Technology Advisor Blog

Cybersecurity - What is the cost to Small Businesses? Another factor to think about related to Microsoft Security Patches...

Posted by Ann Westerheim on 5/14/18 10:55 AM

We've all seen the headlines of the major cybersecurity incidents: Target, Yahoo, Equifax, Sony, etc. Cybersecurity is a topic that affects everyone, and we view it as a public safety issue. With all the headlines over the past few years, most people now "get it" that cybersecurity is a big problem, but the education can't stop there.

Too many SMBs see the big companies listed in the headlines and think they're "under the radar" when it comes to cybersecurity, but half of all attacks hit small businesses. A big part of our mission at Ekaru is to bring enterprise-class IT to small businesses, and security is a big part of that.

And there's more: the headlines tell just part of the story; it takes a little more digging to identify the real costs. As an example, the San Francisco metro system was hit by ransomware over a year ago. At the time, the network was held hostage for $73K. All ticket point-of-sale systems were rendered useless, so to keep people moving, free fares were offered for the busy holiday weekend. With an estimated 700,000+ rides per day at a fare of $1 to $2.25, the system lost between $1.3M and $3.3M. That figure covers lost revenue only; it doesn't include all the round-the-clock work to restore systems from backup.

The cost analysis doesn't stop there, though. Last week Microsoft released a critical zero-day security alert. As bad actors continue to find and exploit vulnerabilities, the major tech vendors continue to update their products to address them.

Security patches are in fact required by law under the MA Data Security Law, HIPAA, and other industry-specific regulations. For example:

"For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information."

So here's the curve ball: the critical security patch released by Microsoft last week had a bug. Systems that received the patch lost their ability to connect to the network! This meant that these PCs were basically useless until network connectivity was restored. It led to downtime at customer sites and enormous effort by IT support firms like Ekaru to restore connectivity for affected users. As we consider the overall cost of security, the downtime associated with failed security updates is also a major consideration.

To secure networks and comply with regulations, we rely on Microsoft to continually address security vulnerabilities with security patches. With the complexity of modern computing systems, we realize that things are changing all the time. Going forward, more diligence by Microsoft in testing security updates is needed; 2018 has gotten off to a rough start! That said, our message to all SMBs is that the risk of not applying security updates is far greater than the risk of the rare problem update.

So we continue our message to all users that cybersecurity is a public safety issue; we're all in this together and we all need to do our part!

Tags: cybersecurity, ransomware

Ekaru Now Delivers Dark Web Monitoring Services through ID Agent Partnership

Posted by Ann Westerheim on 5/9/18 8:29 AM

Ekaru Offers Monitoring and Alerting of Stolen Digital Credentials, Increasingly Valuable Asset on Dark Web

Ekaru announced its new Dark Web monitoring services, provided through its partnership with ID Agent, a provider of Dark Web monitoring and identity theft protection solutions. With Dark Web ID, Ekaru offers around-the-clock monitoring and alerting for compromised digital credentials, scouring millions of sources, including botnets, criminal chat rooms, peer-to-peer networks, malicious websites, bulletin boards and illegal black market sites.

“Too many small businesses think that they’re ‘under the radar’ when it comes to cybersecurity. Users have weak passwords and often reuse passwords at multiple sites. About half of all cyber attacks hit small businesses, but they just don’t make the headlines like the big companies. It’s been Ekaru’s mission from the beginning to support and protect small businesses,” said Ann Westerheim, PhD, President at Ekaru.

The Dark Web is made up of various digital communities, and while there are legitimate purposes for the Dark Web, it is estimated that over 50 percent of all sites on the Dark Web today are used for criminal activities, including the disclosure and sale of digital credentials.

“Digital credentials such as usernames and passwords are widely used to connect to critical business applications – the reason these credentials are among the most valuable assets found on the Dark Web,” said Kevin Lancaster, CEO of ID Agent. “Unfortunately, the unaffordability of cyber offerings has played into the cyber poverty line experienced by small businesses. Dark Web ID, however, delivers an affordable model that provides small businesses with the same advanced credential monitoring capabilities used by Fortune 500 companies to organizations in the SMB and mid-market space.”

