The Enemy at the Gate

 

The Enemy at the Gate

As an MSP (Managed Service Provider)  who has been supporting small to mid-sized businesses for over 30 years, one thing I can tell you is that the mindset of "we are too small to be the target of a cyber-attack" is far more widespread than one might think.

Some might accuse me of exaggerating, or spreading FUD (Fear, Uncertainty & Doubt) like so much manure on the garden of business.. But in all fairness, I would say that I am understating the gravity of this phenomena.  The data doesn't lie. A recent Accenture/Ponemon study (PDF) shows that 68% of business leaders feel their cybersecurity risks are increasing, and Verizon found that 43% of breach victims were classified as small businesses.

Now, back to my initial postulation that SMB's seem to have a tendency to underestimate their risk.  How I know this to be true is that I find in many cases when doing cybersecurity assessments of prospective new clients, the most often overlooked facet of their cybersecurity maturity score is the firewall.  If there is one element of a businesses defense system that should not be ignored, it's network infrastructure, especially the firewall.

The simple fact is - an outdated firewall not only is likely to be laced with unpatched vulnerabilities, it also is not equipped to handle the threats todays cybercriminals bring to the party. Proper lifecycle management of perimeter security devices is about 5 years.  By that point, the technology has changed to meet the current level of threat to a point where simple subscription based services can no longer keep up.

Case in point - over 70% of all Internet traffic is secured by SSL encryption. The familiar HTTPS preceding the web URL tells you that the connection between you and that web server is secure.  But is it really? Many firewalls can not inspect SSL traffic, and so it passes directly to your browser, with all the potential vulnerabilities intact.  In fact, many of the bad actors who are perpetrating cyberattacks on all levels of business are working in that same "secure" space because they KNOW, most firewalls are either incapable of ferreting them out, or are not properly configured to do so because of the performance hit that results from deep packet inspection of SSL traffic.  It takes serious horsepower to un-encrypt, scan, and re-assemble SSL traffic.

More concerning to me on these visits is when I see big-box store level wireless routers often found on sale for under $100 and touted as a "firewall" being used in a business setting. Or even worse, just using the modem provided by the broadband provider du jour. Let me help you with this - for free - it's not good! No bueno, sehr schlect, call it what you will, but don't call it a business class firewall.  These devices do not have the intrusion prevention mechanisms, country of origin, BotNet, or malicious content filtering capabilities needed in today's cyberthreat landscape.

Yes, I see you out there with the sheepish grin.. While I might call you out for neglecting your businesses security, I don't blame you. Running a business is expensive, and you were probably given advice by someone, or read a review online, or have fallen victim to an IT support provider that really does not understand cybersecurity..  and so, I won't judge.  I would rather educate business owners on the harsh reality of why they need to work with a professional security focused MSP to ensure that the most critical component in their cyberdefense arsenal is right-sized for their current and mid-term needs.

The average payout for a ransomware intrusion on a typical business network is up to $111,605 (bankinfosecurity.com April 2020 study) and as a small business owner myself, the last thing I want to be doing is footing that kind of bill.  While you may recover from the problem, what is often missed in this calculation is the lost customer confidence that can further erode your bottom line over time.  Having the right firewall is the best first step a small business can take to defend against this type of intrusion, and a small price to pay in comparison to the risk.

With the average time to detect an intrusion ranging from 90 - 180 days, sometimes more, having a strong barrier to intrusion is the best first step you can take other than educating your workforce on how to recognize common threats. (Cybersecurity awareness training should be both mandatory and ongoing, and directed from the top down). The amount of downtime that occurs when a malicious intrusion happens can be staggering. To a a small business, this can often result in becoming the straw that breaks the camels back.  

Investing in the right firewall can mean the difference between long term success and failure. If you have not had a cybersecurity assessment performed in a couple years, partner with a reputable MSP or MSSP (Managed Security Service Provider).  They should be able to sit down with you, determine your organizational cybersecurity maturity level and make the right recommendations to help you safeguard your business.  If you are in the Western Massachusetts, Northern Connecticut area, contact us by web, or call us at (413) 786-9675.

