Contact Us Today!   314.394.3001   |   info@andersontech.com

Posts

Byte-Size Tech: Working from Home with a VPN?

/in , , /by

 

… What Could Go Wrong?

Mark Anderson and Libby Powers of Anderson Technologies take a moment to explain how a popular work-from-home set-up might not be providing the security you want. If you’re re-evaluating your remote work set-up, or considering a hybrid work (part time at home) model, it is important to dig into the security you’re really getting – not just the security you thought you had.

 

Related Reading

Contact Us

 

Transcript

Libby Powers: Hi, everybody, thank you for joining us on another episode of Byte-Size Tech.

Mark Anderson: Hi, everyone.

Libby Powers: Mark Anderson, one of the principal founders of Anderson Technologies. Today we’re going to be discussing working from home and having a hybrid approach using a VPN, right? Can you tell us a little about what a VPN is?

Mark Anderson: Sure, a virtual private network is the equivalent of stringing an orange extension cord from the corporate office to your home office and having that dedicated connection between the two.

Libby Powers: Got it. When all these companies were forced into this work-from-home situation last year, many companies were advised that the VPN was all they needed, whether it be a work computer or a personal computer, right?

Mark Anderson: Yes, exactly.

Libby Powers: Okay. We actually were talking to a company a couple weeks ago, and they were advised by another IT firm that the VPN was the only precaution they needed to take for working from home, whether on a company or personal computer. I’m pretty sure they were pretty upset to learn that that’s not it.

Mark Anderson: Well, VPNs are wonderful. We strongly recommend their use when you have data at the company that you need to have access to. But what you can’t forget is that it’s really important the level of security that is installed on the home office computer, whether it’s a laptop, or a normal workstation.

In this particular case, the individuals were using all home computers that had not been audited by the company’s IT department to determine whether they had the latest operating system updates, whether they had an enterprise-grade antivirus/anti-malware program installed. It was kind of a hot mess back at the home office that was then being exposed to the company and company data via all these VPN connections from everyone that was working from home. It was not good.

Libby Powers: So basically, what we’re saying is that—and I was very surprised to learn this is, as I have kids, obviously many of us have kids— everything that the kids do on their devices, whether it’s even on the device you’re working on, your personal computer, maybe they have an iPad or a laptop or something for whatever they’re doing, it’s affecting the network, right?

Mark Anderson: Well, it can be, right? Because the issue is that if someone [or their] child has a computer, and they click on something they shouldn’t, and something is installed then on that that particular computer, anything that is attached to the network could be at risk. So any other computer— namely, the one that the individual is using to connect to the corporate office—that one could be infected by something that had gone on with your kids’ computers, so you just have to be very aware of that.

Libby Powers: Then what are some of the additional protocols?

Mark Anderson: Sure. If the company cannot afford to send dedicated laptops home with every employee, then you need to get into, “All right, well, what devices do I have attaching to my network, and what kind of software is installed on those devices?” Each one of them truly needs to be audited, and then we would highly recommend that those free antivirus programs get deleted, and more enterprise grade ones get installed.

Libby Powers: So you’re saying that the free antivirus that comes with my computer when I buy it is not enough?

Mark Anderson: It’s usually not adequate. That’s correct. Well, that’s probably a subject for a whole other video because there’s a lot of detail which goes into that as well.

Libby Powers: That’s good to know. Well, I think the key takeaway here is that so many of us were forced into doing a work-from-home or a hybrid, and many companies were advised that the VPN was kind of a silver bullet, and we know that it’s not. Just make sure you’re working with an IT company, and that they really understand the need and necessity for possibly having other softwares in place to protect your company data even further.

Mark Anderson: Sure, that’s right.

Libby Powers: Awesome. Well, you can read more about this on our blog, and I look forward to having another conversation with you regarding the actual software that you get for free and all that entails. Thanks, everybody!

Mark Anderson: Thanks for listening. See you next time, bye-bye.

Byte-Size Tech: Make Big Changes with IT In Mind

/in , , /by

 

Amy Anderson and Libby Powers of Anderson Technologies take a managed IT services provider approach to big changes. In light of the tumultuous last year, many businesses are facing an office move, remote work, or rightsizing operations. If you are too, be sure to plan with your IT needs in mind. The best way to do this is in partnership with your IT provider, because a DIY approach may end up causing more problems than it solves.

 

Related Reading

Contact Us

Transcript

Libby Powers: Hi, everybody! Welcome to another episode of Byte-Size Tech. I am joined today with Amy Anderson, Principal of Anderson Technologies.

Amy Anderson: Hi, everyone! Good to be here.

Libby Powers: Today we’re going to discuss something that nobody really thinks about. Over this past year, there’s been a lot of movement—whether your employees are moving from office to home, or home back to office in a hybrid model, or your company’s downsizing, upsizing, just all this movement. One of those big things that nobody ever thinks about is how they’re going to move their IT.

Amy Anderson: Yeah, it’s true. We moved into this office about a year ago, and I can relate. It’s a big project, you’re trying to run a business, and it’s almost like you have two jobs trying to figure out how to lighten that load on the IT. I have a few thoughts about that today.

Number one is planning. Start early. Don’t forget about IT. I know we’re all excited about where everyone’s going to sit in the new offices and the tables and chairs, but think and plan ahead of time with the IT. Make sure that either you or your IT provider are looking, coordinating with your ISP—your internet service provider, if it’s Charter or AT&T— because sometimes there’s a lot of complicated things they need to do and you need to coordinate early.

What else were we thinking about?

Libby Powers: You had mentioned something to me that you need special plug-ins?

Amy Anderson: Oh, yeah, you just need to pay attention to those little details. In our server room, we have an APC battery, and it has one of those big round fat plugs.

Libby Powers: Kind of like a dryer?

Amy Anderson: Yeah, like a dryer. I can’t remember, it’s called a NEMA plug, actually. So you need to make sure the electrician’s been there, that you have everything you need, look at your low voltage wiring.

We really recommend that every employee has a hardwire to their computer, not Wi-Fi. Wi-Fi is good to have as well, but not as your primary. Hardwire is a lot more reliable, and you don’t want to have to be calling your IT support desk as often.