Dark Web ID is the industry’s only commercial solution available to detect customers’ compromised credentials in real time on the Dark Web. It vigilantly searches the most secretive corners of the Internet to find compromised data associated with your customers’ employees, contractors and other personnel, and notifies them immediately when these critical assets are compromised. There are a few competitors in the market, but none as completely focused on the Dark Web as ID Agent’s solution.

About ID Agent

ID Agent provides a comprehensive set of threat intelligence and identity monitoring solutions to private and public sector organizations and to millions of individuals impacted by cyber incidents. The company's flagship product, Dark Web ID, combines human and sophisticated Dark Web intelligence with capabilities to identify, analyze and monitor for compromised or stolen employee and customer data, mitigating exposure to clients’ most valuable assets – their digital identity. From monitoring your organization’s domain for compromised credentials to deploying identity and credit management programs in order to protect the employees and customers you serve – ID Agent has the solution. For more information, visit: http://www.idagent.com or go to LinkedIn, Twitter or Facebook.

About Ekaru

Ekaru has been a leading provider of IT support services, hosting, and data protection to small and medium businesses since 2001. Our curated technology platform is designed to give you the level of support you need, with a budget that fits, so you can focus on your business. For more information, visit www.ekaru.com or go to LinkedIn, Twitter, or Facebook.

Contact:

Ann Westerheim, PhD

Ekaru

978-692-4200

awesterheim@ekaru.com

Tags: cybersecurity, data security

Cybersecurity - Why you need to train your employees

Posted by Ann Westerheim on 5/3/18 3:13 PM

In case you missed it... here's a review of our latest webinar on cybersecurity from earlier today.

Train, test, and prevent cyber attacks. Big companies make the headlines when there's a cybersecurity breach, and too many SMBs believe they are "under the radar". Today's threats are automated, and everyone is at risk. Some reports indicate that up to 95% of breaches are caused by human error.

Will your employees click on that link they're not supposed to click? Do they know not to plug in a USB stick labeled "Company Financials"? Cybersecurity requires layers of protection with attention to technology, process, AND people.

Training your employees is specifically required by the MA Data Security Law and other industry-specific regulations such as HIPAA. There's no such thing as 100% security, but don't leave your network exposed to avoidable human errors, and don't take on the liability of knowingly ignoring the law.

The Employee Security Training program is a cost-effective way to increase security, protect your business, and demonstrate compliance with the training requirements of the MA Data Security Law, HIPAA, and other industry-specific security compliance requirements.

Here's a recording of today's session on cybersecurity and employee training:

To learn more about the training platform and sign up, visit www.ekaru.com/training.

Tags: training, cybersecurity

Cybersecurity is a LOCAL issue - Massachusetts school district pays $10,000 ransom to unlock its files after cyber attack.

Posted by Ann Westerheim on 5/2/18 3:59 PM

This past week a Massachusetts school district paid a $10,000 ransom to unlock its files after a cyber attack. The Police Chief commented that there is no further investigation of this crime because solving it is "impossible". This is unfortunately a sign of the times.

At Ekaru, it's been our mission for years to SECURE and EDUCATE our small business clients. All of us see headlines in the news when big companies get hit with a cyber attack, and too often we think that's a problem that only happens to large, well-known companies (Sears, Equifax, Sony, Target, etc.).

Today's modern threats are automated and indiscriminate. ANYONE, no matter how big or small, can get hit with a cyber attack. When an attack is local, it's a reminder that cybersecurity affects ALL of us, and this is a matter of public safety.

In the case of the school, it's unclear how the ransomware got onto the network, but one of the most common attack vectors is email, so it's vitally important to train employees. Clicking on phishing emails and using weak passwords are easy to fix with some security awareness education. In addition, it's clear that the school district didn't have a disaster recovery plan or even a robust backup; otherwise they would not have had to pay the ransom.