Stay tuned for our next look at securing your business with our upcoming blog on endpoint protection.

Go to Your Room!

Go to Your Room!

We are living in unprecedented times.

The new *Normal* has definitely shaken things up in the business world.  Take all the political posturing out, remove all the hype and fear-mongering, ditch the conspiracy theories..  The fact remains, the business world is changing.  If you are reading this as a business owner, accept the fact.. No..  Embrace the fact..  things are changing.  Change with them, or be doomed to midden heap of mediocrity...  or worse.. failed business.

Sounds harsh, right?  Now, in your best Darth Vader voice, say "Search your feelings, you know it to be true".

So what is this blog all about - as you might see, it is being delivered in a somewhat light tone, filled with candor.. I think..  The point is - with the new movement to a more work-from-home environment becoming more common, how do you maximize that for your business.

Here are a handful of truths:

• Many administrative tasks can be accomplished from a home office
• One of the largest burdens on business is the cost of commercial space
• Engaging the younger workforce means accepting a different perspective on hours of operation
• Productivity from a work-from home (WFH) begins with equipping them for success 

Let's touch on these, shall we?

Business Administration from Afar:

Many office tasks are not necessarily tied to a physical location.  If you are paper-heavy - meaning rooms full of file cabinets containing documents from decades ago, ask yourself the hard question - is it necessary?  If it is - come up with a way to digitize the information you absolutely need to keep, invest in a document management system for quick recovery based on keyword searches, and shred the paper.  You will end up with more productivity as a result.

If you have frequent meetings that require face-to-face contact - consider any one of the popular web conferencing platforms - accept that you will have to pay for the convenience on a monthly or annual basis, and embrace the technology that makes it possible.  Most importantly, equip the WFH employee with the proper tools to make it work well.

Cost of Commercial Space:

Like most business owners, I cringe each time I sign the check for my monthly lease payment for our offices.  It is a necessary evil.  I ran NetWerks from my home for 12 years before moving into commercial space.  We had outgrown what we had to work with, so the move was necessary (or add on to the house - I opted to get the employees outta Dodge).  But - I miss the fact that my overhead was not as overwhelming a burden as it is with commercial space, utilities, etc.

What you are likely to see as more businesses embrace a WFH posture is that they will be able to downsize their commercial space needs to some extent.  You may even see a resurgence of "Executive Suites" that share phone services, receptionists, conference rooms, copy & print services and desk space for those times when you have to meet with people face to face or just need to get away from the home office for a while.

The Current Generation:

Having been in business for over 30 years, and being the parent of three 20-somethings, I can say pretty comfortably that the current generations have not bought into the concept of long term employment and loyalty to the employer..  And there is a simple reason for that.. those in the 35 and under range have seen their parents get kicked to the curb by employers despite a lifetime of loyalty.  They've seen promises broken and the devastation that it triggers within the family unit. You might say that they have hereditary trust issues.

On top of that, many in the younger generation find themselves currently on the lookout for something more challenging, or something that has purpose or a bigger meaning.  They want to make a difference - have an impact - and when that opportunity dries up with one employer, they move on to the next shiny thing.  The average time of employment for under 35's has been well studied, and is under 5 years.  In a 2016 Rasmussen College study, the average tenure of employment for 24 - 34 year old's was a paltry 2.8 years.

Among their complaints and reasons for job-hopping - professional development opportunities, having their input valued, and flexible work arrangements.

Equipping for Success:

This is the foundation of a successful transition to Work From Home.  If you are not wiling to invest in setting your remote work force up for success, just don't do it.  You will be shooting yourself in the foot.  But - it is not all on the shoulders of the employer.. The employee bears a responsibility to ensure that the WFH environment is conducive to conducting daily business.

Equipping for success starts and ends with..  Policy.  Develop a firm WFH policy that lays out articles of engagement that, if unwilling to comply, results in that employee being relegated to a daily commute to the office.  This policy should contain at the very least:

• A dedicated workspace separated from the general populace of the household - spare room, basement, converted attic..  it should not be located in a common area
• The space *should* have a door, preferably with a lock, especially if the individual handles confidential information, or at least a locking cabinet for secure storage of information and the understanding that no confidential material will be left unattended or unsecured
• High speed internet connectivity - if possible, isolated from the rest of the household network
• Adequate lighting and a reliable source of power
• Work related assets not to be used for personal purposes

From the employer's perspective, these should be non-negotiable.  Some have added items such as work attire being expected, set hours of availability, etc.  Tailor the policy to meet your corporate culture.