Libby Powers: Many years ago I was working for a company that moved from one location to a completely new location. Then within that location, while the office space was being built out, we were in this like little cubby hole, like ten of us in this crazy small room. We were tasked with moving all of our IT. Basically, I had to move two screens, my computer, all of the equipment, and I was tasked with setting it all back up. Well, for a non-tech person, I had to ask six other people where to plug things into. Now I know now, luckily.

Amy Anderson: What we found over the years that sometimes people try and do that thinking it’s going to be less expensive, but it ends up being a spaghetti mess and it takes more time for IT people and more money for them to come in and get it all organized.

I really recommend, don’t have a traditional mover or your employees move your IT. Have an IT team that’s knowledgeable about it do it for you, they’ll hand do it, and sometimes when it’s really complicated, they’ll take pictures ahead of time, maybe in the server room, to make sure that everything gets put back exactly right, which saves you money because if it’s not done right they don’t have to spend hours figuring it out.

Libby Powers: That’s awesome. So one of the big takeaways is plan, plan, plan. And don’t rent a U-Haul.

Amy Anderson: Exactly. And you’ll have a really smooth move. You’ll move all your workstations, get those set up, and then the last thing, if you have a server, would be to move your server, and everything will be peachy and you’ll be happy! You can get back to business.

Libby Powers: We really appreciate that, Amy. Our key takeaway here is just that you want the most productive team during this move, so the less downtime is going to be important. Make sure you’re working with a company that can do that for you.

Amy Anderson: Thanks for joining us today.

Libby Powers: Thank you all. Have a great day.

Byte-Size Tech: Insure Against Tech Disaster

/in , /by

 

Anderson Technologies’ Junior Systems Administrator Quentin Topping sits down with Libby Powers to talk about the little things a managed IT services provider does every day to protect from big disasters. Sometimes, things like insurance and maintenance can seem useless, but insuring your business against potential disaster is something you’ll wish you’d done before the worst happens.

 

Related Reading

 

Transcript

Libby Powers: Hi, everybody! Welcome to another edition of Byte-Size Tech. I am joined with Quentin today. He’s one of our Junior System Admins. Quentin, you want to introduce yourself?

Quentin Topping: As Libby said, I’m Quentin Topping. I am a Junior Systems Administrator here at Anderson Technologies. I deal with all our on-the-ground computer work.

Libby Powers: He’s very much in the trenches every day with making sure that our clients are receiving the best level of support possible. And honestly, kind of what you do is to make sure that they’re not calling in to us because we’re proactively figuring out what’s going on with them and, if there’s an issue, just taking care of it.

Quentin Topping: Exactly, I would much rather keep you from having an issue at all then have to try and fix something.

Libby Powers: Awesome! So something that Quentin and I were discussing is insurance. We have insurance for many things: we have insurance on our house, we have insurance on our car, some of us may have insurance on our pets, so there’s some truth for many reasons. And why we use that insurance, or why we pay for that insurance, is because we want to make sure that in the case of something happening, we’re going to be covered. Correct?

Quentin Topping: Exactly.

Libby Powers: Okay. Something I was telling Quentin is several years ago, I had a house fire, and it was a total loss. And four days before the house fire, I was able to sign homeowner’s insurance, which took care of a lot, not the memories but those things that we lost, like clothes and stuff like that. We equate that with what we do. We are your insurance for anything: data loss, ransomware… Can you talk a little bit about that?

Quentin Topping: Yeah, absolutely. Preventative maintenance is as much of what we do as active repair and active maintenance. When you call in about your Outlook working or your programs not working, our goal is to also try and prevent those issues from ever arising. IT management is about prevention, recovery, and active maintenance.

Libby Powers: What are some of the things that you do on an ongoing basis that would be this preventative maintenance, kind of like changing the smoke detector in your house?

Quentin Topping: We like to check your system to make sure it’s up to date, we like to make sure all of your programs are up to date, we actively monitor ongoing security threats that are known throughout the country, and we actively take the steps to make sure your system is not rolling the ball to those common threats.

Libby Powers: Something that Quentin said to me which I really liked was we are kind of your fire department that would you would call and say “I have an issue.” But instead of the entire fire department coming, they would just be able to put out the fire from wherever they were. Now we know that’s not going to happen with an actual fire, but if you’re having a meltdown in your business, just think of being able to call somebody who could fix that in a moment’s notice. Right?

Quentin Topping: Exactly, that’s the joy of the computer world we live in. We can, with a press of a button, turn everything back to the way it was. Recovery is just as much a part of prevention as actively monitoring threats. We—a lot of places—will provide the ability to recover your data. So if your system goes down, you lose access to your email, we can recover that to the last state we had it in. An analogy I told you before is like if the fire department had a copy of your house saved at the fire station they could provide to you after it burned down.

Libby Powers: Oh gosh, wouldn’t that be handy? Who knows, with 3D printing these days, who knows what’s going to come about. Anyway, we hope you understand why having a managed IT company work with you and proactively monitoring your IT infrastructure and security is really important, not only for your business, but for all of your data. I appreciate you joining me today, Quentin. Hopefully we can do this again. Reach out to us at any time. Thanks so much. Have a great day. Bye.

Contact Us

Byte-Size Tech: Don’t Get Zoom-Bombed!

/in , , , /by

 

Mark Anderson and Libby Powers chat about Zoom best practices and share the story of a client who recently got Zoom-bombed after posting the details of their call publicly. Zoom has some security features baked in, but be sure to toggle them and use the tips Mark and Libby share to ensure you have the best Zoom experience! And if you’d like to read more about these tips, check out our blog on the subject!

 

Related Reading

Contact Us

 

Transcript

Libby Powers: Hi, everybody. Thank you for joining another edition of Byte-Size Tech. I’m here with Mark Anderson of Anderson Technologies.

Mark Anderson: Hi.

Libby Powers: Everybody was forced into video conferencing in 2020. And there’s a lot of funny stories that actually came out of that, but there’s also some pretty serious things that that arose. One of the big things is “Zoom bombing,” and it actually happened to one of our clients in a significant way. So we want to tell you kind of what happened with them, and what you can do to protect yourself.

Mark Anderson: Great. Thanks, Libby. Yeah, one of our nonprofit clients on the East Coast was hosting monthly meetings, and in order to reach the most people, they decided that they would put the invite for the Zoom meeting up on their public facing website, including the ID and password. I love the ability to reach a lot of people on the web, but you’ve got to be so cautious about the information that you share. So, instead of that, it would have been lovely to have a registration page or something along those lines.