We're working to spread the word that with some technology, process, and people fixes (training!), we can all greatly reduce the threat of cyber attacks.

Unfortunately, sometimes it takes a case close to home to remind us of how real these threats are.

To read the full article, go to cbsnews.com.

Tags: cybersecurity, email scams, ransomware

Sending an email to more than just a few recipients? DON'T hit the send key before reading this....

Posted by Ann Westerheim on 4/16/18 3:54 PM

You need to send an important update or invitation to all your clients and you're ready to hit the "send" key. Don't!

If your email hosting provider or Internet Service Provider sees a lot of mail coming from you that looks the same, it will be categorized as "bulk" commercial mail and you may unwittingly violate your provider's acceptable use policy. Even though these are emails people want, the systems and algorithms in place can't tell the difference between your well-crafted invitation to a high-quality event, or thoughtful customer update, and the massive amount of spam on the Internet.

To send bulk mail, first you must comply with the current anti-spam laws, and then you need to find a way to successfully deliver your mail.

You must have permission to send the mail via an opt-in process (such as a newsletter sign up), or implicit permission such as an established client relationship.  The CAN-SPAM Act of 2003 puts into law the differentiation between legal and illegal commercial email.  Commercial emails are considered legal if they adhere to the following standards:

  1. The header of the commercial email (indicating the sending source, destination and routing information) doesn't contain materially false or materially misleading information;
  2. The subject line doesn't contain deceptive information;
  3. The email provides "clear and conspicuous" identification that it is an advertisement or solicitation;
  4. The email includes some type of return email address, which can be used to indicate that the recipient no longer wishes to receive spam email from the sender (i.e. to "opt-out");
  5. The email contains "clear and conspicuous" notice of the opportunity to opt-out of receiving future emails from the sender;
  6. The email has not been sent after the sender received notice that the recipient no longer wishes to receive email from the sender (i.e. has "opted-out"); and
  7. The email contains a valid, physical postal address for the sender.

Source: Cornell Law School, Legal Information Institute.

Even if you follow all these rules, you still need to find a way to deliver your mail to your recipients. Your email hosting provider or Internet Service Provider will not be reviewing the contents of the email, so they may just block you. If you plan to send any bulk email, we recommend Constant Contact or HubSpot to send your mail. There are also many other excellent providers, but these are the ones we use and recommend.

We've seen clients try to work around the bulk mail limitations by sending mail in batches or by trying to hide the number of recipients in distribution lists. It won't work! Computer systems are very good at recognizing patterns, and you won't outsmart the system. Blocking an individual sender, while highly inconvenient for that sender, actually protects you from the worse situation of having your entire domain blocked. If your domain is blacklisted, it will take time to get off the blacklist, and in the meantime no one in your company will be able to send email.

Why do email hosts and Internet Service Providers block mail? They're trying to cut down on the spam that makes up about 90% of email traffic. Many viruses attack PCs by turning them into "zombies" that send mail on behalf of spammers. This ties up valuable resources, so the hosts and Internet Service Providers want to stop it... and unfortunately they wind up stopping the "good guys" too.

After you comply with all the rules and use the right platform, keep in mind that if customers "unsubscribe" you can't add them back on to the list. We recently sent out an important customer update, and found that a few customers didn't receive it because they had unsubscribed from our newsletter. Focus on high-value information, and use your bulk mail sparingly to keep the retention level high. You may also need to do some customer education around what you're trying to achieve with the notifications, so they won't just de-clutter one day and cut off all communications (and then ask why they didn't get the important update).

Bottom line: don't fool around with bulk mail. Email is a great way to get the attention of your clients directly in their inbox, but be informed and responsible before hitting that "send" button!