From a technology perspective, the employer should strongly consider providing the following:

• Similar technology to that used in-office.  If laptop is used - provide a docking station with dual displays, full sized keyboard and mouse, high quality web-cam and noise cancelling headset/mic.  If your office is equipped with Voice over IP (VoIP) Telephony -include a VoIP desk-set that connects directly in to your office system as an extension.
• If you do a lot of video conferencing, provide a portable green-screen and consider an acceptable list of backgrounds to use with the video conferencing platform on which you have decided to standardize
• Standardize on a videoconferencing platform
• Consider implementing a platform for secure file sharing
• Consider implementing a centrally managed system for password management
• Consider updating older applications that leverage cloud based tools to provide a consistent environment regardless of location such as Office 365

Other areas that would be a strong recommendation to ensure a secure WFH environment:

• High performance firewall or SD-WAN platform to ensure that business traffic does not mingle with personal traffic
• Create a standardized WFH Package of technology and offer a modest stipend to offset business use of home for added electrical/internet use
• Consider partnering with an MSP (Managed Service Provider) to do the initial set up and on-boarding of your WFH users, including a network security assessment, managed antivirus/threat detection and remote support options so that your employees are able to work with minimal interruptions

Conclusions:

The "New Norm" is upon us..  what we make of it will determine how we fare in the coming months and years.  Learn the lesson that states simply: If you don't lead change, you will be lead by it.  Get ahead of the shift in how business is done, remain agile, and the results will more likely be in your favor.  By embracing a positive work from home posture - one that has been planned in detail - you are likely to see better productivity as a result - possibly better than if you had an office filled with workers.  Most importantly - consider this an investment into the future growth potential of your company.  Spending some capital today may mean the difference in continued growth and a downward spiral.

Ransomware emails: How to identify

Ransomware emails: How to identify and steer clear of them

Ransomware attacks have suddenly become more prevalent. Each year sees more of them. Hospitals, NPOs, shipping giants, etc., have all been victims of ransomware attacks. Your business could be too! Did you know that emails are one of the most common gateways for ransomware to get into your systems? In this blog, we tell you how you can stay safe by following a few tips.

If you think something is amiss, it probably is

Does that email seem unfamiliar? As though you weren’t meant to get it, or it doesn’t quite sound like your colleague wrote it? Perhaps it’s not. Malicious email senders often try to mask actual email IDs with something similar. For example: An email you believe to have come from billing@yourvendor.com might actually be from billing@yourvemdor.com. So take a good look at the email ID if you spot something ‘phishy’.

Attachments and form fills

Does the email contain an attachment that you are being asked to save to your computer? Or an executable file that you are asked to run? Perhaps you are asked to submit your personal details at an authentic looking website. Before you do any of these, check the authenticity of the email and the message. Were you supposed to receive it? Were you expecting an attachment? You might even want to call the sender and confirm if you are unsure.

The message seems to instill fear or a sense of urgency

Often, malicious email messages urge you to take immediate action. You may be asked to log onto your ‘banking website’ ASAP to prevent your bank account from being frozen, or enter your ITR details onto a webpage to avoid being fined by the IRS. Real messages from your bank or the IRS will never force or hurry you to do something.

Other things you can do

Regular data backups

Conduct regular data backups so that in the eventuality of a ransomware attack, you don’t lose your data. Cybercriminals having access to your data is bad enough--it damages your brand and business reputation and can even attract lawsuits from parties whose personal information has been compromised, but, not being able to retrieve all that data in the aftermath of an attack is even worse. Regular backups help you in that regard, plus when you have a pretty recent data backup you are not reduced to the state of helplessness where you HAVE to pay the ransom to retrieve your data.