Libby Powers: And during that meeting, something significant happened, right?

Mark Anderson: Yeah, unfortunately, right when they were getting into an inspirational portion of the meeting, pornography showed up on the screen. Obviously, this is not what anyone wants to see or have happened to their rather serious meeting, so they shut the meeting down immediately.

Libby Powers: With the help of you guys, right?

Mark Anderson: Yes, yes, right, and then help them to send out new invites so the meeting was held on the day. But we needed to have a discussion about some very simple things that we all can do to make our meetings more secure.

Libby Powers: You know, those things are going to be on any video conferencing software, right? So whether or not you’re using Zoom or Teams or Citrix or anything like that.

Mark Anderson: So just from a very high level, guys, what you want to do is always have a unique meeting ID even though, in many of these services, you’re when you sign up for them (granted, a personal one) have a unique ID. Be sure to set a password, obviously, that you don’t share in a public way. If possible, you can also go in and alter the settings for the meeting to either establish a meeting room, have people come in on mute, or with their video turned off, or potentially turned on. In Zoom’s particular case, if you require everyone that’s coming to the meeting to have a Zoom ID, if anything were to go on that would be deemed negative, that activity is tied to an ID to allow you to take a little bit more specific action about it.

Libby Powers: We actually have an article on our blog written about this, as well as some really great tips and tricks for you to secure yourself. There’s a link at the end of this video for that blog. I urge you to go check it out. Thanks so much. Thanks, Mark.

Mark Anderson: Stay warm, everyone. It’s 12 degrees outside right now. That’s our lovely digital window. Okay, bye.

Human Behavior Impacts Cyber Security

[Updated for 2020] – “The Russians Have Hacked into Our Computer…” – Human Behavior and Cyber Security

/in /by

Anderson Technologies reports on a wide variety of topics to help keep you and your business’s technology safe from harm. But sometimes preventing trouble isn’t about the hardware or software you deploy—it’s about the people you employ.

The year 2020 has been host to worldwide climate disasters, a global pandemic, and political and social upheaval. Bad actors take advantage of chaotic times and prey on those most vulnerable. Whether you consider yourself tech-savvy or not, it’s more important than ever to be vigilant about your digital communications.

We all know someone who has fallen victim to a phone or email scam. Some of us might have received a desperate call from a friend or family member trying to undo an unknowingly self-inflicted intrusion on their personal or financial information. Members of the Anderson Technologies team have received such calls, one of the more memorable being, “The Russians have hacked into our computer, and we’ve been on the phone for a half an hour or so with India. The guy’s helped me reestablish my password, but he thinks we should do some further work and maybe take the modem to the Apple store.”

This is so common that it’s become part of our cultural understanding, and it’s likely that you have even joked about “Nigerian princes” or romance scams that target people just looking to connect with others. Why would the Russian government want to hack your personal home computer? Why would a Nigerian prince choose you to receive their inheritance? Thankfully, in many cases, experts are involved before permanent damage is done.

What you might not know, however, is that even the corniest scam could have a network of planned, patient individuals behind it. Scammers target unsuspecting users and gather data publicly available on the web or sold in data breaches to build trust and elicit the missing pieces needed to access private account information. But how do these choreographed schemes apply to your business?

It’ll Never Happen to Me

Who do you picture when you hear the words “scam victim”? Several stereotypes may come to mind: blue collar workers, bored housewives, or older folks, to name a few. But if you don’t fall into those categories, it’s too soon to consider yourself safe! Thinking scammers won’t attack because you’re an improbable target leaves you exposed and off guard.

For this, we can blame optimism bias, which is the tendency for individuals to believe they are less likely than others to be vulnerable to negative events. Even when the Better Business Bureau (BBB) or the Federal Trade Commission (FTC) releases accounts and warnings about the thousands of scams reported each day, in-the-know readers might react by thinking these threats don’t apply to them. Aren’t you too smart to be fooled? What would you have that a hacker would want anyway?

Money and data are the driving forces behind nearly every cyber scam. Whether that scam affects an individual or an entire business, any instance of a bad actor getting past cyber security safeguards runs the risk of damaging your business. And when you consider the inaccurate stigmas surrounding scam victims that is pervasive in our culture, it’s even more difficult to stop the problem at its source.

“We often don’t want to acknowledge to ourselves that we’ve been conned. It’s crazy how often you have people who, even when you present them with evidence that they’ve been the victim of a scam, refuse to believe it. The other thing is even if we do realize we’ve been scammed, we often don’t want to let other people know, because we’re embarrassed.” – Maria Konnikova, author of The Confidence Game: Why We Fall for It … Every Time, in an interview with The Cut

But We Have a Firewall!

Personal consumer or romance scams may not seem like they’re much of a threat to your business. Like any physical crime, cyber criminals can’t gain access to your business unless there is a vulnerability or breach of some sort, such as when someone opens an email or answers the phone. Who your employees share information with on their own time may not seem to be your concern as a business owner, but good personal practice translates into a stronger, safer business.

Phishing and spear-phishing campaigns are some of the most commonly-encountered scams, and they’re now more dangerous than ever. Business email compromise (BEC) has consistently been one of the leading dangers to cyber security infrastructure in nearly every sector. No business, large or small, is safe.

Hacking into your business’s hardware systems or networks is only one way to gain unauthorized information. Dedicated spear-phishing tactics use data mined from public accounts and web activity to target specific departments or employees. The only thing that separates personal consumer scams from business scams are the lies the criminal uses to try to break down your barriers.

Scammers often take advantage of brand familiarity and emotional response. Unexpected messages from a random email address or blocked phone number are much easier to ignore than a seemingly safe communication from Microsoft or UPS.

One scam that aims directly at businesses is the “Directory Scam.” Employees receive a call from a well-known or non-existent agency requesting business information to update their directory. When your employee provides them with your business’s address and contact information, they send a fake invoice for the “service” and, if questioned, often fire back with edited audio from their previous call that “proves” your employee accepted the charges.

Another targeted hustle that’s gained steam over the last couple of years is known as the “Grandparent Scam.” In the linked case study, the victim receives a call from a scammer who claims to be his grandson needing bail money. This scam may seem ridiculous, but many have fallen victim to it because the caller knows the names of the grandparent and child as well as other personal information that would encourage one to believe they’re telling the truth. The scariest part about this scam is that the scammer called this victim at his place of work, further illustrating that public data on the web is available to anyone with the knowledge to find it.

