.

Such an approach keeps everyone happy. To learn more, please fill out our inquiry form or give us a call at (770) 569-4600.