Install an anti-malware tool

Last, but not least, invest in anti-malware tools that can detect malware attacks and alert you before you fall prey to them. Such tools scan emails, links and attachments and alert you if they are found suspicious.

No matter how big or small a business you are, ransomware attack is a reality and applies to you. It is better to be prepared than having to cough up huge sums of money to free up your data later and even then there’s no guarantee your data will be restored by the cybercriminal.

The Hard Truth

The Hard Truth..

Whenever there is a crisis, the vultures and jackals will circle (and I mean no disservice to those vultures and jackals of reputable nature)..  In the days and weeks of the COVID-19 pandemic, the ner’-do-wells have stepped up their game, and cyber-attacks on businesses and individuals has escalated.  While this speaks to the baser side of human nature, that side that would maliciously take from others for personal gain, this post is not directly about that..

What this IS about is what we can do about it.

Sadly, many of us have the tendency to bury our heads in the sand and tell ourselves that “it will NEVER happen to me”.

Well, friends..  yes, in fact, it IS going to happen to you.  Maybe not today, perhaps not tomorrow.. but at some point, you will find yourselves in the cross-hairs of the enemy, and he ain’t flinching when he pulls that trigger.  Whether or not you are the recipient of a cyber head-shot or not is entirely up to you.

In the day and age of a heightened state of cyber-threats, the smart money is on ensuring that you have covered every base when it comes to securing your digital house from the jackals at the door.  As a US military veteran from the Cold War era, I could extol you with stories of the days of foreign agents in trench coats trying to turn people to the dark side.. and while some of the foundations are the same, the tools are far more sophisticated than getting a sailor drunk and offering fat wads of cash for information.

The concepts are not new, but the tools have evolved. Understanding the mechanics of the threat is vital to protecting our assets.  Too many examples exist of a “lock up after the bad guy has been and gone” mentality. One stunning example is the Equifax breach, but that is just one of many examples where the bad actor has been well entrenched. It’s time to have the hard conversation with ourselves about how much risk is too much?

Rather than spout a collection of buzz-words and fall victim to trendy posturing, we need to roll up our sleeves and get down to business. A deep assessment of where we are, and how do we prepare ourselves for those who would do us harm. For starters, we need to ask ourselves several direct questions:

• Are we ready to take security seriously?
• Do we have the right policies in place to educate, guide and hold our workforce accountable?
• What are our strengths, weaknesses, opportunities, and threats?
• Do we have the right people in place, both internally and externally, to make a move to a more secure footing?
• Do we understand the potential cost of doing nothing?
• Are the experts we are paying for doing the job? 

For many, especially in the SMB space, the answers to these questions can be an eye opening experience. No one is too small to be noticed.  No industry escapes the scrutiny of those of malicious intent. The key to a successful security policy is to understand that it is going to change. It has to be able to evolve along with the threats that are present - this means it has to be regularly re-evaluated.  There is no such thing as a once-size-fits-all policy.  Even the NIST Security Framework has components that may or may not apply to your organization.

Like in any 12 step program, the first step is accepting that you have a problem.  We ALL have a problem. Do we have the willingness to address it?  The important thing to understand is that you don't have to go it alone.

If you are ready to have that conversation, we are ready to help. With over 30 years in the information security arena, NetWerks is ready to guide you to a much more secure place.  Reach out to us through our web site to set up a no-cost, no-obligation meeting to get an idea where you are at.

How good is your password

How good is your password?

Did you know that having a weak password is one of the biggest security risks you face? This blog focuses on the best practices related to passwords that you can follow to ensure passwords are not your weakest link.

1. Avoid sequences and repetitions: How many times have you used passwords like dollar12345 or $$$BobMckinley. Passwords containing sequences and repetitions are just easier to hack.
2. Avoid using your personal data: Do not make your birth date, bank account number or address a part of your password. It puts your data at stake if your personal information is stolen.
3. Don’t repeat passwords: Make sure you pick unique passwords every time. Unique, not only verbatim, but also in combination. For example, if password one is a combination of number, symbols and letters in that sequence, password two should be letters, numbers and symbols.
4. Manual password management is not a good idea: Invest in a good password management tool. You can even find some free ones online. But, manually managing passwords, by writing them down on a spreadsheet is a big NO.
5. Password sharing: Discourage password sharing across the organization. Every employee should have unique access to data depending on their role and authority. Password sharing gets things done faster, but can do irreversible damage.
6. Password policy: Have a password policy in place and enforce it. Conduct timely audits to ensure the passwords match the specified safety standards. Also, take corrective actions against employees who don’t follow your password policies related to password sharing, setting, etc.
7. Don’t use dictionary words: Hacking software programs can guess dictionary words faster. The key is to mix things up a little bit--some numbers, some symbols, some punctuation and some alphabets.

