5 Benefits of an Annual Network Tune-up!
The importance of performing a network security audit can’t be overstated, but don’t be fooled into thinking network security is a one-time event. Just as you bring your car to a mechanic for a tune-up, a yearly network security audit keeps your infrastructure running smoothly and gives your managed services provider (MSP) a chance to look at what’s going on beneath the hood. It is better to keep everything running smoothly than to let problems lurk unseen.
What is a Network Security Audit?
An initial network security audit provides a baseline for the status of your IT infrastructure, what is doing well, where the holes are, and allows you to get in front of any issues that could compromise your systems. Forgetting to fix a known vulnerability could cost you time and money if cyber criminals find and exploit it.
What exactly does a network security audit do? When performed by a professional IT firm, physical processes combine with state-of-the-art software solutions to assess the quality and security of your network. This means reviewing not only your IT systems for digital vulnerabilities but also walking through your physical work space to make sure hardware isn’t set up in a way that would decrease efficiency or be hazardous (such as plugging a space heater into the same surge protector as a computer).
A thorough network security audit should include a review of your business’s
- anti-virus and anti-malware software,
- web and electronic communication filtering,
- Active Directory environment,
- password policies,
- backups and disaster recovery policies,
- an in-person assessment of the physical workspace.
Five Benefits of an Annual Network Security Audit
As important as the initial security audit is, performing regular audits each year provides you with additional insights that can keep you moving forward in a secure and productive manner. Below are the top five benefits of performing an annual security audit.
- Assess how well you’ve addressed last year’s problems.
A network security audit is useless unless the issues it reveals are addressed. By performing an annual audit, you can compare where you were the year before with where you are now to see what systems improved and what still requires attention.
Have all your planned policies and IT practices been implemented? Did the fixes you put in place successfully mitigate the previous year’s problems? An annual security audit serves as a benchmark for the condition and maintenance of your business’s IT environment.
- Review your security vulnerability analysis with your MSP or IT department.
As part of a thorough audit, your MSP or IT department should use specialized scanning software to probe all the nooks and crannies of your network for vulnerabilities. But simply performing the scan isn’t enough. Reviewing the audit with your MSP or IT staff each year lets you compare this year’s vulnerability scans with last year’s and look for recurring failures. By discussing the results together, you can work to find the underlying reason for any trends you find. Sometimes the problem revealed is actually a symptom of a much larger issue, such as a patching process that isn’t being followed.
- Prioritize your technology needs for the next year.
IT security and maintenance can be expensive, especially when technology changes happen outside of your control, such as Windows 7 reaching end-of-life on January 14, 2020. An annual network security audit is a chance for your MSP or IT staff to discuss what needs to be done in the coming year, and more importantly when it needs to be done, so you can prepare accordingly.
- Address the nitty gritty details of IT management.
As part of an annual audit, your MSP or IT staff should review the state of your hardware, your Active Directory for accounts belonging to users who have left the company but were never disabled, and the permissions configured on your systems, so that each account has only the access it needs. These are basic issues that sometimes get lost amidst the pressing everyday IT issues that arise. Having a dedicated time to check foundational elements keeps your IT infrastructure productive and secure.
- Provide feedback to your MSP or IT department and keep the dialogue open.
IT security may feel like it lives solely in the realm of IT professionals, but it requires two-way communication to remain effective. An annual network security audit is an effective mechanism to open a dialogue with your MSP or IT staff and address any concerns you have. The annual audit is a great place to discuss what’s working and what’s not, so that all your IT needs are met in the way your business requires.
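Year-over-year comparison of scan results, as described in the second benefit above, is easier when the two exports are diffed mechanically rather than eyeballed. The script below is an added example, not code from the original article or from any scanner vendor: it reads two constructed sample exports in a hypothetical three-column CSV layout (host, finding, severity), classifies each finding as fixed, new, or recurring, and groups the recurring ones by finding name so that a process failure affecting several hosts, such as patching, stands out from a one-off.

```python
"""Year-over-year comparison of vulnerability scan results.

Added example, not code from the original article or any scanner vendor.
The two exports below are constructed sample data in a hypothetical CSV
layout (host, finding, severity); map your scanner's own column names onto
these before calling compare_scans().
"""
import csv
import io
from collections import defaultdict

# Constructed sample exports, one per year. A finding is identified by the
# (host, finding) pair, which is how a scanner reports the same issue twice.
LAST_YEAR = """host,finding,severity
fileserver01,SMBv1 enabled,High
fileserver01,Missing OS patches,High
workstation07,Missing OS patches,Medium
workstation12,Default SNMP community string,Medium
printer03,Default SNMP community string,Medium
"""

THIS_YEAR = """host,finding,severity
fileserver01,Missing OS patches,High
workstation07,Missing OS patches,Medium
workstation12,Default SNMP community string,Medium
workstation22,Weak TLS configuration,Low
"""


def load_findings(csv_text):
    """Return {(host, finding): severity} from a CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row["host"], row["finding"]): row["severity"] for row in reader}


def compare_scans(previous_csv, current_csv):
    """Classify every finding as fixed, new, or recurring between two scans."""
    prev = load_findings(previous_csv)
    curr = load_findings(current_csv)
    return {
        "fixed": sorted(set(prev) - set(curr)),
        "new": sorted(set(curr) - set(prev)),
        "recurring": sorted(set(prev) & set(curr)),
    }


def recurring_by_finding(comparison):
    """Group recurring findings by name, most widespread first.

    A finding that recurs on several hosts is usually a process failure
    (patching, configuration baseline) rather than a one-off on one host.
    """
    groups = defaultdict(list)
    for host, finding in comparison["recurring"]:
        groups[finding].append(host)
    return sorted(groups.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    result = compare_scans(LAST_YEAR, THIS_YEAR)
    for bucket in ("fixed", "new", "recurring"):
        print(f"{bucket}: {len(result[bucket])}")
        for host, finding in result[bucket]:
            print(f"  {host}: {finding}")
    print("recurring findings, most widespread first:")
    for finding, hosts in recurring_by_finding(result):
        print(f"  {finding} ({len(hosts)} hosts): {', '.join(hosts)}")
```

Real scanner exports carry different column names and usually a plugin or CVE identifier; map those onto the `host` and `finding` columns before calling `compare_scans()`. The grouping step is the one to bring to the review meeting: a finding that recurs on several hosts points at a process, not at a host.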
Don’t wait too long to tune up your IT systems with an annual network security audit. You can’t fix a problem you don’t know exists, and cyber attacks get more sophisticated each day. A look under the hood every now and then offers more than solutions to your problems—it offers peace of mind.
For managed services clients of Anderson Technologies, a network security audit is performed annually. If you want help with a network security audit, contact us today for a free consultation.
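The Active Directory review in the fourth benefit above (accounts of people who have left, and the permissions those accounts still hold) is something you can script against an export of your user list. The following is an added example, not code from the original article: it assumes the export was produced beforehand with the ActiveDirectory PowerShell module (`Get-ADUser -Filter * -Properties LastLogonDate,PasswordNeverExpires,MemberOf | Select-Object SamAccountName,Enabled,LastLogonDate,PasswordNeverExpires,@{n='MemberOf';e={$_.MemberOf -join ';'}} | Export-Csv users.csv -NoTypeInformation`) with dates in ISO format. The CSV embedded below is constructed sample data; the 90-day threshold, the reference date, and the privileged-group names are assumptions to adjust for your environment.

```python
"""Flag stale and risky Active Directory accounts from an exported user list.

Added example, not code from the original article. Assumes a CSV export made
with Get-ADUser / Export-Csv (see the text above) with ISO-formatted dates;
Export-Csv writes dates in the local format, so convert if yours differs.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export. Group DNs are joined with ';' and quoted because
# a distinguished name contains commas.
USERS_CSV = """SamAccountName,Enabled,LastLogonDate,PasswordNeverExpires,MemberOf
jsmith,True,2019-09-30,False,"CN=Sales,OU=Groups,DC=example,DC=com"
former.employee,True,2018-11-02,False,"CN=Sales,OU=Groups,DC=example,DC=com"
svc_backup,True,,True,"CN=Domain Admins,CN=Users,DC=example,DC=com"
old.admin,True,2019-01-15,True,"CN=Domain Admins,CN=Users,DC=example,DC=com;CN=Sales,OU=Groups,DC=example,DC=com"
retired.user,False,2017-05-20,False,"CN=Sales,OU=Groups,DC=example,DC=com"
"""

AS_OF = date(2019, 10, 15)      # assumed "today" for the constructed sample
INACTIVE_DAYS = 90              # assumed policy threshold
PRIVILEGED_GROUPS = {"CN=Domain Admins", "CN=Enterprise Admins", "CN=Schema Admins"}


def _is_true(value):
    return value.strip().lower() == "true"


def parse_users(csv_text):
    """Turn the export into plain dicts with typed fields."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = row["LastLogonDate"].strip()
        users.append({
            "name": row["SamAccountName"],
            "enabled": _is_true(row["Enabled"]),
            "last_logon": datetime.strptime(last, "%Y-%m-%d").date() if last else None,
            "password_never_expires": _is_true(row["PasswordNeverExpires"]),
            "groups": [g for g in row["MemberOf"].split(";") if g],
        })
    return users


def audit_accounts(users, today, inactive_days=INACTIVE_DAYS):
    """Return (account, reason) pairs for enabled accounts that need review.

    Disabled accounts are skipped: they are already in the state we want.
    """
    findings = []
    for u in users:
        if not u["enabled"]:
            continue
        # The RDN (first component) of the group DN names the group.
        privileged = any(g.split(",")[0] in PRIVILEGED_GROUPS for g in u["groups"])
        if u["last_logon"] is None:
            findings.append((u["name"], "enabled but has never logged on"))
        else:
            days = (today - u["last_logon"]).days
            if days > inactive_days:
                findings.append((u["name"], f"no logon for {days} days"))
        if privileged and u["password_never_expires"]:
            findings.append((u["name"], "privileged account with a non-expiring password"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_accounts(parse_users(USERS_CSV), AS_OF):
        print(f"{account}: {reason}")
```

Review the output rather than acting on it automatically: a service account that never logs on interactively is normal, but one that sits in Domain Admins with a non-expiring password is worth a conversation, and an enabled account with no logon in a year almost always belongs to someone who has left.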
St. Louis, Missouri, known as the Gateway to the West, is well-loved by its residents for a variety of reasons that make it a great location for businesses and home to their employees. St. Louisans love their sports teams (Congrats to our NHL Stanley Cup CHAMPIONS!) and are proud hosts of the famous, award-winning St. Louis Zoo and other free attractions in Forest Park, such as the History and Art Museums. Situated in the northernmost Ozark foothills, the city also has a lovely, rolling landscape and is close to many state parks.
St. Louis ranks on many best-of lists across the nation, including:
- One of the “Top 100 Best Places to Live” for 2019 (livability.com)
- Number 2 of the “10 Best Cities for Entrepreneurs 2019” (fitsmallbusiness.com)
- One of the “Top 10 Rising Cities For Startups” in 2018 (forbes.com)
- Number 2 of the 2018 list of “Best Cities for Jobs” (glassdoor.com)
- Number 1 on the “25 U.S. Cities That Millennials Can Afford – and Actually Want to Live In” for 2018 (thepennyhoarder.com)
- The Number 2 “Food City” in the United States (Yelp, reported by riverfronttimes.com)
These rankings paint an appropriately pleasant and prosperous picture of St. Louis! However, businesses looking for a home in this city should know that St. Louis has a long history of natural disasters because of its location.
The Mississippi and Missouri Rivers often become overburdened from heavy deluges in the north, which doesn’t help the fact that St. Louis is tucked into the eastern edge of Tornado Alley. The city also feels the effects of blizzards, the remnants of hurricanes, and even earthquakes. This unique set of natural factors is something business owners and technology teams must consider in their disaster preparedness planning, to keep business running no matter what nature has in store.
IT Backup in St. Louis
Disaster planning is a critical part of your business’s backup process. HIPAA’s Security Rule requires a contingency plan covering data backup, disaster recovery, and emergency-mode operation, but the exercise is important for every business and organization, whether it is subject to HIPAA or not. When you begin to design your plan, you must think from every angle of your business, not just the IT side. How will your business prepare for a disaster? What physical aspects could be affected? How will your business implement measures once a disaster has happened? And what steps will your business need to take to recover? When creating a plan, identify everything that can happen, determine the likelihood that it will happen, and tailor the overall risk to your St. Louis-specific location.
For your IT, you’ll want to document your network and computer infrastructure configuration and safeguard your equipment prior to a disaster. You’ll also want to make sure you have a two-fold backup system, with one being a physical backup stored at a safe off-site location and one being a cloud backup, so that no single event, whether flood, fire, or ransomware, can destroy your production data and both copies at once. An essential for every business is insurance, both for the physical location and for digital data loss. With a disaster plan in place, you’ll be well on your way through disaster recovery, even before a disaster happens.
In addition, regularly test your backups by performing a full recovery to separate hardware or a test environment, and confirm that the restored data is complete and usable before you need it in that dreaded emergency. A backup that has never been restored is an assumption, not a plan.
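A full-recovery test is only meaningful if you can tell whether what came back is complete and intact. The following added example (not code from the original article) models that check: the backup writes a SHA-256 manifest alongside the copied files, the restore goes to a fresh location, and the restored tree is verified against the manifest rather than against the live system, which may itself have changed or been corrupted since. The file tree is constructed sample data; a real backup product produces the copies, but the verification step is the same.

```python
"""Full-restore test: back up a directory with a SHA-256 manifest, restore it
elsewhere, and verify every file came back byte-for-byte.

Added example, not code from the original article. The file tree in
run_demo() is constructed sample data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source, dest):
    """Copy source into dest/data and write dest/manifest.json with per-file hashes."""
    source, dest = Path(source), Path(dest)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / "data" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_of(path)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(backup_dir, target):
    """Simulate a restore: copy the backed-up data tree to a fresh location."""
    shutil.copytree(Path(backup_dir) / "data", target)


def verify_restore(backup_dir, restored):
    """Compare the restored tree against the manifest written at backup time.

    Returns lists of missing, corrupt and extra files; all three empty means
    the full-recovery test passed.
    """
    manifest = json.loads((Path(backup_dir) / "manifest.json").read_text())
    restored = Path(restored)
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    report = {"missing": [], "corrupt": [], "extra": sorted(present - set(manifest))}
    for rel, digest in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_of(restored / rel) != digest:
            report["corrupt"].append(rel)
    return report


def run_demo():
    """Constructed scenario: back up, restore cleanly, then damage one restored file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak, rst = Path(tmp, "live"), Path(tmp, "backup"), Path(tmp, "restored")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2019-10-01,100\n")
        (src / "notes.txt").write_text("quarterly review\n")
        backup(src, bak)
        restore(bak, rst)
        clean = verify_restore(bak, rst)
        # Simulate a partial restore or media error: truncate one restored file.
        (rst / "finance" / "ledger.csv").write_text("date,amount\n")
        damaged = verify_restore(bak, rst)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

`run_demo()` performs a clean restore and then truncates one restored file to show what a failed test looks like. In production, keep the manifest with the backup media and a second copy elsewhere, and treat any entry under `missing` or `corrupt` as a failed recovery test to be investigated before the next backup cycle overwrites the evidence.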
But what natural forces specifically impact St. Louis businesses and should always factor in their disaster planning?
Are you located in or near a flood plain? Recent major flooding in Missouri shows flooding in the last few years has exceeded the anticipated 100-year and 500-year flood levels. This should be a concern for any business located in one, and flood insurance should be obtained. Rivers notoriously breach their banks, and the Missouri River is especially unpredictable.
Originally, the Missouri was much wider. Over the years, engineers channeled it into a narrower, deeper, faster river for commerce, and during the New Deal era they reclaimed much of its former “bottom land.” Being a body of water, it will always try to retake that land.
The Mississippi River is no less dangerous. As the biggest river in the United States, it has many tributaries, and by the time it travels through the St. Louis metro area, it can be swollen with excess water from the north—rain, ice, and melted snowpack. Just this year, the Mississippi has caused $12 billion in flood damage.
Floods generally provide a little more preparation time than tornadoes do, but there’s never enough time when an emergency is at hand. Don’t use warning time to procrastinate preparation. Part of disaster recovery is disaster preparedness. What steps can your business take when flood waters loom? How can you mitigate potential future loss?
If the location of your company is at risk of tornadoes or very high winds, you’ll want to tailor your protection for that. Unlike floods, tornadoes can affect areas far beyond the actual funnel, with winds tearing off roofs and flipping vehicles and structures.
Most tornadoes in the St. Louis area don’t make it into the city itself, but across the county and surrounding flatlands businesses have seen the brutal effects of tornadoes touching down.
With this in mind, storing backups digitally in the cloud is imperative. If a tornado blasts through your area and carries the entire office away with it, you’ll need a place to start. Having data properly and securely backed to the cloud will ensure that your business can start up again in any location, or that you can do something as simple as contact clients from a laptop to alert them to your circumstances.
Blizzards, Earthquakes, and Hurricane Effects
The Midwest routinely receives the effects of hurricanes from the Gulf of Mexico and the sub-zero temperatures blown in from the north. Every now and then, twelve inches of snow will fall or a gale will blow through that knocks out power to a good portion of the community. Are you ready for no electricity at the office? How will your business plan for unsafe travel conditions, or below-zero temperatures when ice knocks down the powerlines?
Missouri is also known for the New Madrid earthquakes of 1811 and 1812, thought to be among the worst the United States has ever seen. Minor quakes have occurred in recent years along the New Madrid seismic zone, which runs through the southeastern corner of the state.
Just like any other city, St. Louis has its own set of common natural disasters, and it’s important for your company to take the proper measures to prepare for them. Planning for disaster can’t guarantee your business’s safety, but by planning for it, you’ll be ahead of the game, no matter what.
Once your fully developed disaster plan is implemented and tested, recovering from a disaster shouldn’t be a heavy drain on time and resources. Even smaller disasters, such as local fires, theft, and vandalism, are essential to prepare for.
Are you ready to develop your disaster plan? If you’d like more information on disaster recovery for your IT systems in St. Louis, call Anderson Technologies at 314.394.3001. A team member will be happy to help!
We’ve come to the end of our HIPAA series, and if you’ve been following along, you might feel overwhelmed by the prospect of becoming HIPAA compliant. There’s a lot to do if you’re just starting out. Keep in mind that by creating a culture of compliance, it becomes easier to verify that you’re following the Security and Privacy Rules in the future. Instead of creating policies, you’ll be updating them. Instead of choosing technical safeguards, you’ll be evaluating what’s already in place. Once you are HIPAA compliant, it’s easy to stay HIPAA compliant.
Tips for Beginners
For those of you tackling HIPAA for the first time or those whose current HIPAA compliance program isn’t doing enough, here are a few tips to help you start the process.
Know what you have—The start of any HIPAA compliance program is determining what PHI and ePHI you have, what programs or processes access that information, and what policies or safeguards are already in place to protect it. Without knowing that, you can’t know what needs to be fixed.
Perform the SRA first—It’s the first security standard for a reason. A complete and thorough Security Risk Analysis is critical to compliance, and you’ll find that during the SRA process you’ll address many of the other standards in the Security Rule. If you don’t feel you can perform this on your own, it may be beneficial to call in an outside consulting company to help you.
Document everything—Get used to this right away. You must not only become compliant, but you need to prove that you are compliant, and that is done through documentation. Be careful you don’t fall into the trap of “paper compliance,” where you have the documentation but fail to follow through in everyday practice. A policy is useless if it’s not implemented.
Accept that it’s a process—Compliance doesn’t happen overnight. From the SRA to the documentation to the evaluations, compliance takes time. It is a continuous process of monitoring and updating to ensure the privacy and security of PHI.
Get everyone on the same page—Training on HIPAA needs to happen from top to bottom. This helps create a culture of compliance that will make ongoing compliance efforts easier. If those in leadership positions understand why it’s important to be HIPAA compliant, appropriate policies and procedures can be created and the budget adjusted according to needs. When employees know the rules to ensure the confidentiality, integrity, and availability of PHI, there is less chance that an avoidable breach will happen.
There is no one prescriptive way to go about HIPAA compliance. HIPAA is designed to be vague enough that any size or type of business can adopt the same requirements. This allows each business the freedom to implement in the way that best fits them, but it also requires that you take responsibility for the decisions you make. With that said, following a logical HIPAA compliance plan will help determine the most reasonable and appropriate measures for your business in a straightforward way. Compliance is always easier with a plan.
Knowing where to go for information can assist any Compliance Officer in their efforts to become HIPAA compliant. Below is a collection of the resources found throughout this series.
- The HITECH Act https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
- The OMNIBUS Rule https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html
- HHS Breach Database https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Introduction to the Security Rule
- HHS Security Series https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
- NIST Introductory Guide to HIPAA https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf
Security Risk Analysis
- ONC Myths of the SRA https://www.healthit.gov/topic/privacy-security-and-hipaa/top-10-myths-security-risk-analysis
- SRA Tool https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
- SRA Videos https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-videos
- Privacy and Security Training Games https://www.healthit.gov/topic/privacy-security-and-hipaa/privacy-security-training-games
- HHS Security Series – SRA https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf?language=es
- ONC Guide to Privacy and Security of ePHI https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
- HHS Guide on SRA https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
- NIST Managing Information Security Risk https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
- NIST Guide to Conducting Risk Assessments https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
- HHS Emergency Preparedness https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html
- Homeland Security Cybersecurity Insurance https://www.dhs.gov/cisa/cybersecurity-insurance
- Cost of Data Breach Study https://securityintelligence.com/series/ponemon-institute-cost-of-a-data-breach-2018/
- HHS Encryption Guidance https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
- HHS Breach Notification https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- HHS Ransomware and HIPAA https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
- DOJ Protect from Ransomware https://www.justice.gov/criminal-ccips/file/872771/download
The true cost of ransomware.
Ransomware is a major threat right now. According to Datto, experts in data backup and recovery, 80% of managed services providers (MSPs) reported ransomware attacks against their clients in 2018, and 35% reported that some of their clients experienced multiple attacks per day. Clearly, ransomware is nothing to sneeze at.
Surprisingly, though, it’s not the ransomware attack, but the downtime afterward that accumulates the greatest cost to your company. Time, manpower, customer and vendor trust are all affected. This increases the importance of defending your company against this threat.
Here’s a quick recap of what happens in a ransomware attack. First, your network or a computer on it is compromised. Next, the intruder deploys malware that encrypts your data files and demands a ransom for the decryption key. Until the files are restored from backup or decrypted, you are stuck: the applications that depend on that data can’t run, and any employee who connects to your network for their job can’t work. Even if the ransom is paid, the likelihood of getting all your data back as it was is fairly small. While the attackers have access, your network is fair game to them, and you won’t know which files they copied out before encrypting them. In all reality, you might be starting from scratch to get your company up and running again, and that takes time. If you aren’t protected and prepared, you could suffer weeks of lost revenue with a high cost to recover.
The best solution for defending your company against ransomware is a multi-layer approach. To keep your network safe, you must have the following:
- A properly configured hardware firewall
- An internet content filter
- Email scanning prior to delivery
- Antimalware/antivirus software on each workstation
- Current operating system and third-party application updates
- Consistent, reliable, and tested backups
Whether it’s a cyber attack, human error, or hardware failure, a multi-layer approach is a safeguard for when one layer is compromised.
Backups are one of the most important layers. They are your insurance policy against a huge amount of downtime: if ransomware gets past every other safeguard, current backups ensure your data is retrievable. Work with your IT department or MSP to make sure the backups are configured so that the ransomware cannot reach them as well. In practice that means backup storage is not exposed as a writable share that an infected workstation can see, the backup job runs under its own credentials rather than an everyday user or admin account, and older versions are retained long enough that an encrypted copy taken after the infection cannot overwrite the last good one.
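One concrete form of the “tested backups” layer listed above, and of the point that backups must be protected from the ransomware itself: inspect each new backup snapshot before it is allowed to rotate older versions out of retention. The following is an added example, not the article’s or any backup vendor’s code, and its layout and thresholds are assumptions: a snapshot is a directory, a file is suspicious when it changed since the previous snapshot and its bytes are near-random (Shannon entropy close to 8 bits per byte) while its extension is not a format that is legitimately dense, and a snapshot is quarantined when a quarter or more of its changed files look that way. The sample files are constructed, with a fixed byte pattern standing in for ciphertext.

```python
"""Check a new backup snapshot for signs of ransomware before it displaces
older versions in retention.

Added example, not the article's or any backup vendor's code. Snapshot layout,
entropy threshold, extension allow-list and quarantine ratio are assumptions.
"""
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed allow-list of formats whose contents are legitimately high-entropy.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; text and office documents sit well below this
SUSPICIOUS_RATIO = 0.25   # fraction of changed files that triggers quarantine


def shannon_entropy(data):
    """Entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot_files(root):
    """Map relative POSIX path -> Path for every file under a snapshot directory."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def suspicious_changes(previous_dir, current_dir):
    """Return (changed, suspicious): files that changed since the previous
    snapshot, and the subset that now look like ciphertext."""
    prev, curr = snapshot_files(previous_dir), snapshot_files(current_dir)
    changed, suspicious = [], []
    for rel, path in curr.items():
        data = path.read_bytes()
        if rel in prev and prev[rel].read_bytes() == data:
            continue                      # unchanged since last snapshot
        changed.append(rel)
        if Path(rel).suffix.lower() in COMPRESSED_EXTENSIONS:
            continue                      # expected to be dense; don't count it
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            suspicious.append(rel)
    return changed, suspicious


def should_quarantine(previous_dir, current_dir, ratio=SUSPICIOUS_RATIO):
    """Decide whether the new snapshot must be held back from retention rotation."""
    changed, suspicious = suspicious_changes(previous_dir, current_dir)
    if not changed:
        return False, suspicious
    return len(suspicious) / len(changed) >= ratio, suspicious


def run_demo():
    """Constructed scenario: a healthy daily snapshot, then one taken after
    ransomware overwrote the documents and dropped a ransom note."""
    ciphertext = bytes(range(256)) * 16   # stands in for encrypted output (8 bits/byte)
    with tempfile.TemporaryDirectory() as tmp:
        day1, day2, day3 = (Path(tmp, d) for d in ("day1", "day2", "day3"))
        for d in (day1, day2, day3):
            d.mkdir()
        day1.joinpath("ledger.csv").write_text("date,amount\n2019-10-01,100\n")
        day1.joinpath("notes.txt").write_text("quarterly review agenda\n")
        day1.joinpath("photo.jpg").write_bytes(ciphertext)   # dense but legitimate
        # day2: an ordinary edit to the ledger, everything else unchanged
        day2.joinpath("ledger.csv").write_text("date,amount\n2019-10-01,100\n2019-10-02,40\n")
        day2.joinpath("notes.txt").write_text("quarterly review agenda\n")
        day2.joinpath("photo.jpg").write_bytes(ciphertext)
        # day3: documents replaced by ciphertext plus a low-entropy ransom note
        day3.joinpath("ledger.csv").write_bytes(ciphertext)
        day3.joinpath("notes.txt").write_bytes(ciphertext)
        day3.joinpath("photo.jpg").write_bytes(ciphertext)
        day3.joinpath("README_RESTORE_FILES.txt").write_text("your files are encrypted\n")
        normal = should_quarantine(day1, day2)
        attack = should_quarantine(day2, day3)
    return normal, attack


if __name__ == "__main__":
    normal, attack = run_demo()
    print("ordinary day, quarantine:", normal[0], "suspicious:", normal[1])
    print("after attack, quarantine:", attack[0], "suspicious:", attack[1])
```

Quarantining a snapshot means holding it aside, not deleting it: the previous good versions stay in retention, which is exactly the property the ransomware was counting on you not having. Tune the threshold against a week of your own snapshots; office documents and source code sit well under 7.5 bits per byte, while already-compressed formats sit near 8 and are excluded here by extension.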
Unfortunately, many companies don’t have all of these measures in place, and when ransomware hits, things get chaotic. Downtime can turn a disaster into a catastrophe.
Studies show that downtime has twelve times the cost of the actual ransomware attack. To calculate downtime, you must take into consideration direct employee costs, productivity losses, halted company production, and even more importantly, how your clients are affected. Are they getting the products and services they paid for? How does that affect their trust in you?
To counteract these detrimental costs to your company, it is important to focus on prevention and prepare for the worst, so when something does happen, your downtime is minimal. Backup services provide disaster recovery as a service to ensure your peace of mind no matter what.
Ransomware isn’t the only cause of downtime, though. There are other things potentially sapping your company’s productivity every day: poor performance from outdated hardware, slow internet speeds, and hardware failure. How much are these often-overlooked daily experiences costing your business?
Old Hardware – New Software
Continually spending money on hardware can be frustrating. Unfortunately, that is the reality in the tech world. One year, the latest technology comes out with a wow and a bang, and by the next year, that amazing equipment is already out of date. Within a few years, it’s obsolete and can no longer handle even the most basic software updates.
Older hardware simply wasn’t designed to handle the latest resource-intensive apps.
Because technology changes so quickly, Anderson Technologies recommends replacing computers every three to five years, depending on your specific requirements. Replacing 20% of your machines per year keeps all equipment on a five-year rotation and your budget reasonable.
How can this plan save your company from downtime?
By upgrading your hardware regularly, your systems stay efficient and fast. You won’t have to wait those 30 seconds for an app to load when it should load in a fraction of that time.
Thirty seconds of downtime doesn’t seem like much until you calculate the cost of those accumulated seconds lost every week.
Hardware failure, be it a laptop or server, will happen, and inevitably it will occur at the worst possible moment, like during your busiest time of year. Because of this, it’s best to be proactive. If you’re continually refreshing hardware, not just computers, at the rate of 20% per year, everything will be less likely to experience failure due to age.
Just like with ransomware, the best insurance policy against hardware failure is having up-to-date backups. Failed hardware can easily be replaced, but the information stored on it may be lost unless it’s backed up regularly. Your MSP can help you determine the frequency of backups and provide backup options to ensure that your company can get up and running as quickly as possible.
Slow internet is probably the most common downtime-inducing culprit. Several factors may contribute to it. The first step is to double-check the speed you pay for with your internet provider and measure the speed you actually observe on your network. If the two match, you may simply need to invest in more bandwidth.
If you’re paying for a higher grade of internet but still experiencing slow speeds, something may be misconfigured in your firewall or switch. A quick way to isolate the problem is to run the same speed test from a machine plugged directly into the ISP handoff and then from a normal desk behind the firewall and switch; if the first is fast and the second is slow, the bottleneck is inside your network. If the firewall or switch is over five years old, it may need to be replaced. Older firewalls and switches are just like the old hardware mentioned earlier: they can’t keep up with the traffic going through them and act as a bottleneck. For instance, your LAN switch may be running at 100 Mbps while you’re paying the ISP for a 400 Mbps internet connection, so no single user can ever see more than a quarter of what you pay for. Upgrading to a gigabit switch in this example is a simple, cost-effective solution. A properly configured and updated firewall and network switch give each user the full speed the internet connection allows instead of bogging it down.
What makes your business special? This is probably one of the first questions anyone will ask about your company—your IT vendor included! Nobody knows your business better than you, and learning what goals and values drive your company is an important step in the Anderson Technologies discovery process.
When a potential client reaches out to us, we offer a free network security audit that compiles the best parts of our IT consultation skills to analyze what’s unique about your company and its technology. A network security audit usually entails a system administrator coming on-site to evaluate the hardware and software your company uses, and then our team takes a closer look at the infrastructure and how it could be affecting day-to-day functions and protection from cyber threats. These audits give our IT experts a chance to familiarize themselves with your specific network and highlight any vulnerabilities in your cyber security coverage or computer system efficiency.
In order to fully understand the impact of network security audits on our clients, we spoke with A. A., Chief of Staff of a wealth management firm located in West St. Louis County that has been an Anderson Technologies client since August 2018.
Anderson Technologies (AT): What can you tell us about your technology goals before you learned about Anderson Technologies?
AA: I joined [the firm] in November 2017, and one of the first things that really became a passion project for me was how our IT was structured. I wasn’t impressed with the provider we had, with how they were addressing our concerns, issues, or responsivity. I would reach out, maybe hear back in a week if it was something that wasn’t business-critical. If it was business-critical, it would take every bit of 48 hours, and I would just get passed around. I’d be like, “Listen, we can’t access this,” and a couple days later even though I sent multiple emails, “Hey, A., got your email, we’re looking into this.” Well that’s not really a solution.
AT: Your husband and Vice President of the firm, N. A., met Amy Anderson at a networking event for local business owners. He knew about your interest in IT, so what made him recommend us to you?
AA: N. A. said, “They approach IT management the same way we approach wealth management: very methodical and particular, everything is structured.” For us, that’s exactly how we want to work with our clients: What are your issues, let us take time to get to know you personally, let me see if I can identify this, this is what I heard, here’s what I think we need to do, here would be the next steps we recommend and then it’s in the clients’ hands to decide.
AT: Did your initial impression of Anderson Technologies live up to the expectation N. A. set?
AA: I basically got an hour, hour and a half with Mark and Amy [Anderson] at no charge where all they did was sit down and listen. They heard everything that we had been through as far as what we were currently trying to accomplish as a business, whether that involved our IT needs or not, over the next two-to-five years.
“Wow, these people actually heard me. They know what I’m going through, and I think they actually were connecting the dots.”
I felt like these people have my privacy and my security as a top priority, which is really important to me especially in the industry we’re in. I feel like they’re really taking the time to educate me on things that I should be concerned about and things that they’re going to be looking for.
AT: What was the network security audit process like?
AA: Honestly, it was painless. Anderson Technologies came in and said, “Here’s what would need to happen,” and they went step by step—Here’s what this audit would look like: we’re going to come into your offices at a predetermined time, it’ll be completely private, we’re going to go into wherever your network closet is, and here’s what we’re going to be looking for.
AT: What issues did the network security audit immediately bring to your attention?
AA: One of the first things that jumped out was our server itself. Mark told me, “Your server is on its last leg, but this dovetails nicely into one of the things you had mentioned you wanted to do, which was transferring everything to the cloud.”
I went from someone who was telling me, “Eh, its good enough, when it breaks we’ll deal with it,” to someone saying, “Let’s be proactive, and let’s tie in what you already told me your goals are and how we can actually make this solution for this issue as well as for your long-term plan.”
AT: Did the network security audit reveal anything that would have been missed without it?
AA: As a wealth manager, any application you would fill out as a client and sign, or any document we may need to have a copy of, like your mortgage or your tax returns from 2016, we want to have a copy of it. We were actually paying for a service that was a branch of our CRM [customer relationship management]. It was fine, but it was cumbersome. It was not cost-prohibitive, but it didn’t make sense to spend $100 a month for this upgraded secure opportunity to store all of our files when, ultimately, we know we want to go to the cloud eventually, which again was part of our initial discussion.
Anderson Technologies said, “Based on what you’re telling us and on our experiences with HIPAA requirements, after we implement a new backup process you can put everything out on OneDrive and it will be just as secure.” Now having said that, “Check with your broker dealer” was Mark, Amy, and Farica [Chang, Director at Anderson Technologies]’s advice, “and make sure they don’t have additional requirements.” So they really covered all their bases saying, “Here’s our expertise, here’s who we recommend you double check with on your side, but here’s what we think the answer will be.”
Ultimately we went from spending $100 a month on an application system that was cumbersome, difficult to use, not intuitive, to something that integrated with our day-to-day applications in Office 365. [We went from a process of] … either adding files, which took 30 seconds, to retrieving files, which took a minute per file based on the old system. Now we’re able to say, “Great, we’re going to access this just like anything else,” and it’s right at our fingertips in seconds.
While it may seem nominal reducing 30 seconds or a minute down to a couple of seconds, it makes a big difference when that is your day-to-day, in-and-out job.
Creating those efficiencies is invaluable to an office like ours. I would sit here and try to open something and go through a series of clicks, or because the system was slow I found myself getting distracted and checking emails when it was something that should have been my singular focus. Now I can do that.
AT: How did the audit lead to a partnership between your firm and Anderson Technologies?
AA: It was the attention to detail. After the audit, we decided we wanted to work with Anderson Technologies. We like your process, we like that we feel like a priority, which was a huge gap in our previous provider’s services. Being able to sit back and [have Anderson Technologies] say, “Here’s everything we recommend for you guys. These are the routers you need, these are the wireless access points,” and just going through and itemizing each thing and saying, “Here’s what you will see as a result of making these changes, and here’s why this is good for security, this is why this is good for speed,” was just a huge relief.
The day they came in and installed everything, it just felt like, “Great, this is one less thing I have to worry about, one less thing that I can sit there and double check and question.” I feel like these are people that have actually taken the time to say, “This is the right solution for you, and we’re on top of it and we know when it is no longer the right solution for you.”
AT: What do you see in the future for your partnership with Anderson Technologies?
AA: One of the things we love about you guys is you’re very similar to how we operate. We sit down with clients and everyone’s happy until there’s a problem. No one knows that they have an issue with their IT provider until suddenly they can’t get online, suddenly their phones don’t work, whatever it might be. Same thing with wealth management. Everything’s fine until the market crashes and everyone wants to call you. We get it. But you guys are also really good and you have a similar process in that you lay out line item by line item, “This is what you can expect, and if this is what you need here’s what we can deliver.” You have this level of understanding.
It’s the peace of mind that I get knowing that Anderson Technologies is watching out for not just the hardware and software, but when I walk in in the morning, if there’s something wrong, [Senior System Administrator] Eric Dischert has already called me, explained what it is, and explained how he’s fixing it. There’s a level of proactivity there that cannot be undervalued. I’ll open a ticket and … I get a response almost immediately saying, “Here’s the deal, we know what’s going on, we have a solution” or “We need more time to find a solution because of this,” and then I at least know that my emails are going somewhere.
AT: Thanks for taking the time to speak with us, A. Do you have any final thoughts before you go?
AA: If there’s something that you didn’t get for your article let me know, because God knows I’m pretty sure Anderson Technologies has checked that box for me.
Do you trust your computer’s security to anonymous department store employees?
For many, the low price, high convenience, and ease of taking a home computer or laptop to a store like Office Depot or OfficeMax for maintenance or repair far outweighs any risk that would normally be associated with a stranger sifting through your files. A solid reputation for service makes a free scan from stores like Office Depot seem like the perfect solution to minor computer issues.
Unfortunately, between 2009 and 2016, one corporation violated the trust that comes with that reputation.
PC Health Check
During this time, Office Depot/OfficeMax utilized an application called PC Health Check and ran the program as part of its in-store computer services. The program’s free scan was marketed to check the “health” of PCs by scanning for malware. However, instead of actually checking the computer, if any one of four signs of probable malware was selected by the user, PC Health Check automatically reported the presence of malware and suggested the user pay for PC cleaning and repair.
PC Health Check was licensed to Office Depot and OfficeMax by Support.com, who received a percentage of each purchase. In late March, the FTC reported on their ruling that the companies will now be prohibited from making deceptive claims, and will pay $35 million in fines to the FTC, which the government will then distribute as refunds for fraudulently-triggered purchases.
Ars Technica reported that in November of 2016, this scam was exposed by Jesse Jones of news station KIRO 7 in Seattle. The investigations team ran six brand new computers through PC Health Check, and four of the six were flagged with symptoms of malware, even though the computers had never been connected to the internet. These same computers were found to be malware-free by an independent IT services provider!
After this report, Office Depot/OfficeMax pledged to take appropriate action and pay the agreed-upon fine. According to the FTC, that had not yet happened, though the PC Health Check program’s use was discontinued.
This FTC ruling should serve as a warning to anyone selling unneeded maintenance and repair services, but it’s also a warning for consumers. The security of your business machines and network shouldn’t be trusted to just anyone.
Ask questions. What evidence does the IT services expert have for the action they propose? Does the software they utilize for diagnostic purposes have a solid reputation? Have other individuals and businesses experienced positive results after working with the expert or team?
At Anderson Technologies, we recommend cultivating a relationship with your IT services provider over time. The best results come from managed services providers who interact with all levels of your network and computer systems. Of course, emergencies happen, often when we least expect it. In those cases, resist the temptation of a quick fix even from a brand name.
Could you be eligible for a refund from the FTC in this case? Click the Get Email Updates button on their announcement. Seeking an alternative to cookie-cutter IT support? Contact Anderson Technologies and see how we’ve earned our reputation over twenty-plus years.
Is the mess of cords and cables in your server room weighing heavy on your mind? Whether or not you rely on a managed services provider (MSP) to keep your IT systems organized and in check, you have a responsibility as a business owner to understand the hardware that keeps everything running.
Misinformation about firewalls is one of the most common issues we see at Anderson Technologies. When asked “Do you have a firewall?” most business owners will emphatically respond “Yes!” without realizing that they’re unfamiliar with the hardware that they think is safeguarding their company. That dusty router in the corner of the phone closet or server room probably isn’t doing much more than its job, which is definitely not to protect your network.
We’ve previously written about the differences between hardware and software firewalls, and Anderson Technologies always recommends an enterprise-grade hardware firewall for businesses under our care. But don’t let that be the extent of your knowledge!
Below we’ve compiled a quick guide to understanding the nuances of your firewall and related equipment. By using the tips below, you’ll have an extra level of familiarity when discussing your hardware options with your MSP or teaching your employees proper cyber security protocol, as when striving for HIPAA compliance.
1. Get to Know Your ISP
You might be asking, “What does my internet service provider (ISP) have to do with my firewall?” The answer to this question varies greatly depending on your network setup. When asked about firewalls, many business owners automatically point to their internet modem or router, and misinformation from ISPs and previous MSPs is to blame.
Most home networks don’t have or require a separate hardware firewall, because the modem and/or router provided by your ISP may have a basic one built in—that is, if it’s configured correctly (more on configuration in #2). Businesses, on the other hand, almost certainly require a more robust level of protection in the form of a hardware firewall. Though HIPAA’s security standard §164.308(a)(5) doesn’t explicitly state the particular hardware necessary to protect against malicious software, having a trustworthy firewall can help and is well worth the investment beyond regulation compliance.
Your ISP factors into the firewall equation at a very basic level. After all, if you don’t have an internet connection, what is your firewall protecting? Your MSP can easily adjust things like wireless access points and device connections, but if there’s a problem with the internet itself there’s not much we can do. Whether you’re using your wireless router’s built-in firewall or an enterprise-grade Meraki, that stream of internet flowing into your business relies solely on your ISP.
Along with your IT services provider, your ISP is a partner and resource when it comes to the technical workings of your business. Always have your ISP’s contact information handy in case a security or performance problem is coming from the foundation of your network—the internet itself.
2. Configure, Configure, Configure!
Configuration is a term that tends to scare those who don’t consider themselves “tech-savvy,” but at its root, configuration is nothing more than telling your devices how to work.
Think about it this way: when you bring your new smartphone home, it won’t have any of your personal settings or information. Maybe the menu text is too small to read, or the brightness and sound aren’t set to your liking right out of the box. Fixing these settings may take some general knowledge about how the phone works, and possibly some investigation and deduction. But once you’ve changed all the settings to fit your lifestyle, the phone will be working for you and not the other way around.
Configuring your firewall and other network equipment works pretty much the same way, but with nuances that might require outside IT services. Firewall configuration determines which user accounts can manage the firewall’s settings, which computers can access different layers of confidential data, and any other restrictions you need to implement. After this, your firewall will know exactly how to act in a way that meets your business’s individual needs. Guides on configuring your firewall on your own aren’t difficult to find, but when it comes to your business’s firewall, if you feel unsure about how to program it, consulting with a professional is recommended.
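The three things the paragraph says a configuration decides (who may manage the firewall, which computers may reach confidential data, and what happens to everything else) can be checked mechanically. The following is an added example, not Anderson Technologies’ code or any vendor’s syntax: a tiny rule format and a constructed weak rule set beside its corrected form, with an audit function that flags the settings a professional would look for first.

```python
"""Audit a small firewall rule set for the weak settings the guide warns about.

Added example, not Anderson Technologies' code. The rule format, addresses and
both rule sets below are constructed for illustration; real firewalls (Meraki,
pfSense, iptables) each have their own syntax, but the checks are the same:
a default-deny policy, management access limited to admin workstations, and
confidential-data hosts reachable only from the networks that need them.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # CIDR of the source network
    dst: str           # CIDR of the destination network
    port: int | None   # destination TCP port, None for any port


@dataclass
class FirewallConfig:
    default_policy: str                 # "allow" or "deny" for unmatched traffic
    rules: list[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Expectation:
    name: str
    protected: str                  # CIDR being protected (mgmt UI, file server)
    port: int | None
    allowed_from: tuple[str, ...]   # only these sources may reach it


def _covers(outer: str, inner: str) -> bool:
    """True if network `inner` lies entirely inside network `outer`."""
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return o.version == i.version and i.subnet_of(o)


def audit(cfg: FirewallConfig, expectations: list[Expectation]) -> list[str]:
    """Return human-readable findings; an empty list means the config passes.

    Deliberately conservative: a broad allow rule is reported even if an
    earlier deny rule would shadow it on a first-match firewall.
    """
    findings: list[str] = []
    if cfg.default_policy != "deny":
        findings.append("default policy is not deny: unmatched traffic is allowed")
    for exp in expectations:
        for rule in cfg.rules:
            port_matches = rule.port is None or rule.port == exp.port
            if rule.action != "allow" or not port_matches:
                continue
            if not _covers(rule.dst, exp.protected):
                continue
            # The rule reaches the protected host, so its source must sit
            # inside one of the permitted networks rather than being wider.
            if not any(_covers(allowed, rule.src) for allowed in exp.allowed_from):
                findings.append(
                    f"{exp.name}: allow rule lets {rule.src} reach "
                    f"{exp.protected} port {exp.port}; only {exp.allowed_from} should"
                )
    return findings


# Constructed "before" config: default allow, the firewall's admin page open to
# any source, and the file server holding client data reachable from guest Wi-Fi.
WEAK = FirewallConfig(
    default_policy="allow",
    rules=[
        Rule("allow", "0.0.0.0/0", "10.0.0.1/32", 443),        # management UI
        Rule("allow", "192.168.50.0/24", "10.0.1.10/32", 445),  # guest Wi-Fi -> files
        Rule("allow", "10.0.5.0/24", "10.0.1.10/32", 445),      # admin LAN -> files
    ],
)

# Corrected config: default deny, management only from admin workstations,
# file server only from the admin and staff LANs.
HARDENED = FirewallConfig(
    default_policy="deny",
    rules=[
        Rule("allow", "10.0.5.0/24", "10.0.0.1/32", 443),
        Rule("allow", "10.0.5.0/24", "10.0.1.10/32", 445),
        Rule("allow", "10.0.10.0/24", "10.0.1.10/32", 445),
    ],
)

# What the business decided its configuration must enforce (constructed).
POLICY = [
    Expectation("firewall management", "10.0.0.1/32", 443, ("10.0.5.0/24",)),
    Expectation("client file server", "10.0.1.10/32", 445, ("10.0.5.0/24", "10.0.10.0/24")),
]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg, POLICY) or ["no findings"])
```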
3. Bolster Your Network—Inside and Out
Businesses are prey to targeted attacks more than ever, according to Symantec’s 2019 Internet Security Threat Report. Cyber criminals are stealthier in how they infiltrate networks and know how to take advantage of any weakness. Your firewall serves as your network’s dedicated bodyguard, but what is a bodyguard without backup when trouble arises? Supplement your firewall with both inside and outside reinforcements.
Network protections from the inside include intrusion prevention systems (IPS), robust antivirus/antimalware software, and protective buffers like Proofpoint or multi-factor authentication (MFA). If a cyber threat circumvents the firewall by entering your network from the inside—such as from unregulated permissions or compromised or unpatched software—security software can mitigate the damage. Inside protection also includes ransomware detection and data backups in case the worst happens.
What about protections outside your firewall? Those can be more difficult to implement, if only because they deal with the most vulnerable factor in any security network—humans. Email filtering tools (like Proofpoint) and internet content filtering software (CFS) can screen most of the potential threats that present themselves to your employees. But all it takes is one employee opening one spammy link from a spear phishing email, and your whole network becomes victim to a targeted attack. Everyone on your team needs to have the same awareness, goals and training because firewalls can only do so much on their own.
Firewalls are amazing investments that can save your business hundreds of thousands in the long run by preventing devastating cyber attacks. It’s important to know what’s going on beyond all those cables, circuit boards, and blinking lights. And when someone asks if you have a firewall, you’ll be able to confidently point out the device and know your network is protected.
In part 4 of our HIPAA series, we dug deep into the Security Risk Analysis (SRA) and how to perform one. This time, we’re going to look at what to do with the SRA once it’s completed. The SRA serves as a starting point for fulfilling many of the standards of the Security Rule, but its most important function is to help you create a risk management plan to mitigate and monitor the risks you identified. The risk management plan will determine what actual changes you make to ensure your electronic protected health information (ePHI) and your business are safe from all reasonably anticipated threats.
What is a Risk Management Plan?
In the SRA, risk is identified, current security measures are evaluated, and the potential impact of a vulnerability being exploited/triggered is determined. A risk management plan takes all that information and turns it into a plan of action. It prioritizes the risks with the greatest impact, puts plans in place to mitigate the danger, implements those plans, then evaluates whether the risk is brought down to reasonable and appropriate levels.
The SRA and the risk management plan together serve as the foundation for compliance with the Security Rule. If you’ve performed a thorough SRA and created a comprehensive risk management plan, many later standards may be fulfilled in the process of implementing the plan and mitigating the identified risks.
A comprehensive risk management plan also serves to satisfy several HIPAA standards.
- 164.308(a)(1)(ii)(B) – Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
- 164.308(a)(8) – Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of [ePHI], that establishes the extent to which an entity’s security policies and procedures meet the requirements of [the Security Rule].
4 Steps to Creating a Risk Management Plan
1. Prioritization
The first step of analyzing the data produced in the SRA is to prioritize which risks need to be addressed immediately and which can be addressed in the future. All risk eventually needs to be dealt with, but budgets, manpower, and immediate threats will all factor into how and when.
It’s vital that senior management is involved in the risk management planning process. Mitigating risk to a reasonable and appropriate level may require considerable investment of both time and money. New hardware infrastructure or outside help from IT professionals may be necessary, and employees’ time may be needed to create new policies and procedures and train staff. Even if the budget-makers aren’t involved in the SRA, having them involved in the risk management plan will help to prioritize what needs to be handled first, and allow them to see why the investment is necessary.
2. Mitigation
Once the risks are prioritized, the next step is to decide how to mitigate the possible danger. Just as with the rest of HIPAA, how this happens is determined differently by each company depending on the level of risk posed and the resources available.
What’s important to remember is that the goal is not to eliminate risk altogether. If it’s possible to do so and still have a functioning and sustainable business, all the better, but for most businesses, the complete elimination of risk may be either too expensive or too prohibitive to actually continue fulfilling their core mission. The goal of mitigation is to reduce risk to a reasonable and appropriate level. Do all you can within your means to protect ePHI.
We cannot stress enough that while cost is one factor to consider in your mitigation strategy, it alone cannot be used to justify not mitigating risk if the likelihood of a threat and the potential impact are severe enough.
3. Implementation
A comprehensive risk management plan is useless if it’s not implemented. Failure to put the new policies and procedures to safeguard ePHI into action throughout your company can result in the vulnerabilities you identified being exploited: exposing ePHI, your company losing trust, and incurring serious fines.
Implementation needs to occur at all levels of your business, from documenting the newly created policies and procedures, to infrastructure investments, to checking the settings on hardware you identified as a risk. According to NIST SP 800-39,
The objective is to institutionalize risk management into the day-to-day operations as a priority and an integral part of how organizations conduct operations . . . recognizing that this is essential in order to successfully carry out [business] missions in threat-laden operational environments.
NIST is talking about IT operations, but the same is true of all threats to ePHI. A culture of avoiding or mitigating risk at every level can produce a working environment that protects ePHI and strives to maintain security measures. Remember, the risk management plan is essentially a plan of action that must be put into practice to be successful.
4. Evaluation
Implementing your risk management plan won’t protect ePHI if, ultimately, the mitigation strategy you chose doesn’t work as expected. That’s why evaluating the success of your risk management plan after implementation is important. Once in place, you may find that what you thought would mitigate the risk hasn’t done so, or hasn’t done it as well as necessary to bring the danger down to reasonable and appropriate levels. Or you may find that while it does mitigate risk, it also causes severe difficulties in the day-to-day operations of your business. In these cases, another strategy may be more successful for your business in the long run.
§164.308(a)(8) also requires covered entities to “perform a periodic technical and nontechnical evaluation . . . in response to environmental or operations changes . . . that establishes the extent to which an entity’s security policies and procedures meet the requirements of [the Security Rule].” This means that subsequent SRAs need to be performed and your risk management plan re-evaluated whenever there are major changes to your business or IT infrastructure that could affect ePHI.
Like we mentioned in Part 3 of our HIPAA series, documentation is a constant part of compliance with the Security Rule, and the risk management plan is no different. Having a clear record of what you planned, when and how you implemented the plan, and the success or failure of those actions is necessary not only for your own future use but also in case you’re audited.
The Cycle Never Ends
The most important thing to remember about risk is that it never ends and is always finding new ways to threaten your business. You have to keep moving right along with it. Risk management is a continuous cycle of analyzing risk, implementing a plan to fix it, determining if that plan worked, and repeating.
For some businesses, performing an SRA and updating a risk management plan might be an annual activity as part of their HIPAA compliance. Other businesses that have fewer risks and fewer changes to the business may decide to wait two or three years between SRAs. It all depends on what is reasonable and appropriate for your organization.
Just don’t stop moving through the cycle of risk management. Danger doesn’t stop changing, and neither should you.
If you need help implementing the IT requirements of your risk management plan, contact Anderson Technologies today at 314.394.3001 or email us at firstname.lastname@example.org.
If you’re a regular reader of our blog, you might recall that we’ve written about Anderson Technologies’ avoidance of canned, one-size-fits-all solutions for IT. As a small business that specializes in serving other small businesses, we know that different clients have different needs. What works best for a small local nonprofit organization might cause more problems than it fixes for a bustling assisted-living facility.
A St. Louis law firm experienced this firsthand when they were looking for a new IT services provider.
A Personalized Approach
Founded in 1986, this law firm began as a family-owned and -operated law firm. Attorney L. C. stuck to the firm’s guiding values and became the third partner in 2010.
The firm specializes in tax law, as well as business and commercial law and estate planning. “We do the type of planning that you find at a bigger firm,” L. C. says, “but we do it in a way that’s more approachable to the business owner.”
Much like Anderson Technologies, this law firm focuses on serving local small businesses. “The types of planning we do for our clients you would traditionally find at larger firms, where most of the people you’re meeting with are partners but they don’t know what it takes to run the business,” L. C. says. “They can’t tell you those things that small business owners really do feel.”
L. C. continues: “Most of [our clients] are business owners, so we treat them the way we’d want to be treated—or better. We can put ourselves in their shoes and say, ‘This is what I would do for my business if I were you.’ I think that’s a value that you don’t get everywhere.”
Appealing For Change
L. C. recalls that when she first started at the law firm, the firm only had a server without backups to the cloud. If something went awry, their one-man, paid-by-the-hour IT provider would come and perform a quick patch job. Though this was a solution for any immediate emergencies, L. C. knew that they could benefit from investment in a new server backup system or better IT services altogether.
“Like any business owners, we don’t have time to deal with anything unnecessary in our day and we certainly don’t want to deal with technology that we don’t understand causing us issues,” L. C. says. “It’s crucial to have somebody who will always be available to answer those questions for you, because they do come up, even if you try to be proactive about it.” For L. C., moving to managed services seemed like the right option.
After transitioning to a different IT company who advertised remote service capabilities and made empty promises of new hardware, the law firm decided to reevaluate their needs and priorities concerning tech. “Maybe we should look at that relationship,” L. C. remembers thinking of their previous IT partner.
The final straw happened when they moved the law firm to Office 365 and OneDrive. This enterprise-grade business software has numerous benefits, but to this law firm, without guidance from a managed services provider, it was more of a hindrance than an upgrade. “No one was telling us proactively ‘don’t put your computer to sleep’ or ‘don’t turn them off when you leave the office,’” L. C. says. This led to broken processes and incomplete data syncing; even though the law firm had all new computers, they were working less effectively than before.
Instead of getting to the root of the OneDrive syncing problem, the law firm’s previous IT company created a workaround that was inconsistent for the firm’s daily functions. Even less helpful was the company’s unapologetic attitude about the entire situation. “I didn’t get that they really gathered how annoying that glitch had been for us,” L. C. says. She remembers telling them “I’m just going to get out a typewriter and write letters that way because it would be faster than having to deal with my computer.”
Finally, L. C. met Anderson Technologies’ Principal Amy Anderson at a local networking event, and she decided to get a second opinion about their conundrum. “I’d heard her talk about their complimentary technology assessment,” L. C. says. After hearing about what the law firm had experienced, “[Amy] said, ‘That doesn’t make any sense. Office 365 and OneDrive are widely used. It must not be configured properly because there’s nothing unique about your situation that would cause it to work so poorly.’”
The red flags that came up in their 2018 assessment were things that small businesses usually don’t realize they should be looking for, such as the lack of an enterprise-grade firewall and wireless internet routers—which their previous managed services provider should have immediately remedied. Since the law firm deals with sensitive client data, ensuring they had a secure infrastructure was a top priority. And the issue with Office 365 had to be resolved in order to ensure their data was being replicated and shared internally properly.
After working with Anderson Technologies, L. C. says: “I trust that they’re not going to do something wrong and that they wouldn’t be telling me to buy something I didn’t need or that they wouldn’t do for themselves.”
Although L. C. is very enthusiastic about Anderson Technologies’ technical work, her real trust lies in Anderson Technologies’ accountability and responsibility to clients. Like the law firm, Anderson Technologies is a small business for small businesses, and this value assures that the client’s best interests always come first. “That’s kind of their approach,” L. C. says, “that if they were me, they’d do XYZ. . . . They’re going to actually do what they say they’re going to do.”
Anderson Technologies continues to assist this law firm with onboarding new employees and installing hardware, including a high-speed scanner. Tax season is a very busy time for the firm, so it’s especially important that their computer infrastructure is now stable, ideally configured, reliable, and secure.