The “Nigerian prince” scams that often get joked about really did happen in the 90s, but this grift now encompasses a more extensive network than traditional romance scams of the past. Previously, organized groups known as Yahoo Boys would target susceptible victims and forge an online “relationship” with an individual. The fraudsters, named after the popular search engine, spend weeks or months keeping these scams going, until the scammer creates a convincing story about needing money from their online partner.

Now, COVID-19 has blurred the line between BEC and individual-targeted scams like those from the Yahoo Boys. Many people currently feel lonely, isolated, and desperate to make connections during what may be one of the scariest and most stressful periods of their lives. Higher numbers than ever have transitioned to permanent or semi-permanent remote work situations. This means that your business networks are now at risk in new ways, such as if an employee accesses a business connection from their home office and uses it to check their personal email. A bad actor can potentially find a weakness in the remote work environment that leads them right into your business.

“People who are going through times of extreme life change, for instance, are very vulnerable to con artists because you lose your equilibrium.” – Maria Konnikova

Scammers who’ve spent time learning about their target may have information that allows them to guess passwords or use public data available to anyone with the knowledge to find it. A simple personal scam can become the first step in a BEC attack that affects your entire business.

What Steps Can I Take to Protect My Business?

Bolstering the human side of your cyber security strategy is your business’s best shot at breach prevention. BBB is one of many organizations to provide a checklist of ways to educate yourself against common scams. While most of the lists aren’t geared towards business owners, many of the habits suggested can perform double-duty in both your professional and personal life. Anderson Technologies has a few tips for applying that knowledge specifically to your business networks:

  • Keep an open dialogue with your employees and vendors about cyber security practices. Educating employees protects their well-being as well as your business’s. Anderson Technologies has covered employee cyber security education in the past and takes it very seriously.
  • Educate yourself about what kinds of scams you or your business might encounter. The BBB has compiled a thorough list here.
  • Be wary of email attachments. If you didn’t request it, you probably shouldn’t open it.
  • Use technology to your best advantage. Know how firewalls, anti-malware software, secure browsing, and network safety can benefit your business.
  • Secure your remote connections. Make sure all employees understand and follow best practice guidelines while working from home. Provide company-owned and -protected devices for remote work.
  • Ask your IT provider about resources that can keep you safe. There are many programs that do some of the background work for you: NoMoRoboLastPassHTTPS EverywhereProofpoint, and so many more! Some of them are even free. Talk to a professional to determine the best investment for your business.
  • Question everything. Zero-trust practices can be employed over time, making universal authentication easier for everyone involved.
  • Any accounts with access to sensitive data need to be protected with MFA. Multi-factor authentication is a key method for stopping criminals in their tracks.
  • Never grant users administrative access. Only qualified IT professionals should have administrative powers and these should be used only when required.

The Yahoo Boys example mentioned earlier in this article is only one of hundreds of scams permeating every demographic, consumers and businesses alike. This is only one part of a concerning trend in 2020, in which cyber criminals and organized groups are taking advantage of global turmoil to target new vulnerabilities. Countless COVID-19 scams continue to emerge and threaten businesses, so it’s more important than ever to stay on top of every potential vulnerability, including employees you may not see every day.

 

For more information on avoiding scams in the time of COVID-19, download our free Work From Home Checklist or contact our team today.

 

Contact Us

MFA – An Extra Layer of Digital Protection [Updated for 2020]

/in /by

What do logging into Netflix from a new device, updating your PayPal account information, answering questions about your first car before accessing your iTunes account, and withdrawing money at an ATM all have in common? Authentication!

The National Institute of Standards and Technology (NIST) creates guidelines for passwords and the software that requires them, which Anderson Technologies has previously discussed. Technology is still changing to adopt these standards, so it is up to us to take cyber security into our own hands—and that includes business security practices. The most commonly used and overlooked of these measures is password safety and authentication.

Hackers are great at keeping up with technology, so as consumers and business owners, we must keep up with it as well to stay safe. Multi-factor authentication (or MFA) has been around for years, and it’s so common that we take advantage of it more than we might realize. MFA remains one of the strongest defenses surrounding our digital lives.

What Does MFA Look Like?

You’ve probably already encountered MFA without realizing it. Any website that utilizes verification codes or emails is using a form of MFA. A task as simple as changing your Apple ID requires MFA to confirm the new information. With the prevalence of data breaches across the globe, MFA can protect your account even if your password is compromised.

MFA as it applies to your business’ safety most often takes the form of software that requires a user to provide two forms of evidence proving they are authorized to access the system. This includes security codes, verification emails, security questions, and biometric software. Physical security keys, such as Yubikey, can be used as an identifier and ensure only the person with the device can access the accounts.

Applications like Google Authenticator or Authy can also be attached to countless logins by connecting your account information. Validated access to your account (your email, for example) is established with a unique QR code or numerical key that securely connects your mobile device. From that point forward, logging into the site requires not just your standard user name and password but also a randomized six-digit code available only on your device. This code refreshes every 30 seconds for even greater security.

Some sites and servers have their own internal methods of verification, and other MFA methods may require special hardware, such as badge readers. These are useful for businesses and organizations that use specialized systems to access confidential databases. This includes cashiers logging into their retail system or technicians scanning an ID card to pull up your file during a dentist visit.

What Are the Benefits of MFA?

If hackers get their hands on your login credentials, it’s easy to mine data from your other accounts. MFA acts as a barrier to the hacker by confirming the identity of the user attempting to login through secondary security measures. In this way, even if your password was compromised, it would be useless without physical access to your authentication device or account.

MFA is beneficial for companies who have employees on the go or working remotely. Using multiple layers of authentication allow remote employees to securely access encrypted data from unfamiliar networks and devices.

What Are Some Challenges to Integrating MFA?

Resistance to change is one of the tallest hurdles when integrating MFA into your business networks. Though MFA usually uses devices your employees already have (like their smartphones), some see MFA as inconvenient or time consuming. This is rarely the case when using simple applications.

MFA goes hand-in-hand with the Zero Trust security model, a tool that requires authentication at every step of the login process. New security concepts can be challenging to introduce in the workplace but, like all new plans of action, the multiple verifications will become second nature. Your company will greatly benefit knowing your data is secure.

