Internet of Things (IoT) devices provide a service to the user, but also provide a glut of information for developers. Developers state that the information collected is a tool for honing services and enhancing user experience, but this information is also worth a lot of money to them for ad targeting and consumer behavior patterns.
Here’s what might make it worth the download.
Since Internet Explorer hit peak saturation in 2003 with 95% of market share, Microsoft has been in a bit of a browser rut. Mozilla Firefox usage hit its peak in 2009, and the other major competitor, Google Chrome, is the current favorite with 69% of market share as of December 2019. But Microsoft’s new Edge browser could stand to upset that balance.
Built on open-source Chromium (originally developed by Google for their Chrome browser, and also a base for Opera), the new Edge, released January 15, 2020, offers almost all of the benefits of Chrome, as well as a few additional features.
Initial user feedback is in, and the new Edge could be a game changer in the browser wars.
What Makes Edge Chromium Stand Out?
Speedy and Resource Efficient: Though Edge is built on the same open source code as Google Chrome, its speed is significantly faster, even with multiple active tabs. It uses less RAM than the notoriously resource-hungry Chrome. For users maximizing efficiency and speed, the new Edge could make a difference in workflow. Browsing the web shouldn’t slow down other functions, and Edge makes that absolutely clear. Even the initial setup (with a profile imported from Microsoft or another browser) is almost instantaneous.
Built-In Security: Microsoft has developed a new feature called SmartScreen to aid in protecting users from reported phishing and malware websites. The new Edge comes with SmartScreen enabled, which displays a warning when users try to navigate to dangerous sites or download suspicious files.
Privacy as a Rule: Have you ever visited a website and then been bombarded with ads for their services on every other site you visit in that session? Trackers make these remarketed ads possible, and the new Microsoft Edge is designed to block them. Trackers capture information about users and how they interact with sites. They then relay that information to the site, connect it to social media accounts, and loop in ad servers. Users can select their level of protection, but all levels also block harmful trackers, like those involved in cryptojacking. While Firefox already offers this service, Chrome does not.
With such a focus on privacy, it’s no surprise that Edge meets the new industry standard with their InPrivate windows offering the same functionality as Incognito in Chrome or Private Window in Firefox. Edge also comes with pop-ups, redirects, and ads all blocked as the default.
Compatibility: IT administrators can integrate Edge with Azure Active Directory and Office 365. Granular control over updates and group policy objects lets them customize the browser for business needs. This feature, if fully utilized, could enable users to search internal company servers through their Edge browser instead of Windows Explorer.
Extensions: In addition to the growing library of Edge-specific extensions in the Microsoft store, Edge also works smoothly with most, if not all, existing Google Chrome extensions. Users focused on privacy and security can add another layer of protection to those already built into Edge.
Applications: When run on Windows 10, the new Edge provides the option for users to run websites as apps. Once set up, these apps are accessible through the taskbar or as desktop icons, and they cut down on running multiple tabs within the browser. This feature is especially useful with sites that a user might want to keep running all day, like Twitter or a time tracking application.
For users tied heavily to Windows OS and other Microsoft services, Edge adds functionality without adding load time and RAM. Microsoft does warn that Chrome users who integrate with Gmail may experience some incompatibility in the new Edge landscape; however, users overwhelmingly report that this hasn’t been an issue. Ultimately, the use of one browser over another often comes down to preference, but there are no major flags that should prevent users from including Microsoft Edge among their options.
Need help choosing a browser to roll out for your employees or finding which privacy features will best enhance your work? Contact the technology experts at Anderson Technologies at 314-394-3001 or email@example.com with all of your questions!
Over the past weeks, we’ve worked with many of you to add or increase your work-from-home capabilities as a result of the COVID-19 pandemic. This move not only helps keep our coworkers safe but also our families and the greater community. As our team burns the midnight oil to do our part, our thoughts and prayers go out to everyone affected by this international crisis.
To better assist your work-from-home goals, please be mindful of the dangers of and best practices for remote work.
While social distancing is critical, we must also recognize the risks a remote workforce poses and be vigilant to keep our systems secure. Remote work immediately increases the vulnerability of your company’s cyber security. Suddenly, we’re no longer at one office location with multi-layered security measures in place. Our attack surface spreads into homes that aren’t equipped with enterprise-grade firewalls and onto personal computers that may already be compromised (studies estimate that 1/3 to 1/2 of home machines are).
Taking advantage of the interest and coverage of COVID-19, cyber criminals are using new tactics in their phishing and malware attacks. Fake coronavirus websites, often with legitimate information from trusted sources, are being created to spread malware. New phishing emails and clickbait links using similar messages are also spreading. Do not trust COVID-19-themed emails, even if they appear to come from governmental sources. If you receive one and think the information may be worth clicking, go instead to the organization’s website. Any official, legitimate updates will be included there.
Avoid falling victim to one of these scams. Follow basic phishing prevention as we’ve explained in our learn page and phishing quiz, and always go to official government sites for coronavirus information.
As with all phishing attempts, never open attachments or links in unsolicited emails. If you know the person who sent it, confirm with them that the email is legitimate first, preferably by means other than email, as responses can be faked. When searching for coronavirus information, hover over the link before you click and make sure the URL matches the source it appears to come from in the search results.
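The hover check described above can also be automated at a mail gateway or in a training tool. The following is an added example, not code from the original post: it compares each link's real destination host with an allowlist of official domains and with the address shown in the link text. The allowlist contents, the sample e-mail and all host names in it are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the organisation maintains its own list of official sources.
OFFICIAL_DOMAINS = {"cdc.gov", "who.int"}

# Constructed sample e-mail body; every link below is invented for the example.
SAMPLE_EMAIL = """
<p>Latest guidance:</p>
<a href="https://www.cdc.gov/coronavirus/">www.cdc.gov/coronavirus</a>
<a href="https://www.cdc.gov.example.net/update">www.cdc.gov/coronavirus</a>
<a href="https://cdc.gov@updates.example.net/map">Live outbreak map</a>
<a href="http://xn--cdc-example.example.org/">CDC safety measures</a>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_official(host):
    """True only for an official domain itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def claimed_domain(text):
    """If the visible link text looks like a URL or domain, return its host."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1).rstrip(".") if m else None


def check_link(href, text):
    """Return the reasons a link should not be trusted (empty list = OK)."""
    parts = urlsplit(href)
    # hostname is what the browser connects to; it ignores anything before '@'.
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (internationalised) host name")
    if not is_official(host):
        reasons.append("host %r is not an official domain" % host)
    claimed = claimed_domain(text)
    if claimed and not (host == claimed or host.endswith("." + claimed)
                        or claimed.endswith("." + host)):
        reasons.append("visible text shows %r but link goes to %r"
                       % (claimed, host))
    return reasons


def audit_email(html):
    """Return (href, visible text, reasons) for every link in the message."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(h, t, check_link(h, t)) for h, t in collector.links]


if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL):
        print("OK  " if not reasons else "FLAG", href, reasons)
```

The second sample link is the case hovering is meant to catch: the text shows an official address, but the official name is only a prefix of a different host.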
Working from home presents unique challenges to the privacy of your work, but your company’s confidentiality policies and contracts remain in effect no matter where you are. This is especially important if you are subject to HIPAA or other governmental regulations. Keep up to date with all regulatory changes made to accommodate the novel coronavirus situation.
There are measures all remote workers should follow to protect the confidentiality and security of their work space while in a home environment.
- Always lock your screens when you step away from the computer to keep curious children (or pets) from wreaking unintentional havoc.
- Work in your own room or create a space away from other members of your household. The space should be isolated enough to avoid onlookers and to conduct work conversations without being easily overheard.
- When using a company-owned device, keep it locked or turned off whenever you are not with it, and never allow others in your home to use it for any reason.
- If using a personal device for work, create a separate, password-protected user profile to access company data from. Do not allow others to use this profile.
- Keep any work papers or confidential information in a safe, preferably locked, place.
Home Network Performance
Home networks, including your internet service, are typically not as reliable as your office IT systems. With the additional load of millions of users across the nation trying to do the same things you are, you will likely face performance issues when working from home. Since home internet often isn’t as fast as your work connection, video conferencing may flake out and remote connections to your office network or devices may lag. The more people taxing your internet with activities such as online learning, streaming, gaming, or video chatting, the more likely you are to have performance issues.
Due to the increased need for high-speed internet to accommodate the sudden influx of both home-based work and schooling, some internet service providers (ISPs) are offering additional speeds for those with no or limited internet access at no extra cost. Others are removing data caps and related fees for those on fixed data plans. If you think you might qualify, contact your ISP for more information.
Home Network Security
Performance isn’t the only potential issue with a home network. Security is a big concern when connecting to the office network from home. Besides the obvious security measures such as having patched, up-to-date computers with strong anti-virus/anti-malware protections, here are a few more tips to securing your home network.
- Update router firmware if needed.
- Make sure Wi-Fi has WPA2 or higher encryption with a strong password (not the default).
- Update firmware in all IoT (Internet of Things) devices, such as smart thermostats and cameras. IoT devices are often more vulnerable to attack and have been used to infect home networks.
- Never use default passwords on any internet-connected device.
- Remove or deactivate all browser extensions not necessary for work. They might seem helpful, but many have tracking embedded in them and some are vehicles for malicious code.
- Use multi-factor authentication (MFA) whenever available.
Training & Communication
While knowing how to spot phishing and social engineering attacks is essential to network safety, that’s not the only kind of training those who work from home should receive.
Review relevant security and office policies and ensure that you know who to contact if an issue arises. What problems can be resolved by office staff or a coworker, and what problems need to go to IT experts? Work efficiency will suffer if you continually contact the wrong people to resolve your problem. Consider partnering with another team member to check in about potential suspicious activity or emails before reaching out to an IT professional. You may not be alone in experiencing an issue or threat.
We’re already taxing our systems and IT personnel; don’t give criminals the edge. Be even more vigilant at home. It’s easy to become relaxed in your own space, but those with malicious intent are also working overtime to capitalize on our situation.
With the coronavirus in the news, more businesses than ever are considering whether telework is a viable option for their company and employees. But with new cyber threats and data breaches constantly reported, business owners have to ask themselves,
How do I maintain my cyber security when my employees work remotely?
Whether you have one employee working on a mobile device while on a business trip or your entire staff telecommuting from home, your cyber security shouldn’t be sacrificed for convenience. By understanding your options and working with a quality IT services provider, you can safely navigate the cyber world and keep your business protected.
Cyber Security and Telework
Maintaining your cyber security while allowing your employees to work remotely can be a challenge, but it can be accomplished with minimal risk if you plan ahead and choose the right options for your business. If you don’t expect someone to infiltrate your network, you won’t be protected when someone tries. Always prepare for the worst-case scenario.
“Assume that communications on external networks, which are outside the organization’s control, are susceptible to eavesdropping, interception, and modification.”—Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST 800-46r2)
How Do You Prepare for Telework?
Start by choosing the best telework option for your business’s needs and budget. There are four basic ways to secure your network while allowing remote access to employees.
- VPN Gateway: Virtual Private Network (VPN) gateways create secure access from the employee device to the VPN gateway and onward to your internal network. In this way, your enterprise-level cyber security measures are extended to the VPN, which acts as a secure tunnel for employees to work through. Some VPN gateways can even extend your business’s firewall rules to the employee computer no matter where they are working through the use of a portable device—a great advantage when travelling on business.
  VPN gateways offer several great telework features, but while communication is protected through a VPN gateway, the employee’s computer could still be at risk of transmitting infected data if the computer itself is compromised. VPN gateways should only be used in conjunction with properly configured, company-owned hardware to maintain high security standards and minimize the risk to the internal network.
- Portals: In this method, telework employees access company data and applications through a browser-based webpage or virtual desktop. All applications and data are stored on the portal’s server and cannot be downloaded or saved on an employee’s device without permission. This is a good way to keep control over who is accessing your data and how it is used.
  The danger with portals depends on what permissions the employee has while accessing the portal. If the portal allows an employee to access other areas of the internet while connected, it could provide an unintended avenue for criminals to access your network. It’s safer to restrict employees’ access to other programs while the portal is in use. The more access an employee has, the less secure the connection becomes.
- Remote Computer Access Service: Remote computer access services allow an employee to remotely control a computer physically located at your business via an intermediate server or third-party software. When the two computers are connected, applications and data remain on your office computer, and your network’s cyber security measures are enforced. Your remote device acts as a display for the work performed on your office machine.
  Due to the direct access, remote desktop connection is considered high risk in cyber security terms. Proper configuration is critical. When set up correctly, communication between the two computers is encrypted for the data’s protection, but that encryption also hides it from the organization’s firewalls and threat detection. No matter how good your cyber security measures are, if the employee’s home computer doesn’t have the same protections as the office workstations, malicious data can slip into your network unnoticed during a remote desktop connection.
- Direct Application Access: Direct application access is probably the lowest risk to your cyber security measures out of all the remote access methods because it is best used only with low-risk applications. In this method, employees can remote into a single application, usually located on the perimeter of your network, such as webmail. The employee doesn’t have access to the entire network, allowing them to work on select applications without exposing your internal network to danger.
  Though there is much less danger posed by direct application access, it generally doesn’t allow for extensive work to be done. There is very little connection to data on your network, and little ability to take data to another application if needed. It is best used when traveling or on a mobile device where complete access to the network is not necessary.
The type of telework you offer may also depend on governmental regulations requiring a certain level of security. Those working in the healthcare sector should consult with their HIPAA Security Officer to make sure any telework is performed according to HIPAA guidelines.
Using company-owned and maintained hardware is the best option when working from home or on the go. Properly maintained company laptops reduce the risk of unpatched or out-of-date software connecting to your network and often have more robust anti-virus/anti-malware protections than personal computers.
For many small and medium businesses (SMBs), though, providing all employees with company devices is not financially feasible or practical, especially if the need for remote work is temporary. The best choice for SMBs is either establishing a site-to-site VPN connection or using a secure remote desktop service to connect to their office computer. SMBs should be aware of and willing to accept the added cyber security risks of using personal devices before implementing this type of work-from-home policy.
Are you looking for a partner in implementing work from home for your small business or organization? Contact Anderson Technologies today for a free cyber security audit or to start the consultation process!
Telework isn’t the only way employees access your network. Mobile devices have become ubiquitous for work on-the-go, but if you fail to protect these devices, your business and clients may suffer. There are basic security recommendations for securing any mobile device, including thorough employee training in cyber security, strong encryption, keeping software up-to-date, and supplementing your security with third-party anti-malware/anti-virus software. While these fundamental methods keep the average device secure, if you’re dealing with sensitive or confidential data on your network you may need additional safeguards.
“Given the similarity between the functions of mobile devices, particularly as they become more advanced, and PCs, organizations should strongly consider treating them similar to, or the same as, PCs.”—Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST 800-46r2)
NIST’s Guide to Enterprise Telework offers detailed suggestions for protecting any business when it comes to mobile and telework access, including:
- Turning off networking capabilities (such as Bluetooth) when not necessary for work.
- Turning on personal firewalls, if available.
- Requiring multi-factor authentication before accessing your business’s network.
- Restricting other applications allowed on the device.
Since loss or theft of hardware is far more likely with mobile devices, it is beneficial to use a mobile device management (MDM) solution to maintain control of a mobile device in case of theft or accidental loss. With an MDM, you can locate, lock, or remotely destroy any data on the mobile device. This way your sensitive information won’t fall into the wrong hands, even if the device itself can’t be recovered.
Best Practices for Maintaining Cyber Security
Regardless of the type of remote access you decide on, there are a number of opportunities to shore up your cyber security defenses:
- Establish a separate, external network dedicated solely to remote access. If something does infect the server, it won’t spread to other parts of your network.
- Establish a site-to-site VPN connection or use a secure remote service.
- Use encryption, multi-factor authentication, and session locking to protect your data.
- Keep your hardware and software patched and updated, including your employees’ remote computers.
- Enforce strong password policies and have employees use a password manager.
- Set up session time out on all teleworking connections and automatic screen locks on all computers.
- Manually configure employee computer firewalls and anti-malware/anti-virus software.
- Add additional security authentication layers to company data on mobile devices.
- Set up restrictions to keep unknown or unnecessary browser extensions from being installed. Many have tracking codes the user doesn’t know about, while others are used to spread malware. Stick with trusted and needed browser extensions only.
- If possible, physically secure computers with locking cables in any untrustworthy place, such as hotels or conference areas.
- Consider providing company-owned devices for employees to use that can be maintained and secured by in-house IT staff or your MSP.
- Consider end-point detection and response or remote access logging to monitor what is happening on your IT systems.
“Regardless of how many security protections are used, it is simply impossible to provide 100 percent protection against attacks because of the complexity of computing. A more realistic goal is to use security protections to give attackers as few opportunities as feasible to gain access to a device or to damage the device’s software or information.”—User’s Guide to Telework and Bring Your Own Device (BYOD) Security (NIST 800-114r1)
Privileges, Privileges, Privileges!
No telework operation should ignore the danger of not setting the correct privileges for employees working from home. This step is essential to maintaining a secure, partitioned IT environment.
Implementing accurate and reasonable privileges provides two major benefits to your company.
- It keeps employees from accessing data or programs that they shouldn’t have access to.
- It keeps cyber criminals from infiltrating your entire network through a single compromised machine or account.
There is no reason a sales rep needs the same access to your company data as the CEO, so why would you give them unrestricted access? Job-specific privileges keep company data safe from insider infiltration while providing each employee with the tools and data necessary to complete their work. The Zero Trust IT model utilizes segmented permissions as the core tenet of its security architecture.
When creating user privileges, keep in mind:
- Never allow users admin access. The only people who should have admin access to your systems are the IT personnel who maintain them, and even then, they should use an admin account only when performing work requiring it. All users should have a standard, limited user account that cannot alter system settings or privileges.
  This is especially important when employees work from home on their personal computers. Without the security of an enterprise hardware firewall and business-grade cyber security protections, employees’ personal computers are at a higher risk of being compromised. If their computer is infected and they have admin level access, cyber criminals can use that unrestricted access to infiltrate your entire system, change permissions, and steal or encrypt data for ransom.
- Need-to-know access only. It takes a bit of technical know-how to set up appropriate user access privileges, but it’s worth the effort. Besides keeping data secure within the company, segmentation of privileges also means that if a computer is infected with malware or an employee account is compromised, the access cyber criminals have to your company and its data remains limited.
- Use multi-factor authentication. It’s not enough to limit permissions; you need to verify the person signing in is who they say they are. A quick visit to Have I Been Pwned will show how many accounts are already compromised. Multi-factor authentication prevents a compromised account from being used by cyber criminals to access your systems. While security tokens and third-party authenticator apps like YubiKey or Google Authenticator are preferred, any type of multi-factor authentication (email, SMS) is better than no authentication.
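The three rules above can be checked mechanically against an export of user accounts. This is an added example, not part of the original article: it audits a constructed account list for each rule and compares how many shares a single stolen login reaches before and after the rules are applied. The role names, share names, user names and the `daily_account` field are all hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical need-to-know matrix (constructed): shares each job role requires.
ROLE_NEEDS = {
    "sales": {"crm"},
    "finance": {"ledger", "payroll"},
    "ceo": {"crm", "ledger"},
    "it": {"backups"},
}
ALL_SHARES = set().union(*ROLE_NEEDS.values())


@dataclass
class Account:
    user: str
    role: str
    is_admin: bool = False
    mfa: bool = False
    shares: set = field(default_factory=set)
    daily_account: str = ""  # standard account an IT admin uses for routine work


def audit(accounts):
    """Check every account against the three rules in the list above."""
    names = {a.user for a in accounts}
    findings = []
    for a in accounts:
        # Rule 1: admin rights only for IT, and only on a dedicated account.
        if a.is_admin and a.role != "it":
            findings.append((a.user, "admin rights on a non-IT account"))
        if a.is_admin and a.role == "it" and a.daily_account not in names:
            findings.append((a.user, "no separate standard account for daily work"))
        # Rule 2: need-to-know access only.
        extra = a.shares - ROLE_NEEDS.get(a.role, set())
        if extra:
            findings.append((a.user, "beyond need-to-know: " + ", ".join(sorted(extra))))
        # Rule 3: multi-factor authentication on every account.
        if not a.mfa:
            findings.append((a.user, "no multi-factor authentication"))
    return findings


def blast_radius(account):
    """Shares an intruder reaches with this one account's credentials.

    An admin can change permissions, so every share is within reach.
    """
    return set(ALL_SHARES) if account.is_admin else set(account.shares)


# Constructed sample export; user names and shares are invented.
BEFORE = [
    Account("rep1", "sales", is_admin=True, mfa=False, shares={"crm", "payroll"}),
    Account("cfo", "finance", mfa=True, shares={"ledger", "payroll"}),
    Account("it-admin", "it", is_admin=True, mfa=True, shares={"backups"}),
]
AFTER = [
    Account("rep1", "sales", mfa=True, shares={"crm"}),
    Account("cfo", "finance", mfa=True, shares={"ledger", "payroll"}),
    Account("it-admin", "it", is_admin=True, mfa=True, shares={"backups"},
            daily_account="it-user"),
    Account("it-user", "it", mfa=True, shares={"backups"}),
]

if __name__ == "__main__":
    for user, problem in audit(BEFORE):
        print(user, "->", problem)
    print("rep1 compromised, before:", sorted(blast_radius(BEFORE[0])))
    print("rep1 compromised, after: ", sorted(blast_radius(AFTER[0])))
```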
Employees need to know more than just how to use the telework programs. Train your employees on cyber security before they go home to work. This is especially crucial if they use their personal computers to telecommute.
Employees should know how to spot and respond to unusual computer activity, which can be an indicator that malware is present. They should also be prepared for phishing and social engineering attempts to gain user account access. Train them on who to contact for IT support and how to verify the person asking for access to their computer is the correct person.
Your employees’ home computers will be the weakest link in your cyber security, so verify they know how to keep their computer safe and how to securely access your systems. Doing so protects them and your business from malicious actors.
Telework comes with risks, but with strong security policies and the right cyber security in place, it is worth the investment. A good managed IT services partner can walk you through the process and make sure your business is safe and productive anywhere. For help setting up a telework network, contact the experts at Anderson Technologies by email at firstname.lastname@example.org or by phone at 314.394.3001.
Looking for more guidance on how to keep your work from home systems secure? We’ve got some essential tips on a new blog post, “Working from Home Due to COVID-19: Keep Your Company Data Protected.”
When you imagine cyber criminals planning ways to infect hundreds of thousands of computers, you probably don’t picture sophisticated marketing operations and software licensing, but you’d be surprised. The black market on the Dark Web is much like any other online store where you purchase goods, only its products are more nefarious. Cyber criminals copy the techniques used by corporations to increase profits by authoring and distributing ransomware-as-a-service (RaaS). RaaS enables less tech-savvy cyber criminals to quickly set up shop, and often includes “customer support,” easy-to-use dashboards, and guides on how to most effectively distribute ransomware onto victims’ machines.
The RaaS Business Model
This is not a recent development. RaaS has been used since 2016, and has proved to be a lasting business model for cyber criminal organizations. These organizations utilize modern marketing and corporate strategies to get their “customers” to choose their ransomware services over other offerings on the Dark Web.
How Does RaaS Work?
In a traditional software business model, a user pays a one-time fee to buy a license for a specific version of the software outright. There are no other costs throughout the life of the software, but if the user wants to upgrade to a newer version, the software must be purchased again. But being required to buy each new version that’s released can be financially impossible for some consumers. That’s where software-as-a-service (SaaS) comes in.
With SaaS, the user can “rent” the software for a monthly fee, giving the user the most current version of the software at a greatly reduced upfront cost. But unlike traditional software purchasing, if the user ends their subscription, they lose access to the software.
On the Dark Web, RaaS utilizes both these business models. Instead of a bad actor authoring and distributing their own ransomware onto victims’ computers, cyber criminals pay for someone else’s ransomware strain. This allows even those who don’t have the skills necessary to create their own ransomware strain to enter the ransomware market.
This arrangement is beneficial to the author of the ransomware, as well. In addition to the subscription price, the author often gets a cut of each ransom paid. The more subscribers who buy and distribute their ransomware, the more money the author makes without needing to infect a single computer themselves.
This is where RaaS mimics legitimate businesses. Some ransomware authors sell licenses using the traditional software business model. When a cyber criminal buys the ransomware license, they are free to use it as much as they want. Other ransomware authors have adopted the modern subscription model of SaaS. As a subscription, buyers have to continue to pay monthly or by number of infected computers. In return, the ransomware they “rent” receives updates and continued support from the author. To entice cyber criminals to choose their strain, some authors will offer discounts or adjust their cut of the ransom. Some even provide tutorials and customer support to buyers to help with distribution.
Ransomware Finds New Ways to Make Victims Pay Up
The authors of ransomware strains aren’t the only ones offering customer support. For several years now, criminal organizations spreading ransomware have provided customer support representatives to facilitate payments, such as helping victims buy bitcoin or walking them through the payment process. Sometimes these customer support reps even lower the ransom for victims unable to pay the requested amount.
While offering customer service may seem absurd for a criminal enterprise, the newest extortion method fits right in. The threat of ransomware includes not only the loss of data but also the weaponization of that data by bad actors. Until now, the risks associated with not paying the ransom have been limited to criminals farming the encrypted data for credentials or losing the data altogether. Now a new type of extortion is threatening to come to the forefront.
To thwart the growing number of businesses taking cyber security seriously and ensuring they have reliable backups in case of a ransomware attack, cyber criminals now threaten to release the unencrypted data they steal if the businesses choose not to pay the ransom. Those behind the Maze ransomware strain have a public website listing the names of businesses they’ve infected, as well as details about the attack and documents stolen from infected systems. Allied Universal, whose data was breached and released, was Maze’s first victim to be publicly exposed in this way.
What Can You Do?
When it’s not only loss of data but release of data that is the danger, the usual mantra of “back up your data” doesn’t cut it anymore. With this evolving threat landscape, prevention is the key to security.
In addition to basic security measures that all businesses should implement, intrusion detection is essential to modern cyber security. Bad actors are often in compromised systems for days or weeks before the actual ransomware attack happens. They can search files, disable security measures, corrupt backup systems, and more to make the business as vulnerable as possible. Identifying the problem when the intrusion first happens could save not only your money but your data and reputation as well.
Other precautions include encrypting all sensitive data so hackers can’t access it, having strong user access controls and passwords, and restricting administrator access to necessary IT personnel. This limits the amount of data criminals can access if they were to penetrate your systems.
Most of all, train your employees how to identify phishing methods and signs their computer may be compromised. Employees are the front line of defense against infection. Make sure everyone is trained at least annually to stay up to date with new ransomware strategies so that they and you don’t become unwilling customers of the ransomware business model.
If you need help shoring up your defenses against ransomware or need employee training, contact Anderson Technologies today!
No one likes to think they’ll suffer a disaster, a ransomware attack, or a data breach, but hope isn’t enough to satisfy HIPAA. The question is no longer if something will happen, but when. HIPAA expects you to plan, prepare, test, and be ready for anything that could disrupt the confidentiality, integrity, or availability of your ePHI and affect patient care.
In this installment of our HIPAA series, we’re going to look at the different kinds of disaster planning HIPAA requires and the importance of knowing how to implement them.
Security standard §164.308(a)(7): Contingency Plan is an umbrella term for a number of more specific plans that are meant to ensure the availability, integrity, and confidentiality of ePHI in the event of a disaster or other major security incident. While the Security Rule doesn’t explicitly require you to include other parts of your business, non-electronic PHI is still covered by the Privacy Rule, and most cyber security insurance plans require some degree of business contingency planning.
First Things First
Before you can start making plans to keep your business going during and after a disaster or cyber security incident, you first need to know what parts of your business, hardware, software, and data are critical to operations and security. HIPAA requires this in implementation specification §164.308(a)(7)(ii)(E): Applications and Data Criticality Analysis. But don’t let its position after the contingency plans fool you. This needs to be done first and foremost.
Even though §164.308(a)(7) only references assessing “specific applications and data,” if you are implementing business-wide contingency plans, you’ll want to go through all your daily operations and vital processes to determine what you can’t do a day’s worth of business without and what you could leave for when your world is no longer upside down. Without this information, you won’t be able to create the plans necessary to fulfill the following implementation specifications.
The Big Four
One thing to remember about the plans listed below is that they don’t have to be completely isolated from each other. You might find combining pieces together (such as lists of vendors, hardware, software, etc.) is more practical than listing them in each plan separately. What’s important is that employees are trained, know what they are responsible for, and where to access this information in an emergency situation. There’s no use making a plan if no one uses it.
“Following standardized responses should minimize errors, particularly those that might be caused by stressful incident handling situations.” – NIST SP 800-61r2 Computer Security Incident Handling
- 164.308(a)(7)(ii)(A): Data Backup Plan
What does it do? Your data backup plan is one of your most vital recovery plans. It provides you with assurances of data integrity and availability in emergency situations. For healthcare facilities directly caring for patients, data loss or network failure could mean the inability to treat patients. All ePHI must be backed up, preferably in a place that won’t suffer the same disaster as your facility, such as in cloud storage or in a separate secure location.
Your data backup plan should include who is responsible for maintaining the backups, verifying all data is being backed up, testing that backups can be retrieved, and who to contact when backups are needed.
When does it go into effect? You should make this a priority. Your data backup plan needs to be up and running before an emergency strikes.
A data backup plan is also one of the best defenses against ransomware. Read more about that here!
- 164.308(a)(7)(ii)(B): Disaster Recovery Plan
What does it do? The complexity of a disaster recovery plan depends on how much of your business you choose to include. §164.308(a)(7)(ii)(B) specifies you must “establish (and implement as needed) procedures to restore any loss of data.” More comprehensive business-wide plans would include other data vital to the company that isn’t specifically ePHI.
A disaster recovery plan should include the hardware, software, backups, environment, vendors, business associates, etc., necessary to recover data lost in a disaster or cyber security incident. It also covers the people responsible for coordinating and performing all disaster recovery efforts. Employees assigned in this plan should be trained and ready to fulfill their duties in the event of a disaster.
When does it go into effect? A disaster recovery plan helps you recover lost data and infrastructure after a disaster or cyber security incident has occurred.
- 164.308(a)(7)(ii)(C): Emergency Mode Operation Plan
What does it do? This plan could also be called a continuity of operations plan. Its intent is to keep your business or facility operating at a level necessary to ensure patient safety and ePHI security the moment a disaster hits. Downtime can cost a lot of money, and it can also be detrimental to facilities actively caring for patients.
By having the procedures in place for any number of emergency situations, employees can react immediately, know who to contact, how to bring critical business processes back online, and maintain the necessary security and privacy standards required by HIPAA. A good emergency mode operations plan should have contact names, numbers, first response expectations, and anything else an employee would need to recover critical operations in the first 12-36 hours.
More than the other plans, having done a thorough and accurate criticality analysis is vital to a successful emergency mode operation plan. You need to be aware of what you need to restore and in what order it needs to be restored to effectively continue with daily operations as best you can. Failure to do a proper criticality analysis can waste time and resources by focusing recovery efforts on functions that aren’t immediately necessary.
When does it go into effect? An emergency mode operations plan should be implemented during a disaster to keep the business going, and, in the case of healthcare facilities, to keep patients safe and cared for appropriately.
- Business Continuity
What does it do? You’ll notice that there is no implementation specification that goes along with this plan. The Security Rule doesn’t specifically require a business continuity plan, but it can be a useful addition to a set of contingency plans.
While the other plans all focus on what happens during or immediately after an emergency situation to keep your business running, a business continuity plan focuses on getting you back to where you were before the disaster. What are the lower priority vendors or clients that you might have missed contacting already? Do you know all the hardware and software that needs to be replaced or recovered? Think of it as the long-haul plan that doesn’t let you forget about the little things. Disasters are stressful, and a good business continuity plan can keep you on track through the mental fatigue that can set in after a disaster.
When does it go into effect? Business continuity plans help you bring your entire business back to normal day-to-day operations after a disaster occurs and the crisis period is over.
There are many different kinds of cyber security incidents that could affect your business. While all incidents are major problems when they occur, you may not require the full emergency responses planned out above. In these cases, individual plans geared directly to cyber problems can be useful tools.
Depending on your risk, you may want more than the two plans below, but if you’re covered by HIPAA, these are important ones to include with your disaster management plans. The better prepared you are for an incident, the safer you can make your data and the faster you can recover from an attack.
“Companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days. Similarly, companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve.” — 2018 Cost of a Data Breach Study, Ponemon Institute (emphasis added)
- Data Breach Response Plan
While a breach is any impermissible use or disclosure of PHI, a data breach response plan focuses on ePHI specifically. It lays out how to secure your systems after a breach, who to contact if you need more support, what to do once the threat is identified and fixed, and who must be notified of a breach of ePHI or other personally identifiable information (PII). (Remember, properly encrypted data isn’t a breach.) The FTC has a good outline for what to incorporate into your data response plan, and the HHS thoroughly explains all the requirements of a breach under HIPAA.
- Ransomware Attack Response Plan
The criticality of care facilities combined with the black market price of ePHI makes the healthcare industry a prime target for ransomware and other cyber attacks. And like most cyber attacks, ransomware deals two-fold damage, from the recovery itself to the subsequent breach notifications that must follow. (Remember, unless you can prove that ePHI has not been accessed due to safeguards in place, it’s a breach. For more on Ransomware and HIPAA, see the HHS’s Fact Sheet.)
A ransomware attack response plan sets up the procedures your employees should take in the event of a ransomware attack, such as steps to quarantine an infected machine, who to contact, and what not to do. It should also have procedures for technicians and management in how to secure the network, purge the system, recover lost data (per the data backup plan), and notify required parties. Also include the contact information of the law enforcement department to report the attack to, whether that is local, state, or federal. (For more information see the Department of Justice’s guide, “How to Protect Your Networks from Ransomware.”)
Test! Test! Test!
Most important of all, you need to test your contingency plans routinely and make sure all your employees are trained and know where to find the plan in emergency conditions. A plan no one knows about or can find is a plan that won’t be implemented. Besides, HIPAA requires it.
So make contingency plans part of your annual and new hire training. Make sure all your employees can find the plans and know what they are responsible for. Make sure everyone knows who’s in charge during emergency situations so that plans can be implemented fast and efficiently. It can save you time, money, and headaches when the worst happens.
If you need help implementing a cyber security incident response plan or training your employees in the best practices, contact Anderson Technologies at 314.394.3001 or by email at email@example.com.
Here in St. Louis, you’re likely to hear people saying they’re heading to Bread Co. for lunch, even if Panera is the sign above the restaurant. That’s because to St. Louisans, Panera will always be Saint Louis Bread Company. But recently, residents were relieved the St. Louis name wasn’t attached to Panera’s recent cyber security blunder.
On April 2, Brian Krebs of security news website KrebsOnSecurity broke the story that customer data from Panera’s loyalty program—including names, email and physical addresses, birthdays, and the last four digits of credit card numbers—was available through an insecure API on their website. Worse yet, Panera had been notified about the defect eight months prior in August 2017 and did nothing to resolve the problem.
Cyber security researcher Dylan Houlihan found the flaw in Panera’s API and, after confirming the extent of the problem, contacted Panera’s cyber security team. He notes that reaching out to Panera was difficult as there was no information available for who to contact if security holes were found. Panera’s response was less than stellar. In Houlihan’s detailed account of their communication, Panera’s director of information security, Mike Gustavison, was suspicious of him, and after receiving proof of the problem, took several days to reply that they would work to resolve it.
Except they didn’t.
Every month, Houlihan checked to see if the flaw was fixed, only to see that customer data was still unprotected. Finally, in April 2018, he contacted Krebs to make the matter public and force Panera to respond. They did. Within two hours Panera claimed they patched the problem.
Except they hadn’t.
Krebs continued to monitor the website and found that, while the information was no longer accessible to the public, if a member logged into their free Panera account, they could still exploit the flaw. He also discovered that it extended to other parts of Panera’s business, such as the catering website.
After the negative media coverage, Panera took down its website and patched the problem properly. In a tweet following the incident, Krebs estimates that up to 37 million accounts could have been made public because of this flaw. While there is no evidence yet that malicious agents accessed the data, this was still a terrible security breach.
How Often Does This Really Happen?
It’s easy to lose the details in light of Panera’s poor response and subsequent inaction, but accidental data breaches from misconfigured hardware or software happen far more often than you might imagine.
- March 6, 2017: River City Media left more than a billion email accounts exposed to the public, some with personal information. Also exposed were detailed records of their own illegal spamming activities. The problem—no password protection on the backups.
- June 19, 2017: Deep Root Analytics left millions of Americans’ addresses, birthdays, phone numbers, and political views on a variety of topics open to the public. The problem—misconfigured user permission settings.
- October 3, 2017: A National Credit Federation cloud storage bucket was found to be open to public access, revealing personal, credit, and financial information of tens of thousands of its customers. The problem—misconfigured user permission settings.
- October 6, 2017: An Alteryx cloud storage bucket was found to be accessible to anyone with a free Amazon Web Services account. It exposed personal data, Experian marketing data, and US Census data for more than 123 million American households. The problem—misconfigured user permission settings.
- April 9, 2018: A flaw similar to Panera’s was discovered in P. F. Chang’s rewards website. The problem—an insecure API.
- April 23, 2018: After rebuilding their website following a ransomware attack, MEDantex’s new customer portal contained abilities intended only for employees, including accessing confidential patient records without authentication. The problem—a bug on the website.
- May 17, 2018: LocationSmart’s demo feature is found to be able to track the location of almost any cell phone without the user’s consent. The problem—an insecure API.
What Does This Mean for a Small Business Owner?
These examples of private, financial, and personal information leaked unintentionally serve as a warning to all business owners. While there’s a sense of poetic justice that River City Media revealed their own criminal activities by forgetting to add a password, the truth is, not all data you could reveal belongs to other people. You can be a cyber threat to your own business.
Few businesses can run day to day without some amount of personal, customer, or vendor data stored either on their network or in cloud storage. The technicalities of properly configuring security for these electronic databases can be daunting, but even when things appear to be simplified for you, all it takes is one open port, one missing password, or one unsecured application for the door to your data to be left wide open.
This is why it’s vital for businesses to have their systems set up by IT professionals and to perform network security audits routinely to ensure both the hardware and the software are configured correctly. It’s not enough to simply hire an IT consultant once and assume your system is secure. Files get moved, employees are hired, and new hardware is installed—all leaving room for new settings to supersede old ones, or worse, be forgotten altogether. A network security audit performed at least annually gives you peace of mind that your cyber doors are tightly closed and locked.
What Should You Do to Protect Your Business?
While it’s crucial to know how to avoid opening the door to criminals, knowing how to respond to a breach is just as important. Here are a few simple steps you can take to avoid or address an accidental data breach.
- Hire IT professionals to set up all hardware and software. Your customers trust you to be the expert in your field, so trust the IT professionals to be the experts in theirs. Make sure all your hardware and software have been properly configured from the start.
- Perform annual network security audits. Just because you configured everything correctly, doesn’t mean it will stay that way. Your business changes all the time, so it’s best to check the doors and windows before someone else notices they’re open.
- Know your hardware. Many business owners don’t realize what’s in their hardware closet. Can you point to your hardware firewall with confidence? Are you certain it’s the correct type for your business? Ask an IT professional to review your hardware with you so you understand what you need and how it works. Doing so will improve your ability to spot potential problems.
- Have a way people can contact you about problems they find. One lesson learned from the Panera breach is how important it is that people can contact you with problems they’ve noticed. Many security researchers who find flaws due to misconfiguration just want you to know about the issue so it can be resolved. Make sure they can get in touch. Larger companies should have separate contact information specifically for security issues to keep them from being lost with other routine technical issues customers might have.
- Respond quickly to any problems found. Don’t wait eight months or for public embarrassment to sound the alarm before responding to an accidental data breach. If you act swiftly, your data may still be kept safe. In many accidental breaches, the problem was found not by criminals but by cyber researchers.
No company wants to find themselves in a situation like Panera’s, so make sure your network security is done right. If you’d like to learn more about configuring your systems or to schedule a network security audit, contact Anderson Technologies by phone at 314.394.3001 or by email at firstname.lastname@example.org.
It has been over six months since the massive hack of credit monitoring company Equifax, and over three since the attack was disclosed. We now know that 145 million Americans (and 15.2 million Europeans) have been affected.
Due to the data stolen—names, social security numbers, addresses—the victims of the Equifax hack must be wary of their credit for the rest of their lives. Attackers can use leaked data to create profiles for spear phishing attacks or round out existing profiles, making identity theft even easier to perpetrate.
We covered the data breach in a previous blog post, “Equifax Hack 101: What You Need to Know to Keep Your Credit Safe,” but the news hasn’t stopped rolling in. In this post we address new developments, and additional actions you, as an individual or as a small business owner, can take to mitigate the hack.
Protecting Your Personal Data
Our initial post details credit monitoring and credit freezes. Some agencies recently introduced a “credit lock,” which they claim is easier and less expensive for the user while also more effective. The difference between a lock and a freeze is that a freeze is state-monitored, and a lock is controlled by the company only. “I take strong exception to the credit bureaus’ increasing use of the term ‘credit lock’ to steer people away from securing a freeze on their file,” says Brian Krebs of Krebs On Security. Don’t be fooled by credit lock offers.
You can also talk to lenders (mortgages, banks, etc.) about what steps they are taking to prevent someone from misusing leaked information. Challenge these organizations to take additional steps like providing internal credit monitoring alerts to keep customers safe.
Tax return filing fraud is one thing that credit freezes or monitoring cannot protect. File as early as possible to prevent your refund from going to a scammer. This is not a new problem. The IRS recently issued reminders and new alerts regarding tax fraud.
While most of the information obtained from the Equifax hack was actually already in the hands of tax fraudsters, remain vigilant because criminals are continuing to adjust their tactics. The IRS even reports instances of fraud targeting hurricane victims and tax professionals in addition to the average citizen.
The Troubling Behavior within Equifax
The hack itself isn’t the only problem with Equifax.
After a data breach, many companies are able to save face by being upfront with customers, providing adequate solutions, and cracking down on security. Unfortunately, Equifax missed these cues.
The site Equifax set up for customers to check if they were affected by the hack continues to cause problems. Because Equifax failed to secure similar domains, it was susceptible to phishing scams. Thankfully, the third-party sites (one actually directed to by Equifax itself) were benevolent—pointing out how easily scammers could use a similar domain to obtain your information. Then, in early October, Equifax temporarily took down a page about the hack because it, too, had been hacked. Criminals injected malicious code to trick users into downloading adware from fraudulent links.
As of November 3rd, Equifax’s internal investigation into allegations of suspicious trades made by top Equifax executives concluded that none of their employees were guilty of insider trading. These allegations are still under investigation by the House Financial Services Committee.
Moreover, Equifax was allegedly warned about the vulnerabilities to its systems one year ago in December by a security researcher. “These allegations, if accurate, reinforce indications that Equifax—which has a significant business selling data protection tools—was shockingly negligent and incompetent when it came to security,” says Jeff John Roberts of Fortune Magazine.
These problems have been a cause of concern for many consumers; however, it is important to note that Equifax is continuing to offer credit freezes at no charge through January 31, 2018, and, through TrustedID, offers free credit monitoring and up to $1 million in identity theft insurance.
Can We Expect Any Changes to the Industry?
Beyond being proactive with your personal protection, customers must look to Congress and other government agencies to implement changes. Speak to your representatives about your concerns for the future. Many are already investigating reasons why the Equifax hack was possible and ways to prevent hacks like it in the future.
Laws also need to change regarding reporting compliance. Lawmakers and industry leaders agree that consumers should have been alerted to the Equifax hack far earlier.
In our initial article, we noted that several class-action lawsuits were being filed against Equifax; however, after an October 24 vote by Congress to disallow class-action suits against banks and credit companies, the future of these cases is unclear.
After initially trusting Equifax with a “bridge” contract for work on the IRS’s Secure Access program, the Government Accountability Office rescinded the contract, at least temporarily. They may work with another credit monitoring agency on the project, but some members of Congress are questioning the rationale behind trusting any credit bureau with so much data.
It’s possible we may be looking at the end of the social security number—or at least moving away from the strict reliance we now place on SSNs for identity. The best identity theft protection may be to stop using easily hacked information.
Tips for Small Businesses
Small businesses should look at the response from Equifax and at the controversy surrounding it and wonder what they can do differently when dealing with private information.
The first step for small businesses should be a thought experiment. Think about potential risk as well as known and unknown vulnerabilities in your internal network. Do you trust your current cyber security company to protect your data from a data breach? What are the consequences of a data breach like the Equifax hack in your company? What would the cost to your company be?
For many small businesses, investing in stronger cyber security protection is a clear solution. Your IT department or an outside cyber security company can help analyze your systems. If personnel are constantly putting out fires, as seems to be the case with Equifax, they may not be able to keep everything else up to standard.
Invest in security that provides monitoring, analysis, and dedicated attention. At Anderson Technologies, a St. Louis IT company, we often start with a full network audit, helping clients identify areas of concern and providing the path to a more secure network.
Beyond your network, take time to train and retrain employees on the technology used and best practices for staying safe, both online and off. The best identity theft protection is education. Get a free ebook from Anderson Technologies to teach your employees the foundations of cyber security safety now!
You may be sacrificing speed, security, and stability if you’re running solely on a wireless network. Traditional wired internet has many advantages for small businesses.
When it comes to network security and speed, it’s important to start from the ground up. Is the network for your small business wired, wireless, or a combination of both? On what equipment does the network run? What’s the difference between wired and wireless networks? While wireless networks have advantages, Anderson Technologies recommends a wired connection whenever possible. Here’s why.
One of Anderson Technologies’ clients experienced dramatically slow speeds on its wireless network prior to signing up for managed IT services. While the business paid for a 300-megabit connection, its laptops only accessed 1 to 12-megabit speeds! Its internet service provider was more than happy to increase bandwidth on the wireless router, but this added expense didn’t improve the usability of the network.
The Anderson Technologies team analyzed the office’s wireless network and discovered it broadcasted on a frequency with considerable interference from competing devices in neighboring offices. They upgraded the router and firewall hardware, which enabled the network to broadcast on unused, clear bandwidth. As a result, the client’s speed is now far closer to the 300-megabit connection it pays for.
Wireless networks are constantly competing against natural phenomena like lightning, other wireless networks in the area, and radio interference, all of which affect speed and performance. One of the biggest disadvantages of wireless networks is that they lose speed when the number of competing devices increases. With the expanding utilization of the Internet of Things, this problem will only continue to grow.
The Internet of Things (IoT) offers convenient features for security systems, lighting, and even appliances. However, these gadgets depend heavily on your wireless network. Have you ever noticed a loss in network speed around internet-connected devices? This is a common problem. Small businesses are increasing their reliance on IoT for the accessibility they provide, but the investment may be hurting their wireless network speeds.
Ultimately, wired networks are significantly faster than wireless ones. While Anderson Technologies’ client was happy to approach the 300-megabit speed for its wireless network, hardline wires can run at gigabit speeds. No matter what the provider-rated speed of a wireless connection is, real-world speed is always slower due to overhead, competing devices, interference, and network traffic. The advantage of a wired network is that it guarantees a faster speed from the beginning, and unlike a wireless network, it won’t lose speed when exposed to interference.
Compared to a wireless connection, a wired line isn’t affected by nature, equipment, and competing devices. Once installed, a wired network rarely breaks. This stability is vital to small businesses.
Another Anderson Technologies client previously experienced poor performance on its wireless network. In the middle of important tasks, the network would drop and then slowly come back online, requiring multiple restarts a day—losing valuable time and energy.
When Anderson Technologies performed a preliminary audit of the environment, the team immediately discovered the problem: poor equipment. The client was running the entire network on barely home-grade wireless access points (WAPs). On top of that, the WAPs were not situated optimally to provide wireless for the entire office.
Enterprise-level equipment is important for every small business network but especially for wireless connections. This technology is already running at a disadvantage, and subpar hardware won’t provide the wireless network a business needs.
If your business runs mostly on portable systems like laptops and other mobile devices, a capable wired network is still possible. Investing in a dock for laptops is a great solution. Docks aren’t costly, and when a laptop is docked, it can access the advantages of a wired network.
Wired networks also outperform wireless when it comes to security. As seen in the recent KRACK threat, wireless security isn’t as robust as we once believed. With a wireless connection, web traffic travels via radio waves, and even encrypted traffic can be captured with proximity and the right malicious tools. It is more difficult for a criminal to access a hard-wired network.
Out of 600 small and medium-sized businesses surveyed for the 2016 State of SMB Cybersecurity Report, half had been breached in the past 12 months. While bigger targets make the news, this trend means the chances of your network coming under fire are high. Small businesses dealing in confidential internal and client data can’t afford to be hacked.
With threats to small businesses on the rise, many still don’t consider themselves vulnerable. Half of the small businesses surveyed at a recent conference said their wireless networks were not partitioned from visitor access. That means clients waiting in the foyer—or cyber criminals—were accessing the same network that housed confidential client data. Data sent on public wireless networks is simply not as safe as when a wired network is used.
Optimize Your Wireless Internet
If you do choose to go with a wireless network, here are some tips for getting the most from your connection:
- Identify busy wireless frequencies, and broadcast your network away from that traffic. This can help your network obtain the speed you pay for.
- Keep public and private access to your network partitioned. Visitors and users off the street don’t need to access private data vital to your business. Partitioning your network provides the customer service of a wireless network while keeping your business safe.
- Consider using a wired connection for stationary desktops and install docking stations for laptops. This allows fast, secure, and stable access to the wired network, while keeping a wireless connection available for mobile work.
- Update network equipment regularly.
- Use enterprise-level equipment.
- Contact an IT provider for tips catered to your business’ specific needs and goals.
Anderson Technologies is a St. Louis IT consulting firm. Let us help you weigh the options of wired vs wireless networks for your small business. To see if you qualify for a free network audit, email email@example.com or call 314.394.3001 today.
Internet surfing on mobile devices has seemed relatively safe since the 2001 Wi-Fi security protocol update and the advent of wireless data encryption. The WPA2 encryption standard mostly shielded us from being hacked on our private networks. However, new research from Belgian cyber security expert Mathy Vanhoef exposes a threat that proves our false sense of security is coming to an end thanks to the Key Reinstallation Attack (KRACK) vulnerability.
What Is the KRACK WPA2 Hack and How Does It Work?
WPA2 (or Wi-Fi Protected Access 2) is one of the current wireless security standards. Unlike its predecessors, it securely encrypts web traffic by way of a “four-way handshake” process that randomly generates an encryption key every time a device with matching credentials accesses a wireless network. This handshake protects your private home and business networks with four authentication exchanges, ensuring information you send back and forth over the network is safely encrypted.
The KRACK vulnerability interferes with the four-way handshake by way of the encryption key; KRACK records the key and reinstalls it to be used multiple times. This allows the attacker access to communications between your device and wireless access point, as well as any information that isn’t otherwise encrypted. Hackers could potentially view and steal your credit card information, passwords, shared files, and any other private information sent across the web.
One caveat of the KRACK vulnerability is that hackers need to be within the range of your Wi-Fi network. This means that your personal information is safe from hackers on the other side of the world, but anyone in close proximity could gain access to your network traffic if they have technical skills. And even though a hacker must be in range to exploit this vulnerability, it’s possible KRACK could be used for packet injection (explained here) or inserting malware or ransomware into websites.
How Can I Protect My Network Privacy?
Though KRACK is disrupting our WPA2 sanctuary, there are many ways to ensure you’re safe—or as safe as you can be—until the WPA2 protocol is updated to prevent these attacks.
- Update Your Router
Most people don’t think about updating their router the same way they update their phone or laptop software, but this is a vital step to protecting your wireless network from KRACK. You can find instructions to update some of the more common manufacturers’ router firmware here. If your router doesn’t belong to one of the companies that has released a firmware patch, you should contact your internet service provider.
- Update All Devices with Wi-Fi Connectivity
Thanks to Apple and Microsoft’s specific implementation of WPA2, their devices aren’t as vulnerable as other devices. However, that doesn’t mean your iPhone is safe. Mathy Vanhoef’s blog publicizing the vulnerability includes a demonstration of an attack on an Android device and links to examples of bypassing encryption in Apple operating systems, as well as other common encrypted applications. Any device with Wi-Fi capabilities needs to be updated as soon as patches are released. In the meantime, use Ethernet or cellular data on your mobile device if possible.
- Utilize Other Methods of Encryption
Even when this WPA2 vulnerability no longer exists, you should make sure you’re communicating with websites securely. Many websites use HTTPS, which you may have noticed during browsing sessions. Thankfully, most websites that handle sensitive personal information (banking and financial sites, etc.) already default to secure browsing, which encrypts private data. Browser extensions like HTTPS Everywhere will force your browser to use a site’s secure version when the option is available. Communicating over a virtual private network (VPN) also encrypts all traffic, rendering it safe from KRACK. However, be aware that VPN providers may store your data in other ways, so make sure to research and select a trusted company.
- Take Stock of Your IoT Devices
The Internet of Things, while still new technology, is notorious for its inherent security weaknesses. Any IoT devices you have connected to your wireless network may need to be disconnected until patches are available. Information from most IoT devices is probably harmless even if hackers were able to gain access to it, but unless each device encrypts traffic, your privacy could still be compromised.
Thankfully, this vulnerability is getting much publicity. The US Computer Emergency Readiness Team continues to update its list of over 100 vendors and their software updates, and none of the indexed vulnerabilities are yet known to be used outside of research. It’s unlikely that an everyday WPA2 user has been affected by this breaking vulnerability, but it would be wise to exercise caution until more information and software updates are released. Be wary of any unfamiliar wireless networks, and keep an eye out for any notices from your hardware and internet service providers.