A Dynamic Network for a Dynamic Place: IT Support for a St. Louis Nonprofit

Every system your business uses needs tweaking over time. Employees come and go, technology advances, and you may find yourself facing unexpected issues as you balance your business’s vision with the changing technological tides.

Such was the case for Crown Center for Senior Living, a residential retirement community in St. Louis and one of our managed services clients since January 2018. From its founding over 50 years ago, Crown Center has grown tremendously from its start as a nonprofit affordable housing community for Jewish residents of University City.

“Our main mission is independent living for seniors,” says Theresa Dattilo, Office Manager at Crown Center. “Over the last couple of years, it’s really evolved to be a community center.” The community is an activity hub for more than just its residents. “People in the community can come here and take an exercise class, eat in the café, or take an art class. There’s always people going on trips, people doing gardening,” she explains. “It’s really a dynamic place to be!”

The influx of activities and participants meant that Crown Center relied more than ever on its online means of communication. Reaching a larger group of people required strong cyber security and reliable hardware and connections. It was time to reevaluate their previous approach to IT.

Choosing an IT Company

Before Crown Center partnered with Anderson Technologies, they’d been with the same company for ten years. “I think our needs evolved over time,” Dattilo says, “and we found they weren’t meeting our needs anymore.”

Crown Center’s server and firewall weren’t being updated, which can create network security holes on top of reducing hardware functionality. Their IT support line offered help when necessary, but Crown Center needed more than just a break/fix approach. They started looking for someone who would take ownership over their infrastructure.

“We took a pretty long time to decide which company to go with,” Dattilo admits. After narrowing the proposals down to six companies (Anderson Technologies included), it was difficult to compare them and decide which would be the best fit for Crown Center. “While I did that, Mark [Anderson] had called me a few times just to check in…. He wasn’t being a pest or anything but wanted to see if we needed any other information. That was helpful.”

What really impressed Crown Center, though, was Anderson Technologies’ proactivity. By offering to conduct a thorough infrastructure audit, “Anderson did something that no other company did,” Dattilo says. “It gave us a lot of good information about the status of our security and how our backups are working and the hardware, our remote access.” Offering an infrastructure audit with no strings attached—and making sure Crown Center fully understood their technology needs—made Anderson Technologies the clear choice for IT support.

Bolstering the Firewall

The first project on Crown Center’s to-do list was tackling their outdated firewall. Firewalls are a business’s first line of defense, but many users fail to realize they need to be monitored, maintained, and updated in order to work most effectively. The firewall established by Crown Center’s previous IT support company hadn’t been regularly updated, wasn’t running any type of internet content filtering, and didn’t provide the granular reporting data necessary to quickly detect network activity. This left any machine with internet access more vulnerable to malicious sites and programs.

Also, the team was unfamiliar with the firewall manufacturer. “I was a little concerned because they said they had never heard of it,” Dattilo says. “You know most of the tech people all use the same equipment, or they at least know the name of it.”

Anderson recommended a new Meraki firewall, a trusted name in enterprise-grade security. This cloud-based management system makes maintaining cyber security and providing IT support easier for our managed services team. “Now that we’re getting updates as they’re released by Meraki, we’re not worried about any security issues,” Dattilo says. “We know that they’re watching.”

Reconnecting with Wireless

Crown Center officially became an Anderson Technologies client at the beginning of the year, which meant tax season was approaching. This made their connection issues that much more urgent. “Every year,” Dattilo explains, “we have about six to eight people from AARP that come here to do taxes. They do taxes for the community and for our residents. Every year, they have connection issues.” Each AARP representative used their own computers, all with varying operating systems and update schedules.

Anderson sent in reinforcements to help during this time. Joseph Baker, Anderson Technologies’ System Administrator, spent a couple of days at Crown Center providing onsite IT support for the visitors from AARP. Dattilo was grateful to see their connection issues finally resolved: “I had someone who was going to take care of these people instead of them all just looking at me saying ‘I can’t get the internet.’”

Since then, Anderson replaced Crown Center’s Wi-Fi networking equipment with four new wireless access points that provide reliable connections for the entire facility. Crown Center gratefully acknowledged our onsite IT support in their time of need. “It really gave me a sense that these people are being taken care of, we’re being taken care of, and that our partnership with AARP was important, and the community members who signed up to get their taxes done were able to get them done,” says Dattilo.