You may find it valuable to coordinate with a managed services provider when integrating MFA to internal networks, especially if your needs require special enterprise-grade hardware. An IT support team can provide training to ease the transition for your employees, some of whom may be hesitant or feel they don’t have the time to properly implement MFA across all their accounts.

With a little practice and an IT team behind your business’s transition, MFA doesn’t have to be intimidating or bothersome—and the benefits are invaluable. For more information on how to keep your business safe using MFA, contact Anderson Technologies today at 314.394.3001.

Contact Us

The Murky World of Cyber Insurance

/in , /by

Anderson Technologies often reports on the rising dangers of ransomware or other forms of cyber attack and how to defend against them, but even the most diligent business can still fall prey to determined cyber criminals. A robust business continuity and disaster recovery plan can get you back in business without as much downtime, but the cost of the intrusion may continue to rise if personally identifiable information (PII) or electronic protected health information (ePHI) is exposed in the breach. Small business owners need to seriously consider adding a cyber insurance plan to their existing insurance coverage or they may find themselves without any financial support when they need it.

Why Is Cyber Insurance Necessary?

When cyber crime was just becoming a major financial problem, policies often did not explicitly include or exclude cyber attacks and damages. If the insured party claims that the damages incurred by a cyber attack fit the definitions of the policy’s terms and the insurer pays out, this is considered “silent cyber” coverage.

Some insurance companies refuse to pay for damages from cyber attacks, though, and many insurers have begun explicitly excluding cyber damages from general business insurance policies in favor of separate cyber insurance policies. Insurance companies have been taken to court for failing to pay this “silent cyber” coverage, and some policyholders have successfully won, but this is not always the case. That lack of guaranteed coverage should concern small business owners who do not have a dedicated cyber insurance policy.

What Types of Cyber Insurance Are Available?

When choosing cyber insurance policies, there are two main types of insurance coverage available: first-party coverage and third-party coverage. It is essential that buyers know the differences between these two types of coverage and carefully examine the necessity of both for their own company.

For a quick overview on what cyber insurance policies should include, the Federal Trade Commission provides a helpful checklist for small businesses.

First-Party Coverage

First-party coverage involves the costs incurred directly by the insured company as a result of a cyber attack. The types of expenses or damages first-party cyber insurance can cover include:

  • the cost to restore or replace data and software destroyed or stolen in a breach
  • the cost of investigating a data breach or cyber attack
  • income lost during downtime or spent to restore the business to working order
  • the price of a ransom demand, if paid
  • the cost of notifying all necessary parties, including customers, if PII or ePHI is compromised
  • the cost of crisis management to deal with the media/public fallout from a security breach

Third-Party Coverage

Third-party coverage involves the expense of legal action taken against you as a result of a breach. This could be by customers or by other businesses whose data is compromised. Third-party cyber insurance can cover:

  • claims of negligence that resulted in the cyber attack and breached data
  • claims for failure to fulfill a contract due to system downtime or lost data
  • claims of defamation, invasion of privacy, or copyright infringement as a result of exposed data
  • settlements or damages owed to injured parties
  • fines imposed by regulatory or state agencies

For businesses at risk of breaching client or customer data, both types of cyber insurance may be necessary to cover all possible expenses. A thorough risk assessment of the business can help determine the best course of action.

Denial of Coverage

Just because a business has purchased cyber insurance doesn’t mean the insurance company will pay a claim in the event of a breach. Many policies require businesses to maintain a certain level of cyber security infrastructure for a claim to be paid out or have exclusions for certain situations. The language in the policy can be broad, depending on the insurer or policy, so small business owners should thoroughly discuss what is expected and how the insurer defines the terms of all requirements and exclusions.

Some insurance companies provide a risk self-assessment to businesses before agreeing to sell the policy. If the business doesn’t maintain the standards laid out in the risk self-assessment, or if the answers provided are false or misleading—even by accident—then the insurance company can void the policy.

These exclusions have already been upheld in many cases of data breach. In 2014, Cottage Health System in California settled a class action lawsuit against them for a data breach of more than thirty thousand medical records. Their insurance company paid the $4.1 million settlement, only to later sue Cottage Health System for the money back, citing the organization’s failure to meet minimum cyber security standards and inaccurate information given on the risk self-assessment. This case is still in process.

An exclusions clause in P. F. Chang’s cyber insurance policy cost the popular Chinese restaurant chain $1.9 million after its breach of customer data, which included credit card numbers. The policy excluded any “contractual obligations” that P. F. Chang entered into with third parties. In this case the court agreed that P. F. Chang’s contract with Mastercard to pay fines in the event of a breach fell under this exclusion.

In order to ensure their policies provide the financial insurance they’re supposed to, businesses should:

  • carefully read all requirements and exclusions listed in the policy and make sure all vocabulary is clearly defined to avoid ambiguity
  • answer all risk self-assessments accurately and thoroughly, avoiding or explaining absolute questions (yes or no) whenever possible
  • invest in the level of cyber security required by the insurance company, or better
  • make sure the policy covers all the cyber attacks the business is at risk for
  • have both first- and third-party coverage, if applicable

The last thing a business needs after a cyber attack or data breach is to find out their insurance won’t help pay for the damages.

The Growing Need for Cyber Insurance

The necessity of explicit cyber insurance coverage is only becoming more prevalent. Fines issued by the Department of Health and Human Services for HIPAA Privacy and Security violations range from the tens of thousands to millions. At the same time, state and international privacy laws, like the California Consumer Privacy Act and the EU’s GDPR, are stricter and impose increased fines that raise the cost of a data breach.

No matter how secure your IT infrastructure is or how diligent your IT department or MSP is, it only takes one employee clicking on the wrong link or visiting an infected webpage for cyber criminals to invade your systems. When that happens, small businesses need the financial support cyber insurance provides to investigate the breach, recover the business, and manage the public damage. Without aid, the cost of a breach may prove too expensive for small businesses.

 

Don’t let your insurance company leave you high and dry in a crisis. Contact Anderson Technologies today to shore up your cyber security infrastructure. Call us at 314.394.3001 or email us at info@andersontech.com.

Contact Us

The Ultimate Guide to Secure Remote Work [Updated for 2020]

/in , /by

With the coronavirus in the news, more businesses than ever are considering whether telework is a viable option for their company and employees. But with new cyber threats and data breaches constantly reported, business owners have to ask themselves,

How do I maintain my cyber security when my employees work remotely?