Tags: eMail, email security

Help! Sent Items Folder in Outlook Only Shows My Name

Posted by Ann Westerheim on 3/23/18 10:16 AM

We hope you're keeping up with organizing your "Inbox" in Outlook using different folders to group your mail. You may also want to organize your "Sent Items" folder into different sub-folders. Perhaps you have some company-related emails you want to group, or perhaps you want to track your sent items by major project. If you add a sub-folder, you may be alarmed to see that all the mail is listed with your name. As you can see below, the messages in my newly created "TEST FOLDER" sub-folder for sent messages are all listed by who sent the message. Me! Not helpful. I already know who sent them!

[Screenshot: Un-sorted SENT folder]

By default, a folder in your "Inbox" lists messages by who they are "From", and messages in your main "Sent Items" folder are listed by who they are "To". When you create a new folder, by default the folder organizes the mail by who it is "From". This is not helpful when you're looking at sent items.

The fix is very easy. Under the "View" tab, select "View Settings" (look for the gears), and then select "Columns".

[Screenshot: Advanced View Settings - Outlook]

Within the Columns page, select "To" from "Available Columns" and move it to the right side, "Show these columns in this order". It then needs to be moved up above "From". (You can remove "From", but the sort will work if you just move "To" above "From".)

[Screenshot: Select "To" in Columns]

Select "OK" and now you'll see your sent mail presented in a more useful way, that is, by who it is "To":

[Screenshot: Sorted SENT folder]

Have fun organizing your mail!

Tags: Microsoft Outlook

Facebook Privacy - Big Brother is watching you and has been for a long time!

Posted by Ann Westerheim on 3/22/18 1:44 PM

Facebook is in the news recently for some not-so-good reasons. In case you missed it, a research firm called Cambridge Analytica harvested the personal information of 50 million Facebook users and used it to "influence" the Presidential election. After days of silence, Facebook executives have finally come forward and would like users to think that this was an isolated case by some bad actors, but the real problem is that this hits at the core of the Facebook business model.

Just stop and think for a minute about how a company can make billions of dollars giving away a "free" product. Well, it just doesn't add up. All the information you post online, or "like", reveals a lot about who you are, and this is very valuable to advertisers. You may not like the political candidate who benefited from this particular use of the platform, but Coca-Cola, car companies, and just about everyone who advertises online is basically working the same way. They're using your profile to influence you too.

This past December, several US employers were accused of age discrimination over ads placed on Facebook (Source: Fortune).  Companies such as T-Mobile, Cox Communications, and Amazon imposed age limits for people who could see recruitment ads, limiting some to people under 38.  Are you okay with that?

Marc Goodman's bestselling book "Future Crimes" devotes a chapter to this topic: "You're not the customer, you're the product". (We highly recommend this book!) The latest scandal is a wake-up call to everyone online to think carefully about privacy. The connected world provides so many opportunities for us, but too many users are oblivious to the lack of privacy online. You may be okay with your current level of privacy, and may even welcome some targeted ads, but let it be a fully informed decision on your part.

For more details, and specific recommendations for reviewing and changing your privacy settings on Facebook, or perhaps even removing your account, we recommend The Complete Guide to Facebook Privacy in Wired Magazine. Get informed, and take control of your online presence.

Tags: cybersecurity

Phishing: Would your employees click on any of these emails?

Posted by Ann Westerheim on 3/15/18 2:02 PM

Everyone thinks they won't click on a phishing link, but when we run tests, there's always someone who does!

Phishing is the leading tactic used by today's ransomware hackers, typically delivered in the form of an email designed to impersonate a real system or organization. Often crafted to convey a sense of urgency and importance, these emails frequently appear to be from the government or a major corporation and can include logos and branding. They look like the real thing!

Would any of your employees click on these emails?

  • Tax Refund - Recipient is told they are due a tax refund and directed to a site to claim it.
  • Bank Account Low Balance - Recipient receives a low balance alert for their bank account and is offered the option to check the account.
  • Amazon Security Alert - Alerts an Amazon customer that there were several unauthorized attempts to access their account from an unknown device.
  • DocuSign Signature Request - Recipient is sent a request to electronically sign a document.
  • Webinar Reminder - Recipient is sent an email reminder that the webinar will begin in 1 hour.
  • Netflix Account Reset - Netflix password has been reset, and the target is asked to change their password.
  • IT Reset Password - Email sent from "IT" asking the recipient to reset their password.
  • eFax Email - eFax email with instructions to download the electronic fax.

