4 Strategies for Boosting Your Nonprofit’s Online Presence

The world of technology and the internet can look very different from a nonprofit organization’s perspective. With a board of directors, budgets, and often limited personnel, properly vetting and implementing new technology can be a daunting task.

In the first of our series of blog posts focused on technology and nonprofit organizations, we take a look at the best tips to help grow your nonprofit’s digital presence. Here is some of what’s new in the world of the web and social media that can help your organization succeed.

Make the Internet Work for You

What does your nonprofit’s web presence look like? Is it a seldom-updated Facebook page? A website that hasn’t seen a major overhaul in years?

The internet is all about visibility, reliability, and holding a user’s attention. Once you establish these, client and donor engagement should follow.

Visibility

If a potential donor uses Google or Bing to search for your nonprofit, what will they find?

Search engines now seek to provide smart answers: they try to answer the intent behind a search, and to do it well. As search engine algorithms have evolved, so has the field of search engine optimization (SEO). For your website, the process of SEO implements what Google or Bing’s algorithms are looking for in your nonprofit’s category. Sites that maximize their SEO show up higher in search results.

The first step to visibility is actually having a web presence, which means having not just a Facebook or LinkedIn page, but also a well-maintained website. A pre-formatted site from a provider like WordPress or SquareSpace can serve your purpose, if done well.

The number one way to build your digital presence is to have one! Make sure you have a website, and keep it updated.

Reliability

The second step is optimizing your presence. When is the last time your web presence was updated? Search engines look for sites that are regularly updated. A site that hasn’t been touched quickly drops in rank compared to other sites that discuss the same topics. Even name recognition goes down when tied to a stagnant web presence.

How accurate are your listings? All websites, Facebook pages, and directory information should point to the same location, hours, and phone number. Consider the clients. If there are two or three addresses listed, where should they go? Many will seek another solution, rather than attempt to navigate a confusing one.

Inaccurate or missing information is a signal to search algorithms that your site probably isn’t the most reliable source for information. The ultimate reliable website shares everything a user needs to know in an easy-to-navigate menu with mobile-friendly formats and inspires confidence in your nonprofit as a result.

Google yourself! Does all the information that comes up point to the right place, times, and contact information?

Attention Grabbers – and Keepers

No one is suggesting that your nonprofit become the next Buzzfeed, but a website user who is interested in the information on your site stays longer, visits again, shares information with friends, and—most importantly—can become a client, volunteer, or donor.

Entertainment doesn’t have to mean flashy videos. Think about what a visitor to your website wants to see. Your site should be easy to navigate, provide clear information, and answer potential questions. The nature of search algorithms (the higher a site ranks in search, the more people visit, the longer the visits, the more trust the algorithm has in a site, the higher a site ranks in search, etc.) means it’s important that visitors don’t just click once and are done.

Because of the personal and often life-changing impact nonprofits offer, you have a unique opportunity to keep website visitors interested and engaged. Personal stories about real people can spur volunteers and donors into action. They are also a wonderful source of content for social media.

Provide the information visitors need, and then give them a reason to keep reading.

Stake Your Claim in the Social World

Think of social media as free advertising. Searches for organizations and people are not just done on search engines, but on platforms like LinkedIn and Instagram. Presence on social media not only gives you a place to post updates, advertisements, and success stories, but also helps build a complete profile of your organization.

If you are a total stranger to social media, getting started may seem daunting. But as discussed above, SEO makes or breaks online visibility. Algorithms, whether Google’s or Facebook’s, determine what users see when they type in a keyword or the name of a nonprofit. Active social media accounts inform those algorithms that the page is active and that it has a better chance of containing the answer to a searcher’s query. An up-to-date listing on Facebook or Google My Business assures algorithms and users alike that an organization is legitimate.

As of this posting, there are several social media platforms that you should be aware of, but don’t feel pressured to maintain an active presence on all of them. While each can benefit your nonprofit, the audience and method of posting on some may not be a good match for you. While there are free services that allow for cross-posting to different platforms at the same time, what works on Facebook or LinkedIn won’t fare well on Tumblr. The best course of action is to tailor content to the platform on which it is posted. Here’s a list of the most popular social networks for you to consider:

  • Facebook. Almost universal in usage. Perfect for sharing information and news, and establishing your brand.
  • Twitter. Essential for the plugged-in audience. Popular hashtags come and go in the space of hours, so participation has to be constant. Quips and memes perform well in this space.
  • LinkedIn. Professional space for news sharing, updates, and networking. Can be used to connect with high-profile individuals and to share your message in the nonprofit field.
  • Instagram. An image-based network. Telling your story through pictures can give you access to a whole new audience.
  • Tumblr. Fast-paced, meme-centric, and a must-visit for an audience of teens and young adults.

Once you have a successful social media account, you no longer have to do all the work yourself. Followers will use the space as a place to congregate, sharing your posts and your story with their own circles and granting you exposure you wouldn’t have otherwise.

Establishing and improving your internet presence is just the beginning of our nonprofit-focused blog series. Stay tuned for our next blog all about the cloud! Do you represent a nonprofit that is in need of managed IT services? Contact Anderson Technologies today at 314-394-3001 or info@andersontech.com.

Risk Assessment

HIPAA Part 4: Risky Business

No matter the size of your practice, compliance with the HIPAA Security Rule is a serious undertaking. In order to fix a problem, you must first know it exists. That’s why the Risk Analysis and Risk Management implementation specifications are the foundation of your security compliance efforts. We touched on risk management in Part 2 of our HIPAA series, but in the next two articles we’ll be digging into the Risk Analysis and Risk Management implementation specifications more thoroughly with tips and tools to help you through the process.

The importance of performing a thorough risk analysis and coming up with a risk management strategy cannot be overstated. Throughout this article there will be links to resources to help you decide how best to perform your risk analysis. If you’ve never performed a risk analysis, we strongly suggest going over those resources first.

What is a Security Risk Analysis?

While much of this article presents an outline of how to conduct a Security Risk Analysis (SRA), it first helps to understand what an SRA is. Identifying that a problem exists—or could exist—is crucial to fixing it, preventing it, or making it as safe as possible. That is the purpose of the SRA.

An SRA is ultimately a process that allows you to analyze the way your company approaches risk and see how all areas of your business or organization—from policies and procedures to technical implementation—influence each other. It creates lists of threats, vulnerabilities, and threat events which could impact not only your organization, but your patients, customers, or vendors as well. Once you understand the risk in your daily business functions, finding a solution to keep them secure and operational is much easier.

Threat: the potential for a person or thing to trigger or exploit a vulnerability.

Vulnerability: a flaw or weakness in the system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system’s security policy.

Threat Event: how a particular threat could trigger or exploit a specific vulnerability.

(NIST 800-30)

The SRA process is complicated and can require a substantial investment of time and effort to complete, depending on the size and scope of your business. But when it’s finished, the SRA will provide you with a blueprint for the future. It identifies areas that are protected, areas that could use some fixing, and areas that are desperately unprotected. This allows you to prioritize your needs and create a risk management strategy specific to your environment. And when going through your HIPAA Security Rule compliance, there’s no better tool than an SRA.

Why Do You Need an SRA?

For HIPAA, you must conduct a targeted SRA. §164.308(a)(1)(ii)(A) requires an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. . . .” The key to this is the specification of electronic protected health information (ePHI).

Since the Security Rule only deals with ePHI (where the Privacy Rule handles all PHI), the SRA only needs to focus on the ways in which ePHI is created, received, maintained, or transmitted. Extending the SRA, or performing a second one, to cover all PHI and the ways it could be improperly handled or disclosed is a best practice for assessing your policies and procedures around non-electronic PHI, but it is not required under HIPAA.

It’s important to remember that ePHI involves far more than an electronic health or medical record system. It includes every type of electronic media and hardware that can create, receive, maintain, or transmit ePHI, as well as software such as appointment calendars or billing databases.

While it can only help your organization to conduct a business-wide risk analysis, the targeted scope of ePHI under HIPAA narrows what you need to assess. Don’t narrow your field too much, though. Insufficient or non-existent SRAs and risk management plans can lead to data breaches and serious fines.

According to the Office of the National Coordinator (ONC) for Health Information Technology, simply filling out a checklist is not enough to complete an SRA or count as proper documentation of one under HIPAA. You can learn more about common misconceptions about the SRA at the ONC’s website.

Guides and Tools to Help You Conduct an SRA

While no tool can replace a thorough and accurate SRA, there are plenty to assist you during the process. The ONC recently released an updated version of its SRA Tool that you can download to help identify areas that may need improvement. They also have video tutorials like the one below and interactive games to test your knowledge of both privacy and security requirements.


ONC’s overview of the Security Risk Analysis

There are also numerous guides to help you better understand the process of risk analysis and management. Besides what we’ve mentioned in previous articles (the Department of Health and Human Services’ (HHS) HIPAA Security Series, and NIST’s Introductory Resource Guide—Appendix E), both the ONC and the HHS have overviews of the process.

For detailed explanations of the risk analysis and management process, NIST published two separate guides: SP 800-39 Managing Information Security Risk and SP 800-30 Guide for Conducting Risk Assessments. These are not specifically geared to HIPAA’s SRA, but the level of information provided is far more complete than many of the HIPAA-specific guides. We recommend that you read SP 800-39 before SP 800-30. While SP 800-30 offers greater detail about specific parts of the risk analysis process (especially in the appendices), SP 800-39 is more reader friendly and a good foundation for SP 800-30.

How to Conduct an SRA

Like all parts of HIPAA, scalability and flexibility are at the core of the SRA. A two-dentist practice isn’t going to need the same kind of SRA as a large nursing facility, so HIPAA doesn’t dictate the exact steps to conducting an SRA. However, all thorough and accurate SRAs will go through similar steps and feature key information, no matter the format you choose. As always for HIPAA, document each step for the final SRA report.

Note: While going through the steps, it’s important to remember to look at risk from an organizational perspective (business-wide policies and procedures or budgets), a business function perspective (billing or patient care), and an information systems perspective (settings on specific technology or hardware purchases). Another way to look at this would be through administrative, physical, and technical lenses to match up with the HIPAA safeguards (though, if you prefer HIPAA terminology, keep in mind that physical isn’t perfectly analogous to business function).

Step 1: Gather a Team

An SRA shouldn’t be performed by one person. Business owners or senior leadership should work together with management and IT experts during the SRA process. Not everyone sees risk the same way, and having a knowledgeable team ensures that your SRA will identify risk from all necessary perspectives.

Step 2: Determine the Scope

In this case, HIPAA has defined the scope for you in §164.308(a)(1)(ii)(A): “the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” wherever it is created, received, maintained, or transmitted.

If it holds, accesses, or transmits ePHI, it is part of the SRA. For some businesses this will be a lot to cover, while others may only reference a few systems. And while the scope could be increased to include all PHI, it shouldn’t be reduced.

Step 3: Create a Risk Analysis Framework

A risk analysis framework isn’t required for an SRA, but it’s a useful tool to maintain consistency and avoid ambiguity between those preparing the SRA, those implementing it, and those conducting future SRAs. Since few people see risk the same way, the framework creates a clear set of assumptions, constraints, risk tolerances, and priorities/tradeoffs that will determine how your business manages risk.

Many of these terms appear in later steps, but they’re not used in the same way. In the framework you explain how to identify and respond to the risk factors, while later you use the framework to actually identify and respond to the risk. The framework puts everyone on the same page so that each person knows what to look for, how to judge the risk, and how to manage that risk appropriately.

The framework should also dictate the methodology you use to conduct this and future SRAs. This can be qualitative (high, medium, low), quantitative (numerical quantities), or a mix of both. Not all risk can be numerically quantified (number of individuals affected vs. lost reputation—the first can be counted, the second cannot), so a qualitative or mixed approach can be more useful.

If you choose to skip the framework step, much of this information will still need to be explained in later steps to satisfy documentation requirements, and you won’t have it readily available for subsequent SRAs.

Step 4: Gather Data

In order to determine the risk to ePHI, you must first determine where it is stored, received, maintained, and transmitted. And while this encompasses a great deal more than physical hardware, having a record of the physical hardware and its movements is a part of the Physical Safeguards (§164.310(d)(2)(iii)—Accountability). This is especially important as more and more healthcare settings utilize portable electronic media, such as tablets or laptops.

Think of the flow of ePHI. Where does it begin in your business? Do you create it or receive it? Follow it from its starting point to endpoint and document what systems each piece of ePHI interacts with. Depending on your business, this could be only a few pieces of software and hardware or it could be most systems in the office. Either way, you need a complete list in order to conduct a HIPAA-compliant SRA.

Step 5: Identify and Document Potential Threats and Vulnerabilities

This could be considered one step or two, depending on how you decide to conduct your SRA. It may be simpler to identify potential threats and vulnerabilities separately, but you may find that as you identify a threat, you also identify the vulnerability it could exploit and vice versa. It is up to your team to decide the best method.

If you’ve already created a framework, you’re ready to identify threats and vulnerabilities. If not, take some time to decide what you’re going to consider a threat or vulnerability, how you’ll identify them, and what sources are valuable to work from during the process.

Sources of information could include past SRAs, business security reports or testing, known breaches of similar institutions (Breach Level Index, OCR Breach Report), the security community’s public lists and advisories (National Vulnerability Database, National Checklist Repository), information from vendors, and your managed services provider or IT staff.

As always, remember to document everything.

Threats: One important thing to note when starting your list of potential threats is that you are not required to list all potential threats. You must list all reasonably anticipated threats to ePHI. Having valuable sources of threat information is important, because you don’t want to waste time or resources on a threat that will never affect you, such as a hurricane if you’re nowhere near the ocean.

At this point you’re not looking at whether or not you’ve already mitigated the risk of such threats affecting ePHI. You’re only considering if it is a reasonably anticipated threat. And threats aren’t just about whether someone steals your data for misuse, but whether you can verify the integrity of your ePHI and have it available when you need it.

Vulnerabilities: When dealing with ePHI, it’s easy to think of vulnerabilities as technical problems. Non-technical vulnerabilities cannot be overlooked, and could even be the root cause of other perceived vulnerabilities. A lack of policies and procedures on how to securely set up new hardware, or a budget that doesn’t meet the demand of current threats, could lead to a number of technical vulnerabilities through misconfiguration of security settings or poor hardware purchasing. This is why a team is important for looking at both the big picture and the small details.

Step 6: Assess Security Measures

Now that you have a complete list of threats and vulnerabilities, it’s time to see what security measures you already have in place to protect ePHI. Small- to medium-sized businesses have a greater degree of control over their environment, which is an advantage in mitigating risk. Like vulnerabilities, security measures can be both technical and non-technical, and should be looked at from all perspectives. When documenting, also verify that each technical security measure is not only present but also configured and used correctly.

Step 7: Determine Risk

In order to determine risk, it’s time to put the threats and vulnerabilities together to create a list of possible threat events. This is not a strictly one-to-one pairing. A single threat might exploit multiple vulnerabilities, and a single vulnerability might be exploited by multiple threats. (For more guidance on threat events, see Appendix E of SP 800-30.)

For each threat event, you must determine the likelihood of it occurring and the impact it would have on ePHI and your business if it did. Likelihood is the probability that a threat event will occur.

Below are examples (both qualitative and quantitative) of how you could determine likelihood and impact. Depending on your business’s risk tolerance, you might add more levels beyond high, medium, and low.

The impact of a threat event can be felt across different levels. The most obvious is the direct breach to ePHI’s confidentiality, integrity, and availability, but impact can also be felt in the loss of revenue from a damaged reputation, the cost of fixing the effects of the threat event, time and effort spent dealing with regulatory audits, and other intangible results. Below is an example of how you might measure impact.

Level of Risk

Accurate assessments of the above are vital to determining the overall level of risk posed by a threat event, because risk is a combination of likelihood and impact. For example, if the impact is high but the likelihood is low, then the overall risk would be low. The clearer the definitions in the framework of what constitutes the levels of likelihood and impact, the more accurate and consistent your evaluations of threat events will be. Threat matrices (such as those in Appendix I of SP 800-30) can be used for both qualitative and quantitative methodologies.

Step 8: Document and Manage Risk

If you’ve kept up with your documentation, the final SRA report should be simple to put together. Appendix K of SP 800-30 offers a base template for writing an SRA report, but you should tailor it to your business’s needs. In general, it should include all the lists you’ve made, as well as the reasons for your determinations and how you plan to use this information.

The final task of an SRA is to develop a risk management plan. HIPAA acknowledges that risk cannot be wholly eliminated, but it should be reduced to reasonable and acceptable levels. Conducting an SRA and implementing a risk management plan are the foundation for implementing the rest of the Security Rule’s safeguards. In the next installment of our HIPAA series, we’ll look at how to use your SRA to create a risk management plan.
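As an added example that is not from the original article or from any HHS, ONC or NIST tool, the following Python script works Steps 5 through 8 above on a constructed inventory: it pairs threats with the vulnerabilities they could exploit, skips threats that are not reasonably anticipated, lowers an event's likelihood where a verified security measure applies, and combines likelihood and impact through a qualitative matrix into a sorted risk register. The matrix, the one-level likelihood reduction for a verified control, and every sample threat, vulnerability, control and rating are assumptions made for the example.

```python
"""Qualitative risk register for a HIPAA SRA (constructed example).

Covers Steps 5-8 above: threats x vulnerabilities -> threat events, likelihood
lowered where a verified security measure applies, a matrix that turns likelihood
and impact into a risk level, and a register sorted for the report. The matrix,
the one-level reduction per verified control, and all sample data are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")  # the framework's qualitative scale (Step 3)

# Constructed matrix: RISK_MATRIX[likelihood][impact] -> risk level. It encodes the
# rule stated above that a high-impact, low-likelihood event is low risk overall.
RISK_MATRIX = {
    "low":    {"low": "low", "medium": "low",    "high": "low"},
    "medium": {"low": "low", "medium": "medium", "high": "medium"},
    "high":   {"low": "low", "medium": "medium", "high": "high"},
}

@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploitable_by: tuple[str, ...]  # threats that could trigger or exploit it

@dataclass(frozen=True)
class ThreatEvent:
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    risk: str
    controls_applied: tuple[str, ...]

def lower_one_level(level: str) -> str:
    """Drop a rating one step (assumed effect of a verified control), floored at 'low'."""
    return LEVELS[max(LEVELS.index(level) - 1, 0)]

def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact via the matrix; reject ratings outside the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}: {likelihood!r}, {impact!r}")
    return RISK_MATRIX[likelihood][impact]

def build_threat_events(anticipated, vulnerabilities, verified_controls, ratings):
    """Pair each vulnerability with the threats that can exploit it (many-to-many),
    skip threats that are not reasonably anticipated, lower likelihood where a
    verified control applies, and return the register from highest to lowest risk."""
    events = []
    for vuln in vulnerabilities:
        for threat in vuln.exploitable_by:
            if threat not in anticipated:
                continue  # Step 5: only reasonably anticipated threats must be listed
            try:
                likelihood, impact = ratings[(threat, vuln.name)]
            except KeyError:
                raise KeyError(f"unrated threat event: {threat!r} x {vuln.name!r}") from None
            applied = tuple(verified_controls.get(vuln.name, ()))
            if applied:
                likelihood = lower_one_level(likelihood)
            events.append(ThreatEvent(threat, vuln.name, likelihood, impact,
                                      risk_level(likelihood, impact), applied))
    events.sort(key=lambda e: (-LEVELS.index(e.risk), e.threat))
    return events

def summarize(events) -> dict[str, int]:
    """Count threat events per risk level for the SRA report summary (Step 8)."""
    counts = {level: 0 for level in LEVELS}
    for e in events:
        counts[e.risk] += 1
    return counts

# Constructed sample inventory for a small practice located far from any coast;
# "hurricane" is deliberately absent from the anticipated set.
ANTICIPATED_THREATS = frozenset({
    "phishing email", "lost or stolen laptop", "disk failure on EHR server",
})
VULNERABILITIES = (
    Vulnerability("ePHI stored on staff laptops", ("lost or stolen laptop",)),
    Vulnerability("shared login on billing database", ("phishing email",)),
    Vulnerability("EHR backups never test-restored",
                  ("disk failure on EHR server", "hurricane")),
)
# Step 6: only measures confirmed to be configured and used correctly count here;
# the practice's nightly backups are NOT listed because no restore was ever tested.
VERIFIED_CONTROLS = {
    "ePHI stored on staff laptops": ("full-disk encryption on laptops",),
}
RATINGS = {  # (threat, vulnerability) -> (likelihood, impact) as judged by the team
    ("lost or stolen laptop", "ePHI stored on staff laptops"): ("medium", "high"),
    ("phishing email", "shared login on billing database"): ("high", "high"),
    ("disk failure on EHR server", "EHR backups never test-restored"): ("medium", "high"),
    ("hurricane", "EHR backups never test-restored"): ("low", "high"),
}

if __name__ == "__main__":
    for e in build_threat_events(ANTICIPATED_THREATS, VULNERABILITIES, VERIFIED_CONTROLS, RATINGS):
        print(f"[{e.risk:6}] {e.threat} -> {e.vulnerability} "
              f"(likelihood {e.likelihood}, impact {e.impact}, controls {e.controls_applied})")
```

With the sample data the register comes out as the phishing event (high), the untested-backup event (medium), and the laptop event (low, because the verified encryption control lowered its likelihood); an unrated threat/vulnerability pair raises a KeyError so it cannot silently drop out of the report.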

If you’d like the IT experts at Anderson Technologies to be a part of your risk analysis team, contact us today at 314.394.3001 or by email at info@andersontech.com.

5 Tasks to Tackle: Prep Your Business for 2019

Don’t wait until the last minute to prepare your small business for 2019!

The end of the year is a busy time. Small businesses especially need to have a plan for growth in place well before the New Year. Taking detailed stock of your operations uncovers opportunities for improvement and generates new ideas. Our “5 Tasks to Tackle” will help rocket your business forward.

  1. Assess Your Business

Properly preparing for 2019 involves taking a step back and looking at the big picture to determine if any operational changes are needed. If you’ve never performed a SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats) on your business, now would be a great time to do so! This strategic process illuminates avenues where your business can expand, highlights areas previously neglected, and reveals what your clients are demanding. Whole-business reviews shed light on issues pushed to the backburner.

  2. Audit Your Hardware and Software

2019 is the last hurrah for popular older applications and operating systems.  Microsoft’s extended support for Windows 7 stops on January 14, 2020.  Adobe Flash reaches end-of-life on December 31, 2020.  If you’ve been holding out on upgrading, act now before you’re forced to scramble.

Hardware always breaks down on its own schedule, and it never happens at a convenient time. Keeping your hardware monitored and upgraded prevents unexpected crashes. We recommend replacing your hardware every 5 years at a minimum to keep pace with newer technology and reduce the risk of unexpected hardware failures.

Are you using updated versions of important software? Are there other programs that could do the same work more efficiently or save you money on licenses?  Take stock of your needs and plan for the necessary budget to replace equipment in an organized fashion.

If your business would benefit from hardware or software upgrades, the end of the year is a great time to take advantage of an IRS Section 179 tax deduction (consult your tax advisor for applicability). Splitting the hardware and labor costs between fiscal years may also be a beneficial consideration.

What about storage? Are your computers’ hard drives cramped? Are physical records filling your office space? Move towards a paperless office and further protect that digital storage by implementing cloud services.

  3. Improve Your Web Presence

When is the last time you took a good, long look at your website?  These days, if your website isn’t built on a framework that supports mobile devices or if you don’t update it regularly, your search result rankings suffer for it.  A neglected website may also inadvertently send the wrong message to potential clients.

How does your site perform in search results? If search ranking is lacking, it may be time to look into SEO (search engine optimization) best practices. Google now flags websites without a properly installed SSL security certificate as not secure; this affects page rank and traffic in search results. Partnering with a development team helps ensure your web presence reflects the true excellence of your business.

On March 25, 2018, GDPR (General Data Protection Regulation, passed in the European Union) went into effect. If your site receives visitors from the EU, you are held to this standard and expected to comply with its requirements. GDPR centers on protection of user information. For most sites, compliance is relatively simple, and a knowledgeable GDPR compliance developer can perform a quick audit to identify the updates needed to bring your site up to par.

  4. Audit Your Backup and Security Policies

Have you audited your backups this year by performing a test restore to confirm everything is functioning as expected? In case of a ransomware attack, do you have hourly on-demand backups in place? Disaster recovery protocols need management and oversight, but it’s easy to forget them because they tend to be out of sight and out of mind – until something bad happens.

Passwords should be updated regularly. Do you have a policy in place for changing passwords on a cycle appropriate for your industry (especially if your business needs to comply with HIPAA regulations)? The importance of updating passwords cannot be stressed enough. Recently, the National Institute of Standards and Technology released new Digital Identity Guidelines that drastically altered what constitutes a strong password. While the rest of the internet catches up with those guidelines, password managers such as LastPass can help keep track of complex passwords across various websites.

Did you know 1 out of 9 employees (and 1 out of 4 nonprofit workers) spends time working from home or on the go? Is your business prepared and secure enough for this expanding number of teleworkers?

When was the last time you took a close look at your office security policy? What about communications?  Take this time to assess your technology policies and ensure your business is ready to start the new year capable of handling any opportunities that come your way.

  5. Review Your Social Media Strategy

Social media may seem daunting at first – but start small, and it will become a natural part of your marketing routine.  Ask yourself some questions before you begin: What platforms make the most sense for your business?  How can you represent your organization in a fun and engaging way?  Does a blog seem like a good way to reach out to potential clients while simultaneously increasing your site’s search engine optimization ranking?

As our world becomes increasingly internet-based, your business needs to make a strong digital first impression.  Maintaining a social media presence on the web, even if it’s on a single work-focused site like LinkedIn, provides an opportunity to tell potential clients who you are.  Perform a search for your business online and take control of its narrative.  Encourage current happy customers to post a review on Google or write a testimonial for your website.

Don’t feel compelled to implement a massive new strategy that involves updating five or six different social platforms every day.  Do what makes sense for you and balance your time, but don’t neglect this powerful tool to reach out to those who would benefit from your products and services.

 

Don’t wait for 2019 to prepare your business for growth in the New Year!  These five tasks will take your business a long way.  Build your own successful strategy and allow our team to assist you. Anderson Technologies performs an infrastructure audit annually for its managed services clients.  Our team of experts can take a fresh look at your business and make sure you have the right technical solutions in place to support your company’s goals for the coming year.

If you don’t already receive IT services from Anderson Technologies, contact us today to schedule your free initial audit!  Call 314.394.3001 or email info@andersontech.com now.

Get Hip to HIPAA!

Even if you’ve never worked in the healthcare industry, you’ve probably heard of HIPAA. An appointment to get your teeth cleaned comes complete with a slew of forms that include your rights according to HIPAA.

But can you explain what HIPAA is and why that form is necessary? We often sign and date and move on, knowing it relates vaguely to what our care provider can do with our private health information.

HIPAA includes a lot more than you may realize, and if you work with Protected Health Information (PHI), especially electronic Protected Health Information (ePHI), understanding HIPAA is crucial. This article is the first in a series discussing what HIPAA is, understanding the Privacy and Security Rules, and analyzing HIPAA compliance standards.

What Does HIPAA Stand for?

If you’re not exceptionally familiar with this acronym, you may think it stands for the Health Information Privacy and Accountability Act. That seems reasonable given how the everyday person is exposed to it. In fact, it stands for the Health Insurance Portability and Accountability Act.

That doesn’t sound so familiar, does it? HIPAA was enacted in 1996 not with the intent to protect people’s privacy, but instead to regulate and simplify the health insurance industry. According to the official HIPAA language, the objective of this government regulation is:

To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

Essentially, Congress wanted to make health insurance cheaper and simpler by reducing administrative costs and creating a standard method that everyone related to the health insurance industry could adopt. So where does all this privacy and security regulation come into play? The requirement “to simplify the administration of health insurance” triggered everything.

In the Administrative Simplification section of HIPAA, the Act requires that the rights of individuals relating to the use and disclosure of their health information be clearly explained and that standards are set for the electronic exchange of health information. These two subsections, privacy and safeguards, would later be addressed in what is now referred to as the Privacy Rule and the Security Rule.

The Privacy Rule

The Privacy Rule went into effect in 2000 and has been amended several times. It lays out the standards and guidelines for how PHI in all forms—verbal, physical, or electronic—can be used and disclosed. The Privacy Rule is the reason you know the acronym HIPAA at all.

Thanks to the Privacy Rule, health care providers, insurance companies, and their business partners must follow the same rules regarding health information. Individuals have the same right to access and the same expectation of privacy from all entities according to the guidelines in the Privacy Rule. PHI can include:

  • identifiable personal information,
  • any medical or mental health condition diagnosed during the lifetime of the individual,
  • any treatment or procedure performed in the lifetime of the individual,
  • payment information relating to health care,
  • and any identifiable or medical information that the individual wants restricted.

The Privacy Rule is also the reason you must sign that form stating you understand your rights according to HIPAA. Being informed that you have the right to privacy is part of your legal rights. There are exceptions to these rules, such as life-threatening emergencies, court orders, and release of information authorizations, but all are directly addressed and specified within the rule.

Ultimately, the HIPAA Privacy Rule sets the standard for each patient’s right to privacy regarding their PHI. Thanks to the Privacy Rule, PHI is automatically considered confidential in almost all circumstances, and it also explains under what circumstances PHI may be shared.

The Security Rule

The Security Rule is a little different. It first went into effect in 2003 and, unlike the Privacy Rule, relates only to ePHI. The Security Rule established the safeguard standards everyone dealing with ePHI must follow to be HIPAA compliant. Compliance means all ePHI is stored, processed, and transferred in a way that ensures patient privacy. While it doesn’t dictate specific implementation steps, since each company’s use of and needs around ePHI are different, anyone dealing with ePHI must address each specification.

HIPAA began as a way to simplify health insurance procedures and make those handling health information more accountable to every citizen’s rights about their private health information, and its effects have been far-reaching. For anyone dealing with PHI, the requirements can appear daunting at first, but with a trusted IT partner, HIPAA compliance means any and all health information will be safe in your hands.

Look for our next HIPAA article, which will discuss the Security Rule in more detail. Until then, you can contact Anderson Technologies’ expert consultants for help navigating HIPAA compliance by calling 314.394.3001 or emailing info@andersontech.com.

GDPR: How It Impacts You

On May 25th, the European Union implemented their country-spanning General Data Protection Regulation (GDPR). Even if you’re not sure what it is or how it affects you, you’ve probably seen the results of this directive in action. New cookie consent notices pop up on home pages, and countless companies sent out emails with updated privacy policies. You may have noticed Anderson Technologies has gone through this process recently. All of this is due to GDPR.

What Does GDPR Change?

GDPR gives citizens in European Union (EU) countries clear rights to their data regardless of who is collecting it or where that entity is located. Some of these rights include:

  • The right to know what happens with their data.
  • The right to be shown all data collected on them.
  • The right to update or modify that data.
  • The right to be forgotten or to have all data relating to them deleted.

It also places the burden of informing and obtaining consent to collect data on the entity collecting it. This means it is illegal to use email lists from a newsletter to send promotional advertisements without the user specifically agreeing for you to do so. Most importantly, visitors who refuse to allow their personal data to be collected must receive the same experience as those who allow the collection of their data.

It also demands that those who collect or process personal data do so with data protection at the forefront through means such as pseudonymization, full anonymization of data, and encryption. It becomes the business’s responsibility to protect personally identifiable data and to know that all vendors and third parties with access to it have equivalent security measures in place.

Companies can be fined for failure to comply with GDPR guidelines.

Does GDPR Affect Your Company’s Website?

There is a good chance some aspect of GDPR affects you even if you don’t actively do business in the EU. Personal information can include names, addresses, email addresses, and IP addresses. To collect any of this, even through the use of cookies, explicit consent is required. It’s hard to find any website with zero visitors from EU countries. If even one EU citizen’s data is gathered, then the GDPR relates to you.

The good news is…

Unless you’re actively working with the EU, in which case you’ve probably already implemented compliance standards, only a few sections of the GDPR affect you. And if you don’t collect or transfer any personal data through cookies, contact forms, newsletter sign-ups, or analytics, then it doesn’t matter how many people from the EU visit your site.

The bad news is…

Personal data is collected in ways you might not think about, and just because someone is already signed up for your services or newsletter doesn’t mean their previous consent is compliant. Some means of data collection you might not think about are Google Analytics or share buttons on your site that connect to social media. Also, passive consent (i.e., pre-filled check boxes to sign up for emails or providing an email address that will be used for marketing in order for the user to download an eBook) is no longer allowed.

All consent must be optional and freely given.

Is the EU Going to Come After You?

Keep in mind that if you are seriously concerned about GDPR compliance and the responsibilities your business has in regard to the data you collect, you should contact a lawyer who specializes in GDPR compliance for full legal guidance. The information here is meant to provide a general understanding regarding GDPR and shouldn’t be taken as legal counsel on compliance issues.

For most US-based small businesses that do not have working relationships within the EU and do not intend to court them as potential clients/vendors, the immediate risk of not being 100% compliant after May 25th is minimal. That’s not to say you shouldn’t take practical steps to become compliant if the law affects you. Non-compliance can have steep fines of up to 10-20 million euros or 2-4% of total global turnover—whichever is higher. But those are for serious violations and a last resort after contacting the business about non-compliance and issuing warnings to resolve any problems.

What’s important is that a reasonable effort to comply within the means of your business is made with user privacy and data protection in mind.

Making Your Website GDPR Compliant

The first thing you need to know is whether or not you collect data from EU citizens.

In order to do that, you need to know what data, if any, you collect. This can include analytical data, physical and email mailing lists, names/IDs in comments or forums, and IP addresses. Then it’s time to get consent. Depending on what you collect, there are tools available to help. If you run a WordPress site, this guide can be helpful in figuring out what issues WordPress has already resolved and what issues you need to address.

  • Cookie Consent Bar — You’ve probably seen a lot of these lately. If your site installs any cookies, whether for the functioning of the website, collecting analytical data, third-party cookies for plug-ins, etc., then the user must not only be notified, but allowed the option to not have them activated. There’s no need to figure out how to do this all on your own. If you’re not sure if you need a consent bar, Jeffalytics created a flowchart to help figure it out. There are also plenty of plug-ins and add-ons available that will do this for you, and some of them are free. Not all these plug-ins are user-friendly or even fully functional, so your developer should verify that cookies are not added until the user hits accept. Cookies required to run the site can be excluded from the block as long as your Privacy Policy explains why.
  • Consent Checkbox Beneath Forms — Whenever you directly collect information, such as asking for name and email address when signing up for a newsletter, it is a good idea to have a checkbox stating that by clicking it the user understands how you are going to use and store their data. If you want to use that email for promotional materials, you can’t without their consent. You can offer a checkmark box for this option during the sign up, but it cannot be pre-checked or a requirement to sign up. The user must check it themselves.
  • Google Analytics — Not surprisingly, Google has already done a lot to bring themselves into compliance, but the tools they offer are not in complete compliance since most are meant to collect personal data. So what can you do to fix this without sacrificing all that valuable data? You need to turn on IP Anonymization. Google made this process easy for users by anonymizing all but the final set of numbers in users’ IP addresses. This means you will lose some geographic data, but generally only in local areas. You will still know the country and city of origin.
  • Opt-Out — All users must have the option to not only request all the data you collect on them but to ask you to change or delete the data if they wish. This process should be made clear in your privacy policy and quickly implemented upon request. It’s important to keep a record of all contact with users about their personal data and log when data was modified or deleted. 
  • Privacy Policy — It is important that you have a privacy policy on your website that explains in easy-to-understand, non-legal terms all aspects of your data collection and retention. This is intended to present users with the what, when, how, and why of your data collection, and to inform them of their rights over the data. This is also a good place to display a list of cookies used on your site and their functions. Many of the cookie consent bar plugins provide a short code that will generate this list for you. Your privacy policy should also explain how the user can contact you in order to exercise their rights over the data you collect on them. All communication should be simple to perform and recorded by your business. If you don’t have a privacy policy yet or aren’t sure what needs fixing on an existing policy, NIBusiness Info has a free, fully explained and customizable example available for download.
  • Notification of Breach — Perhaps the biggest change from current data practices is the GDPR’s requirement that if your data has been breached, it must be reported within 72 hours of you learning of it. The GDPR also states that the individual whose data is compromised as a result of the breach must also be notified “without undue delay” if the data poses a considerable risk to the rights the GDPR provides EU citizens. This is not required, however, if the data has been made unusable to unauthorized access through means such as encryption.
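The checklist above, as an added example that is not Anderson Technologies’ code: a consent gate in browser JavaScript that refuses to set non-essential cookies or start analytics until the visitor has opted in, plus the IP masking and the action log that the Google Analytics and Opt-Out items call for. The cookie names, categories, consent cookie format and `G-XXXXXXX` measurement ID are constructed placeholders; `anonymize_ip` is the real gtag.js setting.

```javascript
// Added example, not Anderson Technologies' code: a minimal consent gate of the
// kind the checklist above calls for. Cookie names, categories and the
// "consent" cookie format are assumptions made for illustration.

// Constructed inventory of the cookies this site sets. The privacy policy
// would list the same names and purposes.
const COOKIE_INVENTORY = {
  session_id:  { category: 'necessary', purpose: 'keeps you signed in' },
  csrf_token:  { category: 'necessary', purpose: 'protects forms from forgery' },
  _ga:         { category: 'analytics', purpose: 'Google Analytics visitor id' },
  share_prefs: { category: 'social',    purpose: 'social media share buttons' },
};

// Read the visitor's decision from the document.cookie string. The "consent"
// cookie itself is strictly necessary (it records the choice). No record
// means no consent: only "necessary" is ever granted by default.
function parseConsent(cookieString) {
  const granted = new Set(['necessary']);
  const match = /(?:^|;\s*)consent=([^;]*)/.exec(cookieString || '');
  if (!match) {
    return { decided: false, granted };
  }
  for (const category of decodeURIComponent(match[1]).split(',')) {
    if (category && category !== 'necessary') {
      granted.add(category);
    }
  }
  return { decided: true, granted };
}

// Build the consent record from the consent-bar form. Every box starts
// unchecked (no pre-ticked boxes), so a category is granted only when the
// visitor ticked it. Returns the value to write to document.cookie.
function buildConsentCookie(checkedCategories, maxAgeSeconds = 180 * 24 * 3600) {
  const categories = checkedCategories.filter(c => c !== 'necessary');
  const value = encodeURIComponent(categories.join(','));
  return `consent=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Guard placed in front of every document.cookie write: a cookie missing
// from the inventory is refused rather than guessed at, and everything
// else is checked against the visitor's decision.
function canSetCookie(name, consent) {
  const entry = COOKIE_INVENTORY[name];
  if (!entry) {
    return false;
  }
  return consent.granted.has(entry.category);
}

// Initialise Google Analytics only after analytics consent, and with IP
// anonymisation switched on. `gtag` is passed in so the function can run
// without the GA script present; `anonymize_ip` is the real gtag.js flag.
function initAnalytics(consent, gtag, measurementId) {
  if (!consent.granted.has('analytics')) {
    return false;
  }
  gtag('config', measurementId, { anonymize_ip: true });
  return true;
}

// For logs you keep yourself (web server, contact-form handler): zero the
// last octet of an IPv4 address before storing it, the same masking GA's
// IP Anonymization applies to IPv4. Anything that is not IPv4 is dropped.
function anonymizeIpv4(ip) {
  const octets = (ip || '').split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) {
    return null;
  }
  octets[3] = '0';
  return octets.join('.');
}

// Append-only record of consent changes and data-subject requests, the
// record the Opt-Out item above says you should keep. Returns the new length.
function recordDataAction(log, subject, action, categories, when) {
  log.push({ subject, action, categories: [...categories], at: when.toISOString() });
  return log.length;
}

// Constructed walk-through of one visit.
const firstVisit = parseConsent('session_id=abc123');            // no decision yet
console.log(canSetCookie('_ga', firstVisit));                     // false
console.log(canSetCookie('session_id', firstVisit));              // true
const afterAccept = parseConsent('session_id=abc123; consent=analytics');
console.log(initAnalytics(afterAccept, (...a) => console.log('gtag', a), 'G-XXXXXXX'));
console.log(anonymizeIpv4('203.0.113.77'));                       // 203.0.113.0
```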

GDPR may be frustrating to implement, but its goal is to change the way companies look at data collection and retention. It’s just as important in GDPR to know how you protect your customers’ data as it is what data you collect. Security, accountability, and understanding are goals every business should strive for when handling user data. Even if you don’t do business with the EU, it’s a good idea to perform a network security audit to see how safe your company’s data is and if there is room for improvement.

If you’d like help making your website GDPR compliant, contact Anderson Technologies by phone at 314.394.3001 or by email at info@andersontech.com.

Hands Off the Keyboard! How Managed IT Can Recover Your Deleted Files

One wrong click, a blink, then panic sets in.

That file you just deleted is vital to a current project or contains records necessary to your business.

Instead of letting your heart rate skyrocket, catastrophizing about what you’ve just lost, read this guide on basic data recovery.

When What’s Gone Isn’t Really Gone

Once you realize the deletion error, stop what you’re doing. A few simple steps may prevent further loss and help you discover the scope of your situation.

  1. Check the Recycle Bin. It’s easy to forget in the post-deletion panic that if you haven’t emptied the desktop folder known as the Recycle Bin (Windows) or Trash (Mac) your file may still be there, safe and sound, if it was saved locally. Think there’s no way that your file is still there? Check anyway. It only takes a moment, and many times, that check will solve everything.
  2. Search the File Directory. No luck in the Recycle Bin? All is not lost. Use your computer’s search function (usually in the task menu at the bottom or top of the screen) to search your computer’s file directory for the deleted file. Depending on how many files live on your computer, this may take a while. Here are detailed instructions for searching on Windows 10 and Mac OS X.
  3. Check backups. Okay, so the file doesn’t seem to be on your computer. Was it on the server? Do you have backups configured? These days there are many options, such as Windows Backup, Cloud 365, Dropbox, SugarSync, or OneDrive. Many of these services keep deleted files for 30 days or may have a slightly older version of the file you can restore to your computer. Important Note: If you are unfamiliar with these services, but have them in place, don’t hesitate to call a managed IT services provider for help. Choosing the wrong file or transferring it the wrong way can do more damage than good.

Still no luck? Time to call a managed IT services provider. Further poking around like attempting a Windows restore, volume shadow copy, downloading recovery software, or even just continuing to use the computer to stream or download can rewrite the hard drive—reducing or even eliminating the possibility that professionals can rescue the file.

Bringing in an IT team to recover your files does cost money, but the price of repairing well-intentioned “fixes” can grow exponentially. The deleted file is valuable. If you can’t afford to lose it, you can afford to call the professionals.

What to Expect from a Managed IT Services File Recovery

First, your managed IT services team will check the steps above to determine just how difficult recovery of your vital files will be. If the deletion was caught early enough, or if you have backup services in place, most files can be recovered remotely in under five minutes! Luke Bragg, Senior Systems Administrator at Anderson Technologies, recalled a time when he was able to calm the panic of a client and locate the deleted file in just 20 seconds! It was easy—for a professional.

According to a Clutch report on cloud computing, almost one-third of consumers who use cloud-based backups don’t know they are using the cloud. A managed IT services team can detect this and restore those backed-up files!

Widespread Loss: Data Recovery from Destruction

What if your office or workspace has been struck by natural disaster?

Flood, fire, and quake can obliterate technological systems, leaving your small business without records, client data, or even operating systems. This is far bigger than an accidentally deleted file and, unfortunately, recovery after a disaster isn’t as easy to tackle on your own.

  1. Shut off power and step away from the electronics. The safety of you and your team is paramount. You may be thinking of everything you have lost, but don’t let that desperation put anyone in danger.
  2. Consult the authorities. Exposed wires, spilled chemicals, or other dangers may affect your recovery. Local authorities have guidelines regarding tech in disaster—be sure to follow them!
  3. Assess the damage. Even though a piece of technology may appear to be undamaged, it is important to employ experts to help you assess damage, loss, and potential recovery.

In these cases, managed IT services experts will be a huge asset to your recovery.

IT experts will help you determine whether technology is damaged and set up a provisional network so that you can resume business as soon as possible. A managed IT services team will hold your hand through the disaster and ensure the safety of you and your equipment.

Your managed services team will work with you to identify and restore vital files and records. In fact, even businesses without off-site or cloud backup services have a chance of data recovery. Disc forensics—the science of extracting information from hardware—is a last resort, but many managed IT services teams are prepared to tackle it in these extreme cases.

Chances for recovery of systems or files with a managed IT services partner increase exponentially, but the bottom line is, without backups already in place, data recovery is never guaranteed. Read the fine print when dealing with a recovery vendor to know what you’re paying for.

Prepare for the Worst

Anyone who has lost files from human error or natural disaster knows that the best practice is to avoid loss in the first place. If you are reading this before losing files, take this opportunity to engage a managed IT services provider to set up regular off-site or cloud backup services, and prepare a disaster plan designed to keep your equipment and data safe.

Call Anderson Technologies today for help! Whether you are in a panic, recovering from a disaster, or wanting to prepare for the future, our managed IT services team is prepared to get you—and keep you—in business. Check out our page on data recovery services, or call 314.394.3001 for more information.

Taking Your Work Home: Are You Secure?

With the capabilities of remote access, either through telework or on mobile devices, many companies are asking the question:

How do I maintain my cyber security when my employees work remotely?

Whether you have one employee working on a mobile device while on a business trip or your entire staff telecommuting from home, your cyber security shouldn’t be sacrificed for convenience. By understanding your options and working with a quality IT services provider, you can safely navigate the cyber world and keep your business protected, no matter where you are.

Cyber Security and Telework

Maintaining your cyber security while allowing your employees to work remotely can be a challenge, but it can be accomplished with minimal risk if you plan ahead and choose the right options for your business.

First and foremost, the Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security published by the National Institute of Standards and Technology (NIST) says to “assume that communications on external networks, which are outside the organization’s control, are susceptible to eavesdropping, interception, and modification.” If you don’t expect someone to infiltrate your network, you won’t be protected when someone tries. Always prepare for the worst-case scenario.

How do you do that? You should start by choosing the best telework option for your business’s needs and budget. There are four basic ways to secure your network while allowing remote access to employees.

  1. Tunneling Using a VPN Gateway
    Virtual Private Network (VPN) gateways create secure access from the employee device to the VPN gateway and onward to your internal network. In this way, your enterprise-level cyber security measures are extended to the VPN, which acts as a secure tunnel for employees to work through. Some VPN gateways can even extend your business’s firewall rules to the employee computer no matter where they are working by use of a very light, portable device, a great advantage when travelling on business.

    VPN gateways offer several great telework features, but while communication is protected through a VPN gateway, the employee’s computer could still be at risk of transmitting infected data if the computer itself is compromised. Depending on the amount of traffic they need to carry, VPN gateways can be quite an investment, requiring third-party software or dedicated servers. Even so, the benefits often far outweigh the cost when secure communication is important.
  2. Portals
    This method of remote access happens primarily through a browser-based webpage or virtual desktop. All applications and data are stored on the portal’s server and cannot be downloaded or saved on an employee’s device without permission. This is a good way to keep control over who is accessing your data and how it is used. It may also be a cheaper option than purchasing a VPN gateway.

    The danger with portals depends on what permissions the employee has while accessing the portal. If the portal allows an employee to access other areas of the internet while connected, it could provide an unintended avenue for criminals to access your network. It’s safer to restrict employees’ access to other programs while the portal is in use. The more access an employee has, the less secure the connection becomes.
  3. Remote Desktop Connection
    Remote desktop connection allows an employee to remotely control a computer physically located at your business via an intermediate server or third-party software. When the two computers are connected, applications run and data is saved only to the computer in your office, and your network’s cyber security measures are enforced. Your remote device merely displays the work performed on your office machine.

    Due to the direct access, remote desktop connection is considered high risk in cyber security terms. Proper configuration is critical. When set up correctly, communication between the two computers is encrypted for the data’s protection, but it is also encrypted from the organization’s firewalls and threat detection. No matter how good your cyber security measures are, if the employee’s home computer doesn’t have the same protections as the office workstations, malicious data can slip into your network unnoticed during a remote desktop connection.
  4. Direct Application Access
    Direct application access is probably the lowest risk to your cyber security measures out of all the remote access methods because it is best used only with low-risk applications. In this method, employees can remote into a single application, usually located on the perimeter of your network, such as webmail. The employee doesn’t have access to the entire network, allowing them to work on select applications without exposing your internal network to danger.

    Though there is much less danger posed by direct application access, it generally doesn’t allow for extensive work to be done. There is very little connection to data on your network, and little ability to take data to another application if needed. It is best used when traveling or on a mobile device where complete access to the network is not necessary.

Mobile Devices

Telework isn’t the only way employees access your network. Mobile devices have become ubiquitous for work on the go, but if you fail to protect these devices, your business and your clients may suffer. There are basic security recommendations for securing any mobile device, including thorough employee training in cyber security, strong encryption, keeping software up-to-date, and supplementing your security with third-party anti-malware/anti-virus software. While these fundamental methods keep the average device secure, if you’re dealing with sensitive or confidential data on your network you may need additional safeguards.

NIST’s Guide to Enterprise Telework offers detailed suggestions for protecting any business when it comes to mobile and telework access, including:

  • Limiting networking capabilities (such as Bluetooth) not necessary for work.
  • Turning on personal firewalls, if available.
  • Requiring multi-level authorization before accessing your business’s network.
  • Restricting other applications allowed on the device.

Perhaps the most important piece of advice NIST has for mobile devices is not to treat them as mobile devices at all: “Given the similarity between the functions of mobile devices, particularly as they become more advanced, and PCs, organizations should strongly consider treating them similar to, or the same as, PCs.”

It may also be beneficial to use a mobile device management (MDM) solution to maintain control of a mobile device in case of theft or accidental loss. With an MDM, you can locate, lock, or remotely destroy any data on the mobile device. This way your sensitive information won’t fall into the wrong hands, even if the device can’t be recovered.

Best Practices for Maintaining Cyber Security

Regardless of the type of remote access you decide on, there are a number of opportunities to shore up your cyber security defenses:

  • Establish a separate, external network dedicated solely to remote access. If something does infect the server, it won’t spread to other parts of your network.
  • Use encryption, multi-level authentication, and session locking to protect your data.
  • Keep your hardware and software patched and updated, including your employees’ remote computers.
  • Manually configure employee computer firewalls and anti-malware/anti-virus software.
  • If possible, physically secure computers with locking cables in any untrustworthy place, such as hotels or conference areas.

The amount of preparation needed to secure your business’s mobility is an important investment. A good managed IT services partner can walk you through the process and make sure your business is safe and productive anywhere. For help setting up a telework network, contact the experts at Anderson Technologies by email at info@andersontech.com or by phone at 314.394.3001.

8 Steps to Safe(r) Online Shopping

Sure, e-commerce sites are convenient, but more and more frequently they are teeming with cyber threats that could compromise your financial information, identity, or even your business. Here’s what you can do to protect yourself.

Online sales in the U.S. are projected to reach $523 billion by 2020, according to a report by Forrester Research. In fact, many Americans are buying more online than in-store, and retailers aren’t the only ones taking notice. Criminals see the e-commerce boom as an opportunity for payment fraud, identity theft, and other cyber crimes.

Of every $100 spent online, $4.79 is at risk of a fraud attack, according to The Global Fraud Index, a PYMNTS and Forter collaboration. It’s important to remember cyber criminals don’t just acquire data by targeting you personally. They hack businesses in hopes of infiltrating their databases to steal customer information. If you’ve created an account with a website that is compromised, your information is at risk, even if you haven’t shopped there in months!

Most retailers take precautions to provide their customers with safer online shopping experiences, but the onus is also on the individual. These tips will help you identify secure e-commerce sites, protect your personal information, and at least mitigate the damage should you fall victim to a cyber criminal’s attack.

  1. Only Shop at Sites with “HTTPS” URLs at Checkout

HTTPS stands for Hypertext Transfer Protocol Secure and indicates that the business has an SSL (Secure Sockets Layer) certificate. This certificate requires the vendor to go through a validation process. Once installed, SSL and TLS (Transport Layer Security) are used to secure sensitive online transactions—such as credit card purchases, financial data transfers, account logins, and other browsing activities requiring a heightened level of security. The data you share with a site’s web servers is encrypted in transit, and thus much harder for hackers to exploit.

  2. Assess the Site’s Legitimacy

Before sharing any personal information, research the site’s return policy, social media presence, and online reviews. Check that it has a Privacy Policy, Terms of Use, and detailed contact information. If anything seems suspicious, leave the site immediately.

  3. Create a Separate Email for Online Shopping

Do not provide e-commerce sites with your personal or business email address. Instead, create an account you use solely for online shopping. You can set up your accounts so all emails forward into a single inbox, but limit how often you hand out your primary email addresses.

  4. Create Unique Logins and Passwords for Every Vendor

Password management is an important component of safer online shopping, yet it is often overlooked. Should a cyber criminal gain access to one of your accounts, you want the damage to end there. Do not use the same login and password for everything. Create complicated passwords that cannot be easily guessed. Password management applications, such as LastPass, are invaluable tools to help automate this.

  5. Use a Dedicated Credit Card for Online Shopping

Most credit card companies offer some fraud guarantees and will work with you if your information is stolen. Additionally, consider using PayPal, which goes to great lengths to keep its customers secure.

  6. Do Not Save Your Payment Information

Sure, you’ll add a few seconds to future checkouts, but is it worth it? Should a criminal infiltrate an e-commerce platform, at least you won’t be giving them your credit card number on a silver platter. Also, refrain from saving passwords on your browser and clear your history routinely.

  7. Delete Accounts You No Longer Use

Remember, even if you haven’t visited the e-retailer in months, your information could still be obtained by a criminal who hacks the site. By removing accounts from sites you no longer frequent, you’ll help keep your personal information safe.

  8. Be Wary of Promotional Emails

Cyber criminals use email as a means of spreading malware and launching spear phishing scams. If you receive an email from a retailer that looks too good to be true, visit the site directly to confirm the information is valid. Always verify the email address of the sender. If everything seems above-board, hover over the link before clicking it, which will allow you to review the URL. Be sure to do so carefully, as crooks often use domain names that look similar to reputable sites.

E-commerce is a part of life, but we can’t take our cyber security for granted. No business owner wants to encourage personal purchases on the job, but it is worth sharing best practices for safer online shopping to help keep your employees, and your business, secure.

Anderson Technologies is a St. Louis IT consulting company that helps small businesses educate their employees about effective cyber security practices. For more information on our cyber security training services, email info@andersontech.com or call 314.394.3001 and check out our free eBook, An Employee’s Guide to Preventing Business Cyber Crime.

Public Wi-Fi Puts Your Business at Risk: 9 Tips for Mitigating the Threat

Every time you or an employee logs on to a public Wi-Fi network, the safety of your business is potentially compromised. These tips will help protect your data from rampant cyber security threats on public wireless networks.

The explosion of free public Wi-Fi helps people stay personally and professionally connected. However, many of these networks are not secure and make tempting targets for cyber criminals looking to steal your personal information.

Alarmingly, 60 percent of Americans believe their data and identity are secure on public Wi-Fi, according to research from Symantec. This is unequivocally false! An open public Wi-Fi network applies no encryption at the wireless link, so anything your device sends that is not separately protected by HTTPS or a VPN can be read by anyone within radio range.

Americans are three times more likely to connect to public Wi-Fi if it is free, according to a survey by the Identity Theft Resource Center, but free isn’t the same as safe. Let’s take a look at some of the cyber security threats found on public Wi-Fi networks as well as what can be done to protect yourself and your business.

Sniffing: Hackers use packet sniffers to capture the traffic passing between your device and the servers it talks to. A “packet” is simply one unit of data on the network; on an open wireless network every packet you send is broadcast over the air, and a sniffer records them all. Anything not encrypted, such as a password or user ID submitted over plain HTTP, can then be read straight out of the capture and used to compromise you or your business.

Man-in-the-Middle Attack: In this type of hack, the criminal positions themselves between you and the digital resource you are talking to, such as a website or email account, and relays the traffic so that neither side notices. From that position they can eavesdrop on the conversation, alter it, or redirect you to a fake login page in an effort to gain access to your private information.

Evil Twin: This is a Wi-Fi network that appears to be legitimate but is actually created by a criminal to pave the way for cyber crimes, such as man-in-the-middle attacks. These rogue networks often have similar names to legitimate hotspots in the area.

Sidejacking: With this nefarious tactic, hackers use sniffing software to steal session cookies, the small tokens a website stores in your browser to remember that you are logged in, and replay them to hijack your session. For example, if you’re logged in to your favorite shopping site and hackers sidejack your session, they could make purchases using the credit card saved on your account; or if you are sidejacked while active on Facebook, the perpetrators could send messages to your connections or post dangerous links to your feed. The good news is that the thieves get the cookie, not your username and password, provided the login itself went over HTTPS. The bad news is that it may not be immediately obvious you were targeted, and a stolen cookie keeps working until it expires or you log out, so the criminals could use it to access your account at a later date. Sites that encrypt the login page but then send the cookie over plain HTTP are the classic sidejacking target.
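To make the sniffing and sidejacking threats concrete, here is an added example (written for this post, not a tool from the original article): a short Python script that plays the sniffer’s role over a handful of constructed requests and reports every session cookie or password that was readable on the wire. The hostnames, cookie names and credentials are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample capture: three requests as a sniffer on an open Wi-Fi
# network would see them. Hostnames, cookie values and credentials are invented.
# The first two requests are plain HTTP and fully readable; the third went
# over TLS, so only an opaque handshake record is visible.
CAPTURE = [
    (b"GET /account HTTP/1.1\r\n"
     b"Host: shop.example.com\r\n"
     b"Cookie: sessionid=7f3a9c1e2b; theme=dark\r\n"
     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    (b"POST /login HTTP/1.1\r\n"
     b"Host: social.example.net\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=alice&password=Spring2017!"),
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\x8f\x12\xee",
]

# Cookie names that usually identify a logged-in session (a heuristic): stealing
# one of these in transit is exactly the sidejacking attack described above.
SESSION_COOKIE_PATTERN = re.compile(r"sess|sid|token|auth|login", re.I)
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass"}


@dataclass
class Finding:
    host: str
    kind: str      # "session_cookie" or "credential"
    detail: str


def parse_http_request(payload: bytes):
    """Split a cleartext HTTP request into (request line, headers, body).

    Returns None when the bytes are not readable HTTP, which is what a sniffer
    gets from a TLS connection: ciphertext it cannot interpret."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not re.match(r"^(GET|POST|PUT|DELETE|HEAD) \S+ HTTP/1\.[01]$", lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_exposed_secrets(capture):
    """Return a Finding for every session cookie or password sent in the clear."""
    findings = []
    for payload in capture:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue  # TLS or non-HTTP traffic: nothing usable for the attacker
        _, headers, body = parsed
        host = headers.get("host", "?")
        for cookie in headers.get("cookie", "").split(";"):
            name, _, value = cookie.strip().partition("=")
            if name and SESSION_COOKIE_PATTERN.search(name):
                findings.append(Finding(host, "session_cookie", f"{name}={value}"))
        for pair in body.split("&"):
            name, _, value = pair.partition("=")
            if name.lower() in CREDENTIAL_FIELDS and value:
                findings.append(Finding(host, "credential", f"{name}={value}"))
    return findings


if __name__ == "__main__":
    for f in find_exposed_secrets(CAPTURE):
        print(f"{f.host}: {f.kind} readable on the wire -> {f.detail}")
```

The third request, sent over TLS, yields nothing; that is precisely the protection HTTPS and a VPN give you on an open network. The cookie-name pattern is only a heuristic, since real session cookies go by many names; a thorough tool would flag any cookie at all sent in the clear to a site where you have logged in.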

In addition to these schemes, cyber criminals use public Wi-Fi to infect devices with malware. Some forms of malware can spread across a network to infect other computers, so you risk compromising other devices when you log back on at the office or at home. If you need to get online in a public place, consider the following tips:

  1. Use a VPN

If possible, use a virtual private network (VPN), which encrypts all of your network traffic between your device and the VPN server, so anyone sniffing the hotspot sees only ciphertext. Most business-grade networking hardware has the capability to terminate multiple VPN connections, letting employees tunnel back to the office from wherever they are. A managed IT services provider can help you assess the right solution for your business.

  2. Limit Your Activity

Reduce your digital profile by only performing “must-do” activities. For example, use public Wi-Fi if you have to get an important email out, but don’t pass the time with leisurely online shopping. Try to limit your browsing to sites served over HTTPS (the padlock in the address bar), which encrypts the traffic between your browser and the site even on an open network, and avoid online banking over public Wi-Fi connections altogether.

  3. Stay Alert

In addition to being aware in the virtual world, keep an eye out for suspicious behavior around you. Criminals can also try to steal your password or credit card information by physically observing you, a technique known as “shoulder surfing.”

  4. Turn Off Automatic Connectivity Features

Ensure your device doesn’t “accidentally” join an at-risk network by turning off automatic connectivity features, which are common on many mobile devices. Auto-join is what makes an evil twin effective: a rogue hotspot broadcasting a remembered network name can be joined without you ever seeing a prompt.

  5. Block File Sharing

Perhaps your laptop is configured to share files or printers with others in the office. Disable that sharing (on Windows, turn off network discovery and file and printer sharing; on a Mac, turn off File Sharing in the Sharing preferences) and temporarily pause cloud-based file sync clients (such as Dropbox, OneDrive, Google Drive, etc.) before logging on to a public network. Otherwise every other device on the hotspot is a potential peer that can probe your shares.

  6. Consider Encryption Tools

There are tools, both free and paid, that encrypt your data. Distinguish data in transit from data at rest: a VPN and HTTPS protect what you send across the public network, while full-disk encryption (BitLocker on Windows, FileVault on macOS) and an encrypted password vault protect the files and credentials stored on the laptop if it is lost or stolen in the coffee shop. An IT specialist can help you determine the right tools for you and your business.

  7. Protect Your Device with the Latest Anti-Malware and Anti-Virus Software

Software can’t protect you from shoulder surfers or zero-day threats, but it will detect many forms of cyber security threats should your device become compromised. Be sure to not only install anti-malware and anti-virus software but to also update it regularly so you stay protected as threats evolve.

  8. Use a Firewall

A host firewall blocks unsolicited inbound connections to your device, which is how attackers on a shared hotspot reach services such as file sharing or remote desktop. When logging on to public Wi-Fi, be sure your device’s software firewall is turned on and, on Windows, classify the network as “Public” so the restrictive profile applies.

  9. Avoid Public Workstations

If you have to use a public computer, say at a hotel, conference center, or library, abide by the tips above. Additionally, use a private browsing window if one is available, log out of every account when you finish, never let the browser save a password, and clear your history and temporary internet files after your session.

It isn’t realistic to expect yourself or your employees to avoid public internet entirely, but it is imperative that everyone understand the risks and take the necessary precautions to protect themselves. Check out this in-depth guide to public Wi-Fi on the technology site Secure Thoughts.

Anderson Technologies, a St. Louis IT consulting company, helps educate small businesses about safe online practices. We’ve even created this free eBook to get you started. Contact us today at 314.394.3001 or info@andersontech.com to discuss your business Wi-Fi safety or any of your IT concerns.


A Guide to Employee Cyber Security Training

When it comes to small business cyber security, you could be doing everything right, but it just takes one wrong click from a well-meaning employee to undo all your hard work. Here’s what to cover during business cyber security training for your team.

One of the most overlooked steps to small business cyber security is employee education. Cyber criminals are stepping up their game and increasingly targeting small businesses. Every employer must find the time to educate its team members about digital safety. The global cost of cyber crime is projected to reach more than $2 trillion by 2019. It’s worth taking the time to provide thorough cyber security training to your employees. While doing so, make sure to include the following topics.

  1. Spear Phishing Emails Are on the Rise

Spear phishing is a more sophisticated form of phishing in which criminals target a particular victim rather than a wide audience. These emails often appear to be sent by legitimate sources, such as a colleague or trusted vendor, and are designed to trick the recipient into providing personal information, like a credit card number or password.

Spear phishing emails targeting employees increased by 55 percent in 2015, according to research from Symantec. Warn your team to:

  • Be skeptical every time they’re asked for personal information, especially when the request is urgent.
  • Hover over links to see the real destination URL, and check the sender’s actual email address rather than the display name; look-alike domains often differ by only a character or two.
  • Refrain from opening attachments unless they’ve verified the sender, ideally by phone or in person rather than by replying to the message.
  • Ask you or your outsourced IT services provider for help when in doubt.
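The hover-and-verify checks above, together with the promotional-email advice earlier in this post, amount to a small procedure that can be automated. The Python example below is an addition written for this guide (not something the original describes): it parses a constructed message, compares each link’s visible text with its real destination, and flags sender and link domains that imitate a trusted one. The retailer, addresses and links are invented; the trusted-domain list and the look-alike rules are assumptions, and a production checker would use the public suffix list and a full confusables table.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; the retailer, sender and links
# are invented. Note the zero in the real sender address and the "rn" in the
# first link, both chosen to look like the trusted domain in a typical font.
SAMPLE_EMAIL = """\
From: "Acme Store Rewards" <promo@acme-st0re.example>
To: alice@example.org
Subject: Your $500 gift card is waiting
Content-Type: text/html

<html><body>
<p>Claim your reward at <a href="http://acrne-store.example/claim">acme-store.example/claim</a>.</p>
<p>Questions? Visit <a href="https://acme-store.example.evil-host.net/help">our help center</a>.</p>
<p>Unsubscribe <a href="https://acme-store.example/unsubscribe">here</a>.</p>
</body></html>
"""

# Domains the recipient actually does business with (assumed for the example).
TRUSTED_DOMAINS = {"acme-store.example"}

# Look-alike characters attackers substitute; extend as needed.
CONFUSABLE = str.maketrans("0135", "oles")


def normalize(domain: str) -> str:
    """Collapse common look-alike spellings so acrne-st0re ~ acme-store."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (crude; a real checker uses the public
    suffix list so names like example.co.uk are handled correctly)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in trusted:
        return None
    for t in trusted:
        if normalize(domain) == normalize(t) or edit_distance(domain, t) <= 1:
            return t
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering would reveal."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(raw: str, trusted=TRUSTED_DOMAINS):
    """Return a list of (kind, detail) warnings for the sender and every link."""
    msg = message_from_string(raw)
    warnings = []
    _, sender = parseaddr(msg["From"])
    if (imitated := lookalike_of(registered_domain(sender.rpartition("@")[2]), trusted)):
        warnings.append(("sender_lookalike", f"{sender} imitates {imitated}"))
    extractor = LinkExtractor()
    extractor.feed(msg.get_payload())
    for href, text in extractor.links:
        url = urlparse(href)
        host = url.hostname or ""
        reg = registered_domain(host)
        if url.scheme == "http":
            warnings.append(("insecure_link", href))
        # Visible text that looks like an address but differs from the target.
        shown = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != host:
            warnings.append(("link_text_mismatch", f"shows {shown.group(1)}, goes to {host}"))
        if (imitated := lookalike_of(reg, trusted)):
            warnings.append(("link_lookalike", f"{host} imitates {imitated}"))
        elif reg not in trusted and any(t in host for t in trusted):
            warnings.append(("subdomain_trick", f"{host} is really {reg}"))
    return warnings


if __name__ == "__main__":
    for kind, detail in check_email(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

Run against the sample, the checker reports the look-alike sender, the plain-HTTP first link whose visible text disagrees with its real host, and the second link that buries the trusted name inside an attacker-controlled domain; only the genuine unsubscribe link passes. Those are the same three things a trained employee is looking for when they hover before clicking.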

  2. The Art of Password Management

Cyber criminals use cracking software that tries billions of guesses, starting with dictionary words, common patterns, and passwords leaked in earlier breaches. Do not make their job easier. Teach your employees the importance of creating effective passwords. You can also consider implementing a password management tool for employees to use as an added security measure. Your cyber security training should include the following tips:

  • Do not use the same password for everything; a breach at one site then exposes every other account that shares it.
  • Do not use a single dictionary word or obvious choices like the name of your business, even with capital letters, digits, or symbol substitutions added, since cracking tools try those variations automatically.
  • Use a combination of numbers, uppercase and lowercase letters, and symbols, and favor length: a long passphrase is far harder to guess than a short complex string.
  • Change passwords on a regular schedule, and immediately if you suspect one has been exposed.
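An added example, written for this guide rather than taken from the original, showing how the rules above can be checked and why the dictionary rule matters: the script undoes the capital letters, trailing digits and leet substitutions that cracking tools strip automatically, so a password such as P@ssw0rd1 is recognized as the word “password” and flagged. The wordlist is a constructed stand-in for the real multi-million-entry lists, and the 12-character minimum is an assumption.

```python
import math
import re

# Small stand-in for the multi-million-entry wordlists cracking tools ship with
# (constructed for this example).
WORDLIST = {"password", "welcome", "summer", "spring", "letmein", "dragon",
            "football", "monkey", "qwerty", "sunshine", "princess"}

# Substitutions crackers undo automatically, so "P@ssw0rd" is still "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
MIN_LENGTH = 12          # assumed policy value
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def base_word(password: str) -> str:
    """Strip the mangling a user typically adds (capitals, leading or trailing
    digits and symbols, leet spellings) to recover the word underneath."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def brute_force_bits(password: str) -> float:
    """log2 of the search space a blind brute-force attack must cover.
    This is the optimistic number; a dictionary hit makes it irrelevant."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password: str, org_name: str = "") -> dict:
    """Apply the training rules above and return the problems found."""
    issues = []
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    word = base_word(password)
    dictionary_word = word if word in WORDLIST else None
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if dictionary_word:
        issues.append(f"mangled form of the dictionary word '{dictionary_word}'")
    if org_name and org_name.lower() in password.lower():
        issues.append("contains the organization name")
    if classes < 3:
        issues.append(f"uses only {classes} of 4 character classes")
    return {"issues": issues, "dictionary_word": dictionary_word,
            "brute_force_bits": round(brute_force_bits(password), 1)}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "AndersonTech2017!", "correct-horse-battery-staple-42"):
        report = assess(candidate, org_name="Anderson")
        print(f"{candidate}: {report['brute_force_bits']} bits brute force; "
              f"issues: {report['issues'] or 'none'}")
```

P@ssw0rd1 looks strong on paper (four character classes, about 59 bits against blind brute force), yet it normalizes to “password” and falls to the first few thousand dictionary guesses. The passphrase at the end has no such shortcut, which is the point of favoring length over clever substitutions.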

  3. The Web Can Be a Dangerous Place—Get Out of Autopilot

It’s easy to be lured into a false sense of security as you browse the web. It’s so familiar, and you may have been using it without incident for work and personal purposes for some time.

Business owners must teach their employees that the internet can be a dangerous place. In fact, nearly 75 percent of legitimate websites have security vulnerabilities that could put users at risk. Business owners need to:

  • Create guidelines for appropriate digital behavior. Seedy content breeds seedy behavior, so keep your employees off inappropriate sites at work.
  • Teach employees that legitimate sites can have vulnerabilities.
  • Install and maintain an enterprise-level firewall coupled with safeguards such as a subscription for content filtering and intrusion prevention.
  • Use anti-virus and anti-malware programs that include “safe search” features that help flag sites that have been compromised.
  • Consider partnering with a managed IT services provider who can make sure your business implements these steps correctly.

These tips are just the beginning. Cyber security training for every employee, even administration and management, proves itself to be invaluable in the event of a potential threat. For more information on what your employees need to know about small business cyber security, including what to do when they click a link they shouldn’t have, check out An Employee’s Guide to Preventing Business Cyber Crime.

Anderson Technologies is a St. Louis IT consulting company that can help your small business educate its employees about effective cyber security practices. For more information on our cyber security training services, call 314.394.3001 today.