Whether you have one employee working on a mobile device while on a business trip or your entire staff telecommuting from home, your cyber security shouldn’t be sacrificed for convenience. By understanding your options and working with a quality IT services provider, you can safely navigate the cyber world and keep your business protected.

Get Our Free Work From Home Checklist!

Cyber Security and Telework

Maintaining your cyber security while allowing your employees to work remotely can be a challenge, but it can be accomplished with minimal risk if you plan ahead and choose the right options for your business. If you don’t expect someone to infiltrate your network, you won’t be protected when someone tries. Always prepare for the worst-case scenario.

Assume that communications on external networks, which are outside the organization’s control, are susceptible to eavesdropping, interception, and modification.”—Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST 800-46r2)

How Do You Prepare for Telework?

Start by choosing the best telework option for your business’s needs and budget. There are four basic ways to secure your network while allowing remote access to employees.

  1. VPN Gateway:  Virtual Private Network (VPN) gateways create secure access from the employee device to the VPN gateway and onward to your internal network. In this way, your enterprise-level cyber security measures are extended to the VPN, which acts as a secure tunnel for employees to work through. Some VPN gateways can even extend your business’s firewall rules to the employee computer no matter where they are working through the use of a portable device—a great advantage when travelling on business.VPN gateways offer several great telework features, but while communication is protected through a VPN gateway, the employee’s computer could still be at risk of transmitting infected data if the computer itself is compromised. VPN gateways should only be used in conjunction with properly configured, company-owned hardware to maintain high security standards and minimize the risk to the internal network.
  2. Portals:  In this method, telework employees access company data and applications through a browser-based webpage or virtual desktop. All applications and data are stored on the portal’s server and cannot be downloaded or saved on an employee’s device without permission. This is a good way to keep control over who is accessing your data and how it is used.The danger with portals depends on what permissions the employee has while accessing the portal. If the portal allows an employee to access other areas of the internet while connected, it could provide an unintended avenue for criminals to access your network. It’s safer to restrict employees’ access to other programs while the portal is in use. The more access an employee has, the less secure the connection becomes.
  3. Remote Computer Access Service:  Remote computer access services allow an employee to remotely control a computer physically located at your business via an intermediate server or third-party software. When the two computers are connected, applications and data remain on your office computer, and your network’s cyber security measures are enforced. Your remote device acts as a display for the work performed on your office machine.Due to the direct access, remote desktop connection is considered high risk in cyber security terms. Proper configuration is critical. When set up correctly, communication between the two computers is encrypted for the data’s protection, but it is also encrypted from the organization’s firewalls and threat detection. No matter how good your cyber security measures are, if the employee’s home computer doesn’t have the same protections as the office workstations, malicious data can slip into your network unnoticed during a remote desktop connection.
  4. Direct Application Access:  Direct application access is probably the lowest risk to your cyber security measures out of all the remote access methods because it is best used only with low-risk applications. In this method, employees can remote into a single application, usually located on the perimeter of your network, such as webmail. The employee doesn’t have access to the entire network, allowing them to work on select applications without exposing your internal network to danger.Though there is much less danger posed by direct application access, it generally doesn’t allow for extensive work to be done. There is very little connection to data on your network, and little ability to take data to another application if needed. It is best used when traveling or on a mobile device where complete access to the network is not necessary.

The type of telework you offer may also depend on governmental regulations requiring a certain level of security. Those working in the healthcare sector should consult with their HIPAA Security Officer to make sure any telework is performed according to HIPAA guidelines.

Using company-owned and maintained hardware is the best option when working from home or on the go. Properly-maintained company laptops reduce the risk of unpatched or out-of-date software connecting to your network and often have more robust anti-virus/anti-malware protections than personal computers.

For many small and medium businesses (SMB) though, providing all employees company devices is not financially feasible or practical, especially if the need for remote work is temporary. The best choice for SMBs is either establishing a site-to-site VPN connection or using a secure remote desktop service to connect to their office computer. SMB should be aware of and willing to accept the added cyber security risks of using personal devices before implementing this type of work-from-home policy.

Are you looking for a partner in implementing work from home for your small business or organization? Contact Anderson Technologies today for a free cyber security audit or to start the consultation process!

Mobile Devices

Telework isn’t the only way employees access your network. Mobile devices have become ubiquitous for work on-the-go, but if you fail to protect these devices, your business and clients may suffer. There are basic security recommendations for securing any mobile device, including thorough employee training in cyber security, strong encryption, keeping software up-to-date, and supplementing your security with third-party anti-malware/anti-virus software. While these fundamental methods keep the average device secure, if you’re dealing with sensitive or confidential data on your network you may need additional safeguards.

Given the similarity between the functions of mobile devices, particularly as they become more advanced, and PCs, organizations should strongly consider treating them similar to, or the same as, PCs.”—Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST 800-46r2)

NIST’s Guide to Enterprise Telework offers detailed suggestions for protecting any business when it comes to mobile and telework access, including:

  • Turning off networking capabilities (such as Bluetooth) when not necessary for work.
  • Turning on personal firewalls, if available.
  • Requiring multi-factor authorization before accessing your business’s network.
  • Restricting other applications allowed on the device.

Since loss or theft of hardware is far more likely with mobile devices, it is beneficial to use a mobile device management (MDM) solution to maintain control of a mobile device in case of theft or accidental loss. With an MDM, you can locate, lock, or remotely destroy any data on the mobile device. This way your sensitive information won’t fall into the wrong hands, even if the device itself can’t be recovered.

Best Practices for Maintaining Cyber Security

Regardless of the type of remote access you decide on, there are a number of opportunities to shore up your cyber security defenses:

  • Establish a separate, external network dedicated solely to remote access. If something does infect the server, it won’t spread to other parts of your network.
  • Establish a site-to-site VPN connection or use a secure remote service.
  • Use encryption, multi-factor authentication, and session locking to protect your data.
  • Keep your hardware and software patched and updated, including your employees’ remote computers.
  • Enforce strong password policies and have employees use a password manager.
  • Set up session time out on all teleworking connections and automatic screen locks on all computers.
  • Manually configure employee computer firewalls and anti-malware/anti-virus software.
  • Add additional security authentication layers to company data on mobile devices.
  • Set up restrictions to keep unknown or unnecessary browser extensions from being installed. Many have tracking codes the user doesn’t know about, while others are used to spread malware. Stick with trusted and needed browser extensions only.
  • If possible, physically secure computers with locking cables in any untrustworthy place, such as hotels or conference areas.
  • Consider providing company-owned devices for employees to use that can be maintained and secured by in-house IT-staff or your MSP.
  • Consider end-point detection and response or remote access logging to monitor what is happening on your IT systems.