These are all examples of typical phishing scenarios, and are actual emails we use as part of our cybersecurity training. Everyone thinks they won't click on the link, but when we run training tests, there is always at least one person who clicks on the link.

In a test scenario, the user is just warned that they made a mistake and it's an educational moment. However, if the email were malicious, this could take down an entire organization with ransomware.

The concept of a "human firewall" is getting a lot of attention these days.  A network firewall, security patch updates, DNS protection, and all the technical layers of protection needed for responsible network protection are just part of the solution.  The behavior of all users on your network will also impact your security (and the bad actors know it!).  Don't forget employee security training as part of your overall cybersecurity strategy.

Tags: Microsoft Security Patches, cybersecurity, ransomware, training, HIPAA

Texting, eMail, and HIPAA

Posted by Ann Westerheim on 3/12/18 1:15 PM

At the HIMSS Healthcare IT Conference last week in Las Vegas, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), the HIPAA enforcement agency, made some news when he said that health care providers may share Protected Health Information (PHI) with patients through standard text messages. Providers must first warn their patients that texting is not secure, gain the patients’ authorization, and document the patients’ consent. Note that this only applies to communications with patients.

This expands on the 2013 HIPAA Omnibus Rule on email, which allows providers to email patients as long as the provider notifies the patient that email is not secure AND gains their consent.

Note that emails through free email services are NOT secure.  Google, for example, reserves the right to "use...reproduce...communicate, publish...publicly display and distribute" your email messages.  Most users don't read the lengthy terms of use and are surprised to hear this.  Health care providers must use encrypted email or secure email systems to communicate ePHI outside of their networks.

The baseline services we provide through our service plans, such as firewalls, security patch updates, antivirus updates, etc., are an important foundation for the technical requirements of HIPAA, but there is so much more to it, and we want all our clients to be fully aware of all the requirements. Contact us if you want to set up a complimentary HIPAA review. The more you know, the better!

For more details, read the full article by Mike Semel of Semel Consulting, author of How to Avoid HIPAA Headaches, who is one of the experts Ekaru follows for HIPAA information. We also offer cybersecurity training and a HIPAA compliance platform to help with your compliance.

Tags: Compliance, cybersecurity, data security, HIPAA

Technology, Patience, and Wireless Displays... Lesson Learned.

Posted by Ann Westerheim on 3/2/18 2:15 PM

I love technology! It's amazing that I can project the screen of my laptop across the room to a large TV... through the air! No cables or connections needed. Wow!

I also get really frustrated with technology. For no known reason, my wireless display connection was dropping all the time during meetings. I checked my power settings and the display settings, and tested whether it mattered if I was plugged into power or not. I tried using the native "smart TV" connection, but my image was getting stretched. I was getting very frustrated and obsessed with making it work.

Finally, after testing so many different settings, I just bought a new display adapter. I paid about $50 for a new Microsoft Display Adapter, and I've had it powered on all day to test it. Not a single drop-out!

Working in technology, we face challenges every day. One of the things we don't allow in our office is the phrase "it should work".

When you consider the technology "under the hood" that lets me magically connect to the screen, it really is amazing. The challenge every day is to make smart choices to maximize our technology success and success for our clients. When do you keep troubleshooting, and when do you take a fresh approach?

Spending about $50 on a new display adapter was the smart, fast choice. I still don't know why the other one didn't work consistently, but I can appreciate that spending a relatively small amount of money to fix the problem was the smart thing to do. I like the Microsoft version because it's so quick to launch from Windows 10, and it adjusts the screen aspect ratio nicely with no adjustments.

As I type this I'm watching the big screen across the room. Magic!

Tags: Microsoft Display Adapter

Older Blog Posts

For older Ekaru blog posts, go to ekaru.blogspot.com.