Don’t choose passwords that are way too simple just because they are easier to remember, because, more often than not, it can get you into a lot of trouble.

Keeping your data safe: Access Control

Keeping your data safe: Access Control

Cyberattacks are a commonplace today. Malwares such as viruses, worms and more recently ransomwares not only corrupt your data or hold it hostage, but also inflict irreversible damage on your brand and business. As a norm, most businesses these days do invest in anti-virus/cybersecurity systems. But, is that really enough? The answer is--NO. Because, they often overlook one important aspect--access. Ask yourself, how easy is your data to access? How can you strengthen the walls that keep your data safe? Read this blog to find out.

Role-based access

Always follow a role-based access permission model--meaning people in your organization have access to ONLY the data they REALLY need. Generally, the higher the designation, the deeper the data access permission and stronger the rights. For example, someone at the executive level may not be able to edit your MIS spreadsheet, but a manager should be able to.

Formal password controls

No matter how good your cybersecurity, you need to ensure the protocols are followed at the ground level. Enforce policies regarding passwords strictly and hold violators accountable. Examples include-

• Password combinations - Ensure your staff follows the recommended best practices when selecting passwords so there are no ‘easy-to-crack’ passwords
• Password sharing - Thoroughly discourage password sharing across your organization. No matter who asks for it, passwords shouldn’t be disclosed unless authorized as per the protocols.

Don’t ignore physical security

Virtual security is a must, but so is physical security. Though there is only so much physical access controls can do in keeping your data safe in the BYOD era of today, don’t overlook this aspect. Installation of CCTV cameras on-floor, biometrics/card based access to your workspace/server rooms, etc. also have a role to play in data safety from the access perspective. 

Training & reinforcement

Finally, train...train...train. You need to train your employees on the protocols for data security and access so they don’t mess up accidentally. Conduct mock drills, refresher trainings, follow up with quarterly audits, and use positive and negative reinforcements to ensure everyone takes it seriously. Because, at the end of the day, no cybersecurity software is good enough, if the best practices related to data access are ignored.

Smaller firms less likely to keep up to date on the basics that protect them

Smaller firms less likely to keep up to date on the basics that protect them.

On the never ending problem of cyber security, small firms often do not have any/much in-house IT support. As a consequence, they may be less likely to be able to make sure their software is consistently updated to reflect any patches released by the product’s maker. This simple oversight, deliberate or not, is a major source of data breaches and ransomware attacks.
Think back many years to when Microsoft pulled the plug on maintaining Windows XP. Many users refused to upgrade because there were afraid of losing compatibility with other software programs, the unintended consequences of moving to a new OS, or just not being sure how to install an upgrade. Whatever the issue, it meant those users had an operating system that was no longer updated to reflect the latest security fixes. Their operating system became an unlocked gate.

You may not be scared of technology, but as a small business owner, tracking the release of new updates or taking the time to install them as soon as they come out probably just isn't a priority. You have a business to run. Adding to this problem, you may also allow your employees to use their personal laptops, mobile devices, and tablets for work duties. If that is the case, then every program on each of those devices is subject to the owner’s willingness and ability to update everything in a timely fashion. If any single device accessing your corporate files and data misses a security patch and is breached, so is your business.

The lesson here is that you need to take action to implement a company-wide process for maintaining all of your software applications so they don’t become an unlocked door in the middle of the night. A managed service provider can develop a plan to address update and security fixes on all the devices that access your data. It can be more than a small business owner can handle, so instead of ignoring the problem, reach out to find real solutions that will protect your business.