Technology Advisor Blog

National Cybersecurity Awareness Month is drawing to a close, and its been a great month to have a lot of conversations with local businesses in the metro Boston area.  Threats against big businesses make the headlines, but too many smaller businesses think they're "under the radar".  Not true!

Here are some of the common misconceptions:

• I thought we already had security
• The threat level has increased significantly the past few years, and the foundational security (antivirus protection, security patches, etc) which we have always recommended just isn’t enough anymore.
• It’s too expensive
• Businesses need to assess risk level and balance with cost.  It is very important to fully understand the cost of down time.  What would happen if you didn’t have any of your data for weeks or if you could never restore it?  Think through all the costs of NOT taking action.  Every business will have a different acceptable risk level, and the time to think this through is BEFORE an event.
• I’ll just pay the ransom
• This should be a last resort.  There is no way to know for sure that you’ll get your data back, AND there’s no way to know for sure that your systems are free of threats after the fact.  You are paying CRIMINALS.
• I’m not a target.  I’m just a small business
• Threat actors don’t care about your data.  What matters is how important your data is to YOU.  Targeted threats are actually very rare, and most people are hit with automated threats of opportunity.
• My data isn’t that valuable
• Credit card numbers and social security numbers aren’t worth that much to thieves.  But how important is access to your data FOR YOU?  Can you run your business without your data and your computers?  What would your employees do?
• I have insurance so I’m all set
• Check your policy carefully.  You may not be fully covered, there may be exclusions, and there may be delays in payment.  Far better to avoid the downtime in the first place!  Can your reputation be fully restored?  Will your clients trust you again?
• A cyber incident wouldn’t really affect my business
• If you don’t have access to your computers or data for weeks or forever, how will you operate?  Work through these scenarios BEFORE you have a threat!

There's no such thing as 100% security.  It's a moving target and the best you can do is to help reduce your risk.  Layers of security or "security in depth" is the best approach.  With more technology protecting you, human behavior is key.  ONE person clicking on the wrong link can take down your network, and we strongly advise conducting ongoing Security Awareness Training - not just during Cybersecurity Month!

 

Hardly a day goes by without national news related to Cybersecurity.  Target, Marriott, Yahoo, Facebook, and Home Depot have all had major incidents in the past few years.  In addition, the cities of Atlanta and Baltimore, as well as many municipalities in Texas have all been hit with Ransomware in the past two years.   Locally in the Boston area, schools, police departments, and several towns have all been hit.

At this point, everyone's aware of the big headlines, but too many small and medium businesses have heard the headlines and created a false sense of security thinking only bigger targets need to worry.  In fact, over half of cyber threats hit smaller businesses, but individually, none of these is big enough to make national news. 

Why are so many smaller businesses at risk?  Many modern threats are automated, and cybercrime is now bigger than all other forms of organized crime.  Simply put, it's become a money maker for thieves.  As a small business, what would it mean for you to lose all access to your data? Perhaps you have a backup, but it could take weeks to recover.  Often the backup is wiped away during an attack, and it wouldn't even be available to you. The threat actors don't care about how important your data is to them, they care about how important it is to YOU.

A layered approach to security is advised.  This is also often called "Security in Depth"  A business class firewall, antivirus protection on all systems, Security Patch Updates, AI based threat protection, DNS management... all of these are important.  Tools that were previously only affordable to larger enterprises are now affordable to small businesses.   When we engage with a business to provide IT support, the first thing we do is install a long list of security layers.  No security is 100%, but implementing security layers greatly decreases your chances of being attacked. 

However, as protection layers increase, the treat actors get more an more creative and think of new ways to get threats onto your network.   In the Verizon 2019  Breach Investigation Report, the typical company reports that 94% of malware enters networks through eMail.  Training users on what to click on and what to avoid therefore needs to be a major priority.  

There are still a few days left in October for Cybersecurity Awareness Month, and it's always a good time to train your team.  Many of the businesses we work with sign on for our formal training platform, but ANY training you do, even just once in a while will help.  The Department of Homeland Security has some great links in support of Cybersecurity Awareness Month.    The theme is OWN IT, SECURE IT, PROTECT IT, and the site has some great informational handouts for your team.   The handouts include information on Travel Tips, Strong Passwords, MFA (Multi Factor Authentication), Phishing, Social Media, and more.  All are free and available to everyone.  If you're not incorporating security discussions in your staff meetings, then now is the time to start!  