Regardless of how many security protections are used, it is simply impossible to provide 100 percent protection against attacks because of the complexity of computing. A more realistic goal is to use security protections to give attackers as few opportunities as feasible to gain access to a device or to damage the device’s software or information.”—User’s Guide to Telework and Bring Your Own Device (BYOD) Security (NIST 800-114r1)

Privileges, Privileges, Privileges!

No telework operation should ignore the danger of not setting the correct privileges on employees working from home. This step is essential to maintaining a secure, partitioned IT environment.

Implementing accurate and reasonable privileges provides two major benefits to your company.

  1. It keeps employees from accessing data or programs that they shouldn’t have access to.
  2. It keeps cyber criminals from infiltrating your entire network through a single compromised machine or account.

There is no reason a sales rep needs the same access to your company data as the CEO, so why would you give them unrestricted access? Job-specific privileges keep company data safe from insider infiltration while providing each employee with the tools and data necessary to complete their work. The Zero Trust IT model utilizes segmented permissions as the core tenet of its security architecture.

When creating user privileges, keep in mind:

  • Never allow users admin access. The only people who should have admin access to your systems are the IT personnel who maintain them, and even then, they should use an admin account only when performing work requiring it. All users should have a standard, limited user account that cannot alter system settings or privileges.This is especially important when employees work from home on their personal computers. Without the security of an enterprise hardware firewall and business-grade cyber security protections, employees’ personal computers are at a higher risk of being compromised. If their computer is infected and they have admin level access, cyber criminals can use that unrestricted access to infiltrate your entire system, change permissions, and steal or encrypt data for ransom.
  • Need-to-know access only. It takes a bit of technical know-how to set up appropriate user access privileges, but it’s worth the effort. Besides keeping data secure within the company, segmentation of privileges also means that if a computer is infected with malware or an employee account is compromised, the access cyber criminals have to your company and its data remains limited.
  • Use multi-factor authentication. It’s not enough to limit permissions, you need to verify the person signing in is who they say they are. A quick visit to Have I Been Pwned will show how many accounts are already compromised. Multi-factor authentication prevents a compromised account from being used by cyber criminals to access your systems. While security tokens and third-party authenticator apps like Yubikey or Google Authenticate are preferred, any type of multi-factor authentication (email, SMS) is better than no authentication.

Training

Employees need to know more than just how to use the telework programs. Train your employees on cyber security before they go home to work. This is especially crucial if they use their personal computers to telecommute.

Employees should know how to spot and respond to unusual computer activity, which can be an indicator that malware is present. They should also be prepared for phishing and social engineering attempts to gain user account access. Train them on who to contact for IT support and how to verify the person asking for access to their computer is the correct person.

Your employees’ home computers will be the weakest link in your cyber security, so verify they know how to keep their computer safe and how to securely access your systems. Doing so protects them and your business from malicious actors.

 

Telework comes with risks, but with strong security policies and the right cyber security in place, it is worth the investment. A good managed IT services partner can walk you through the process and make sure your business is safe and productive anywhere. For help setting up a telework network, contact the experts at Anderson Technologies by email at info@andersontech.com or by phone at 314.394.3001.

Looking for more guidance on how to keep your work from home systems secure? We’ve got some essential tips on a new blog post, “Working from Home Due to COVID-19: Keep Your Company Data Protected.”

Contact Us

2020 Cyber Security Essentials Checklist

/in , , /by

The start of a new decade brings a sense of changing times and new beginnings. For your cyber security, it marks a good time to review how the state of cyber threats has changed since the time of Y2K or the 2013 Yahoo data breach. With the evolving threats and methods deployed in cyber crime, basic security standards have also progressed to keep your network safe. Do you know the basic security measures you should take to protect your business in 2020?

Download your copy of Anderson Technologies’ Cyber Security Essentials Checklist for 2020!

Verify everything!

We’ve talked before about the Zero Trust model for IT security. Even if you aren’t ready to bring your entire IT architecture up to Zero Trust standards, several of its security measures are now common-sense protections against modern cyber threats.

MFA

Multifactor Authentication (MFA) is quickly becoming the gold standard for preventing unauthorized access to your systems. In an age of Have I Been Pwned’s free credential checking and the all-too-often reuse of passwords, the question is no longer if your usernames and passwords have been stolen, but when and which ones.

MFA is the most basic way to prevent someone with stolen credentials from accessing your systems, and comes in various iterations, from an email or text code to authentication apps and security dongles like or RSA SecurID tokens. It’s a simple measure that ensures the bad actor needs more than a stolen credential to compromise your systems.

Access Controls: Minimum Necessary Use (Need to Know)

The days of free access within an organization are over. Clearly defining user roles and necessary access permissions is essential. There’s no reason for an intern to have the same access to your systems as the office manager or IT staff. Segmenting user access to the minimum necessary for their job performance means that if one employee is compromised, the bad actor won’t be able to reach every part of your business.

Stop Viruses and Malware in Their Tracks!

It’s common knowledge that anti-virus and anti-malware are required in this day and age, but remember that if your software firewall or anti-virus program catches an intrusion, the threat has already made it into your systems.

Know Your Hardware

Businesses need to understand the difference between a hardware firewall and a software firewall. You need to have the best protection against cyber threats, but many business owners don’t realize they are missing the necessary hardware firewall. Go to your IT closet and take a close look. Can you identify your modem, router, and hardware firewall? They are three different pieces of equipment, and if you aren’t sure which is which, talk to your IT staff or MSP to make sure all three are in place and properly configured for maximum protection and minimum interference.

Training and Filters

Firewalls and anti-virus programs won’t be of much use if an employee clicks a link in a phishing email and lets the bad actors in. Blacklisting certain websites and installing email filters like Proofpoint are great first steps for keeping malicious links and emails from getting through, but the biggest way to prevent phishing is training your employees how to recognize it. These tactics are too prevalent not to invest in comprehensive employee training.