Sprucing Up Hardware and Software

One technological issue that often catches our clients by surprise is how quickly hardware and software become obsolete. Many organizations budget for equipment upgrades but struggle to know when and where to implement those changes. “Each year we replace about three to five computers,” Dattilo says. Even though she keeps an updated spreadsheet of the staff’s machine specs, it’s not always easy to know which computers take priority.

Taking into account Crown Center’s budget and planning, Anderson Technologies put in place a system to replace a portion of the facility’s computers every year as a part of the managed services contract. “That’s a great feature,” says Dattilo. “That way we have new technology, and nobody’s computer is going to be more than five years old.” She’s currently working with Senior System Administrator Eric Dischert to decide the best placement for Crown Center’s new hardware for this year.

Along with complete IT support, St. Louis’s Anderson Technologies experts are always scouting out current tech news so our clients can benefit from technological advances as soon as possible. Crown Center had always purchased their software licenses from a retailer that offered discounted rates for nonprofit organizations. However, when Crown Center applied to upgrade their computers from Microsoft Office 2010 to Office 2016, Microsoft had changed their volume license qualification criteria and denied their application.

Software licenses are an expensive investment for most organizations. “We worked every angle we thought we could work,” Dattilo recalls. “That’s been a tricky thing to navigate.” To provide the staff with up-to-date software on a reasonable budget, Dischert worked to acquire five licenses and found an alternate solution.

The Best IT Support St. Louis Has to Offer

Anderson Technologies remains committed to Crown Center’s mission and priorities as it continues to cross projects off Crown Center’s checklist. Crown Center’s approach to IT called for a managed services provider that would hold themselves accountable for balancing innovation with functionality and budget. “We’re never going to be the first organization to try a new technology, but we don’t want to be the last one either,” reflects Dattilo. “I’d say we’d like to see what the early adopters discover, let the bugs get ironed out, and then we would jump in and start to have one or two people try something new.”

Recognizing this, Anderson Technologies’ focus has been and continues to be engaged, proactive service. Projects like hosting Crown Center’s website allow staff to focus on the community instead of worrying about what happens if their online communication becomes unreachable.

Dattilo has always been the go-to staff member for issues like these, so the convenience of both on-site and remote IT support alleviates her role as the tech support middleman. “Before if people contacted me I would be the contact with our old IT company because we had so many hours a month that we were charged for,” she explains. “I wanted to make sure that we were [only] charged for important issues. Now if there’s an issue I have them call you guys because there’s a record of it, and I don’t have to be the contact anymore. It’s very helpful.”

Not only does Crown Center’s nonprofit mission enrich the lives of the 300+ families they serve—it satisfies a need for engagement in St. Louis’s community. Anderson Technologies is proud to play a part in this organization’s important service. “You guys have brought some good technology to the table,” Dattilo says, “and we’re glad to be one of your clients.”

For more information about how Anderson Technologies can revolutionize your organization’s IT infrastructure, sign up for a free consultation or call us at 314.394.3001.

Don’t Hold the Door Open for Cyber Criminals

Here in St. Louis, you’re likely to hear people saying they’re heading to Bread Co. for lunch, even if Panera is the sign above the restaurant. That’s because to St. Louisans, Panera will always be Saint Louis Bread Company. But residents were relieved the St. Louis name wasn’t attached to Panera’s recent cyber security blunder.

On April 2, Brian Krebs of security news website KrebsOnSecurity broke the story that customer data from Panera’s loyalty program—including names, email and physical addresses, birthdays, and the last four digits of credit card numbers—was available through an insecure API on their website. Worse yet, Panera had been notified about the defect eight months prior in August 2017 and did nothing to resolve the problem.

Cyber security researcher Dylan Houlihan found the flaw in Panera’s API and, after confirming the extent of the problem, contacted Panera’s cyber security team. He notes that reaching out to Panera was difficult as there was no information available for who to contact if security holes were found. Panera’s response was less than stellar. In Houlihan’s detailed account of their communication, Panera’s director of information security, Mike Gustavison, was suspicious of him, and after receiving proof of the problem, took several days to reply that they would work to resolve it.

Except they didn’t.

Every month, Houlihan checked to see if the flaw was fixed, only to see that customer data was still unprotected. Finally, in April 2018, he contacted Krebs to make the matter public and force Panera to respond. They did. Within two hours Panera claimed they patched the problem.

Except they hadn’t.

Krebs continued to monitor the website and found that, while the information was no longer accessible to the public, if a member logged into their free Panera account, they could still exploit the flaw. He also discovered that it extended to other parts of Panera’s business, such as the catering website.