Call to action!  Review the tip sheets listed above and review at least one at your next staff meeting.  If you're a small business in the greater Boston area, reach out to us and we'll schedule a complimentary review of your IT infrastructure and security and we'll provide more detailed and specific recommendations.

Each year Verizon publishes the much-anticipated Data Breach Investigations Report (DBIR).  The report is built on real-world data from 41,686 security incidents and 2,013 data breaches provided by 73 data sources, both public and private entities, spanning 86 countries worldwide.    We'll cover some of the key take-aways in this post, and if you're interested in more information, we recommend checking out the full report.  

One of the key take-aways is that small businesses are a prime target with 43% of breaches affecting SMBs.  Too many small businesses believe they're under the radar and this isn't the case.  Large, well-known businesses make the headlines when a breach occurs, but SMBs aren't safe.  Ransomware as a service has become a big money maker.  Any business that stores financial or other protected information is a target, and in the case of ransoware, what really matters is how important is the data to you.  Can your business run without access to your data for days or weeks while you try to recovery from a ransomware attack?    

Another significant data point  is that email is still the top threat vector for hackers to deliver malware to targets. After reviewing millions of malware detonations, Verizon found that the median company received over 94% of their detected malware through email.  We have a mantra:  "Think before you click!"  Fake invoices, fake resumes, fill inboxes of busy professionals.  We strongly recommend email security scanning AND employee training based on actual phishing test cases.

One of the biggest concerns from the report is that while attackers are quick to extract stolen data, defenders are distressingly slow to detect that compromise even occurred. On average, 56% of the breaches identified in this report ‘took months or longer’ to discover. The time it takes hackers to gain a foothold then actually compromise the asset can be measured in minutes. Many businesses don’t realize they are breached until the stolen info becomes public.  We strongly recommend detection tools and Dark Web monitoring to help make sure threats are detected early for the fastest response.

Data breaches continue to make headlines and this is the world we now live in.  It seems no matter what defensive measures security professionals put in place, attackers are able to circumvent them.  No organization is too large or too small to fall victim to a data breach and no industry vertical is immune to attack.  It's a scary situation, but there's actually a lot you can do at an affordable price to stay protected.

Having a sound understanding of the threats you and your peer organizations face, how they have evolved over time, and which tactics are most likely to be utilized can
prepare you to manage these risks more effectively and efficiently.   We strongly advise all businesses to work through a disaster recovery plan to make sure you have the right safeguards in place appropriate to the size of your business, and to maximize your chances of a speedy response to a threat.   The great news for SMBs is that many tools that were previously only available to enterprise class businesses are now available at an affordable SMB price.  The foundational security from years past, (firewall, antivirus, and security patches) are NOT enough to have an adequate protection level for today's threats.   

Call us for a security assessment and we'll help make recommendations to stay protected.  

 

This past month Ekaru hosted a lunch and learn with over 50 local business leaders.  Education and "the human firewall" are key components of any cybersecurity plan, and we're on a mission to educate our community.  Here's a re-cap of the event.

The average cost of a cyber attack for a small business is $53,970.  Big businesses make the headlines, but half of attacks are hitting smaller businesses.  Cyber crime is now bigger than all other forms of organized crime combined!

To set the stage, we opened with a short video from Jimmy Kimmel Live.  If you haven't seen this yet, its worth watching!

It's very important for business owners to understand that the threat actors can leverage the bad habits of well-meaning employees.  Are you using the same password for many on-line applications?  Are you sharing passwords?  Are they easy to guess?  Who in your organization will click on the bad link in an email and unknowingly help launch an attack?  

In 2018, the Internet Crime Complaint Center (IC3) received over 350,000 complaints representing over $2.7 Billion in losses.  Some of the major categories include BEC - Business eMail Compromise - whereby a threat actor will impersonate a known person to steal money, most commonly by wire transfer.  Other types of threats include fake tech support scams, credit card scams, non-payment or non-delivery scams, and the list goes on.  With the availability of crypto-currency, criminals can hide their identity and they're motivated to invent new attack methods. 

Research by Barracuda Networks shows a "startling rise" in the number of Account Takeover Attacks for Office 365 suggesting that hackers impacted 29% of organizations in March of this year alone.  

One of the factors driving the rise in cyber crime is the convenience we all expect from our technology to be able to work from anywhere on any device.  In years past, a business would keep all computers in an office protected by a firewall.  Now the laptops, tablets, and smart phones travel all over and they're harder to protect.