Update! Update! Update!

Nothing invites bad actors into your systems like an unpatched computer, such as Windows 7 which stops receiving updates after January 14, 2020. Security updates are not just slight improvements; they often fix known bugs and zero-day threats that bad actors can use to infiltrate or bypass the implemented security safeguards. Without keeping up to date with your security updates, criminals can exploit unpatched vulnerabilities to breach your security and either install malware on or extract valuable and private information from your systems. So, when an update appears, make sure it gets installed right away and upgrade un-supported software as soon as possible.

Be Prepared for a Breach

The era of small businesses being too little to be profitable to hackers is long gone. Small, medium, and large business are all targets for cyber criminals and it’s essential to think not in terms of if you are breached, but when you are breached. How can you mitigate the risk or minimize the damage a breach could do to your business?

Backups

No business in 2020 should be without comprehensive and secure daily backups of their IT systems. Properly configured and tested backups are your insurance against ransomware and natural disasters. If you know you can restore all your data effectively and quickly from backups, there’s no need to pay a ransom for the hope you can get all your data back.

But don’t just grab the first out-of-the-box backup solution you find. Make sure your backup provider doesn’t keep only one iteration, meaning if your backup gets infected, you have no other options. Configure the solution correctly to back up all the information you need.

Encryption

If you are in a HIPAA-regulated industry, encryption is not optional. It’s the best way to prevent unauthorized breaches when mobile devices and laptops are lost or stolen. A properly encrypted laptop lost on a business trip isn’t a breach even if ePHI is on it, since the encryption prevents anyone who finds the machine from accessing the data.

Encryption is a good idea for any business that uses laptop and mobile devices for work purposes. The last thing you need is someone finding a lost phone or laptop and suddenly having access to sensitive business information or programs.

The Daily Routine

Sometimes it’s the little things that end up being the source of a cyber intrusion. These security measures may seem like common sense, but that doesn’t mean you shouldn’t have a clear policy for them. Failure to follow basic procedures everyday can open the door for cyber criminals.

Passwords and Password Managers

Reusing or only making minor alterations to passwords across applications is a major problem. Too many passwords are hard to keep straight, but people struggle even more to remember secure randomized passwords. This can lead to the worst-case scenario of employees writing down passwords that anyone could find. Having a long phrase or sentence the employee can remember is best practice, but if you have a lot of programs that require passwords, you don’t want employees using only one across the board.

Password managers like Myki or LastPass are a great solution to this problem. Employees can create the long, randomized alpha-numeric passwords, which are considered most secure, without the need to write them down or repeat the same password over and over. These services also provide apps for mobile phones so employees don’t need to be at the desk to access their passwords.

Screenlocks

Not every company institutes a screenlock timeout procedure for their business, but it’s a simple and effective security measure, especially if parts of your business are open to the public (HIPAA requires it). Even if you don’t have any public areas, screenlock policies can prevent insider threats from gaining access to an employee’s computer or information simply because they forgot to lock the computer before they left their desk. Make sure the screenlock requires a password and isn’t delayed to the point it’s useless to protect your information.

If you don’t have these basic policies and procedures in place, it may be time to re-evaluate the security measures you are using. Were they created for a different time and threat landscape? Can they continue to protect you against modern cyber crime? If not, it’s time to step up your basic security measures and stop criminals before they sneak into your business.

 

If you need help determining if your current security measures are adequate to protect your business, contact us today for a free consultation!

Contact Us

Robots? Working with Me? It’s More Likely Than You Think

/in , , /by

Remember Roomba? Maybe you have one, zipping around your home, getting caught under furniture and amidst wires. That seemingly simple machine, armed with programming and dust-sucking, became seamlessly integrated in the lives of millions. But even at the height of the Roomba revolution, there wasn’t a lot of talk about smart vacuums stealing our jobs or taking over our homes.

Everyone is fascinated with artificial intelligence right now. It is hard to deny the buzzword power of the term. Tinged with fear or awe, AI often feels like the answer to everything—or our impending downfall.

The reality is far from either. As it stands now, AI like the programming in Roomba, or Roomba’s grown-up relatives found at Walmart and Giant Foods, is a powerful tool. Limited to specific tasks or deep learning, AI may just be the best coworker you’ve ever had.

Is AI Coming for Our Jobs?

Here’s the truth: For employees whose primary job function may easily be replaced by single-task AI, the job hunt may be on. Computer-screen ordering interfaces and shipment-sorters may in fact reduce hours for the humans who previously held those positions and others like them. Fortunately, many businesses are utilizing AI as an opportunity to free their employees for more complex and customer-facing tasks.

For every job that might be eliminated or reduced, there are many more that just don’t work without human hands and minds.

And because thankless tasks are becoming automated, human workers can now spend their time and energy immersed in the more creative aspects of their jobs.

AI and IT: Working Together for You

It may not surprise you to learn that IT is currently the field most welcoming to our AI coworkers. For IT managed services firms that balance the cutting edge with enhanced security, a cautious approach still finds that within specific, defined roles, AI provides valuable services.

Tools like firewalls, antivirus, and remote monitoring, among others, are IT staples that frequently employ AI. There is a firewall AI, for example, that can be programmed to track traffic patterns (volume, uploads and downloads, behavior on websites), and if something appears contrary to what has been deemed “normal” patterns, the associated software can automatically isolate a user’s workstation and alert a human team member that there has been a potential compromise.

Deployed on a larger scale, this type of monitoring and pattern-detecting AI frees IT professionals from manually watching the same traffic. This means billing hours go to solving problems and providing meaningful solutions instead of wondering if a large file download is suspicious.

AI also has the potential to detect patterns and flag issues that human experts can’t identify themselves. Given data sets and known problems, machine-learning AI may move the IT industry into truly predictive safeguards. If used widely, this could mean no more frantic break-fix calls after hours because AI team members have long since identified the developing issue, and human counterparts have already fixed it.

AI as part of a managed services offering doesn’t have to feel inhuman. As a tool utilized by humans in order to provide an enhanced, fuller package of IT services, AI improves experiences.

 

Do you have questions about AI and what it could do to improve your business’s IT systems and cyber security? Call Anderson Technologies today at 314.394.3001 or send us an email at info@andersontech.com.

Contact Us