After the negative media coverage, Panera took down its website and patched the problem properly. In a tweet following the incident, Krebs estimates that up to 37 million accounts could have been made public because of this flaw. While there is no evidence yet that malicious agents accessed the data, this was still a terrible security breach.

How Often Does This Really Happen?

It’s easy to lose the details in light of Panera’s poor response and subsequent inaction, but accidental data breaches from misconfigured hardware or software happen far more often than you might imagine.

  • March 6, 2017: River City Media left more than a billion email accounts exposed to the public, some with personal information. Also exposed were detailed records of their own illegal spamming activities. The problem—no password protection on the backups.
  • June 19, 2017: Deep Root Analytics left millions of Americans’ addresses, birthdays, phone numbers, and political views on a variety of topics open to the public. The problem—misconfigured user permission settings.
  • October 3, 2017: A National Credit Federation cloud storage bucket was found to be open to public access, revealing personal, credit, and financial information of tens of thousands of its customers. The problem—misconfigured user permission settings.
  • October 6, 2017: An Alteryx cloud storage bucket was found to be accessible to anyone with a free Amazon Web Services account. It exposed personal data, Experian marketing data, and US Census data for more than 123 million American households. The problem—misconfigured user permission settings.
  • April 9, 2018: A flaw similar to Panera’s was discovered in P. F. Chang’s rewards website. The problem—an insecure API.
  • April 23, 2018: After rebuilding their website following a ransomware attack, MEDantex’s new customer portal contained abilities intended only for employees, including accessing confidential patient records without authentication. The problem—a bug on the website.
  • May 17, 2018: LocationSmart’s demo feature was found to be able to track the location of almost any cell phone without the user’s consent. The problem—an insecure API.

What Does This Mean for a Small Business Owner?

These examples of private, financial, and personal information leaked unintentionally serve as a warning to all business owners. While there’s a sense of poetic justice that River City Media revealed their own criminal activities by forgetting to add a password, the truth is, not all data you could reveal belongs to other people. You can be a cyber threat to your own business.

Few businesses can run day to day without some amount of personal, customer, or vendor data stored either on their network or in cloud storage. The technicalities of properly configuring security for these electronic databases can be daunting, but even when things appear to be simplified for you, all it takes is one open port, one missing password, or one unsecured application for the door to your data to be left wide open.

This is why it’s vital for businesses to have their systems set up by IT professionals and to perform network security audits routinely to ensure both the hardware and the software are configured correctly. It’s not enough to simply hire an IT consultant once and assume your system is secure. Files get moved, employees are hired, and new hardware is installed—all leaving room for new settings to supersede old ones, or worse, be forgotten altogether. A network security audit performed at least annually gives you peace of mind that your cyber doors are tightly closed and locked.

What Should You Do to Protect Your Business?

While it’s crucial to know how to avoid opening the door to criminals, knowing how to respond to a breach is just as important. Here are a few simple steps you can take to avoid or address an accidental data breach.

  1. Hire IT professionals to set up all hardware and software. Your customers trust you to be the expert in your field, so trust the IT professionals to be the experts in theirs. Make sure all your hardware and software have been properly configured from the start.
  2. Perform annual network security audits. Just because you configured everything correctly doesn’t mean it will stay that way. Your business changes all the time, so it’s best to check the doors and windows before someone else notices they’re open.
  3. Know your hardware. Many business owners don’t realize what’s in their hardware closet. Can you point to your hardware firewall with confidence? Are you certain it’s the correct type for your business? Ask an IT professional to review your hardware with you so you understand what you need and how it works. Doing so will improve your ability to spot potential problems.
  4. Have a way people can contact you about problems they find. One lesson learned from the Panera breach is how important it is that people can contact you with problems they’ve noticed. Many security researchers who find flaws due to misconfiguration just want you to know about the issue so it can be resolved. Make sure they can get in touch. Larger companies should have separate contact information specifically for security issues to keep them from being lost with other routine technical issues customers might have.
  5. Respond quickly to any problems found. Don’t wait eight months or for public embarrassment to sound the alarm before responding to an accidental data breach. If you act swiftly, your data may still be kept safe. In many accidental breaches, the problem was found not by criminals but by cyber researchers.

No company wants to find themselves in a situation like Panera’s, so make sure your network security is done right. If you’d like to learn more about configuring your systems or to schedule a network security audit, contact Anderson Technologies by phone at 314.394.3001 or by email at info@andersontech.com.