Some of the cybersecurity myths commonly held by small businesses include:

• SMB owners don't believe their information is valuable to hackers (in a Ransomware attack, the only thing that matters is how important your data is to YOU).
• SMB owners think that cyber crime won't happen to them and that it only happens to big companies.  Actually half of attacks hit smaller organizations, but they don't make the headlines.
• SMB owners think their IT team has everything covered.  The reality is that the foundational security that's typically delivered (firewall protection, antivirus, security patch updates) just aren't enough anymore!

Some of the many different types of attacks were discussed in more detail.  The bottom line is that there's a lot of money in cybercrime these days, and the threat actors are very clever in finding new ways to attack.

We recommend a frame work of thinking about the roles of the data owner (the business owner), the Information Technology (implementing and maintaining data systems), and Information Security (risk insights and mitigation strategies).  We recommend starting with a Security Risk Assessment to understand what critical data needs to be protected, where it is located, and how it is protected.   Then the gaps in protection can be more clear.  Each business owner needs to make an informed decision about the acceptable level of risk and security.

One of the analogies we encourage business owners to consider is how you protect your home.  The first step is to identify what you're protecting (family members, pets, documents, valuables, etc).  Then you can consider the various ways to protect your home (locks, doors, windows, yard signs, etc). For detection, there are many options for alarm systems,  motion sensors, cameras, etc.  The next two areas are Response and Recovery. 

Consider how you would change your home security if you learned about a major crime wave in your neighborhood.  Effectively, this is what's happening in cyber space right now.

The biggest threats we're currently seeing for SMBs involve Ransomware.  In a Ransomware attack, the business data is encrypted and held hostage for a Ransom.  There's no guarantee that you'll get your data back from the criminals if you pay the ransom, and you'll be targeted for more attacks.  Cyber Insurance typically won't cover all the damages.  We covered a few exampled in the presentation of an innocuous looking email arriving at the company, such as a resume, and hard working employees accidentally opening the email and inadvertently assisting in the launch of an attack.  Also in in other types of emails, passwords can be compromised and then wind up on the Dark Web.  

Education is a key first step to understanding the threats.  It's important for businesses to make sure all employees know about the risks and what to look out for.  In fact, the Massachusetts Data Security Law (and various other industry regulations such as HIPAA) REQUIRE on-going employee training.  

Next on the list is a complete assessment to understand the current state of security and identify the gaps.  There's no such thing as 100% security, but there are many affordable options for small businesses to increase security and decrease risk.

Call us for an assessment or for training for your employees.  We're here to help!

 

 

The IRS has issued a reminder to all practitioners that all "Professional Tax Preparers" must create a written data security plan to protect clients.  

The IRS and Security Summit partners are reminding tax preparers to take time this Summer to make sure the plan is in place.  It's required by Federal Law!

“Protecting taxpayer data is not only a good business practice, it’s the law for professional tax preparers,” said IRS Commissioner Chuck Rettig. “Creating and putting into action a written data security plan is critical to protecting your clients and protecting your business."

The FTC-required information security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles. This is very similar to the Massachusetts Data Protection Law requirements that went into effect in 2010. 

According to the FTC, each company, as part of its plan, must:

• designate one or more employees to coordinate its information security program;
• identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks;
• design and implement a safeguards program and regularly monitor and test it;
• select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and
• evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Its important to note that the plan is to be designed around the company’s size and complexity.  The security coverage doesn't need to be expensive, but it needs to be comprehensive.  There are so many affordable options available to smaller organizations, so don't put this off and risk your clients and your reputation.

Summer is a great time to step up security!  Ekaru has a lot of training materials and affordable security options for small businesses, so if you have any questions about your existing security and risk level, give us a call!  

For more information, you can access the full IRS post here.

Every Employee Matters
Whether your name is on the sign out front, or you're in a leadership role, or you're just an entry-level employee, the success of the business is in your hands. In that role, you know that each department feeds into the overall health of the business, and you need to ensure everyone, and everything is operating at maximum wellness.

Most of these divisions, or departments, within your business are affected first by the employees who are working within them. By getting all employees on board with security awareness you can address a multitude of threats and risks to your success.

It Takes a Village
Strong leadership helps create a culture where each employee and department feels that they are relevant and part of the company’s success. Part of that success means avoiding the threat of a breach which could very likely destroy your business’s future. Asking for their buy-in means making them feel relevant and valued as not just a risk, but as a part of the success. Today's threats are automated and indiscriminate. Employees need to know that it isn’t just high-level executives who are targets for a data breach. Their level of access or knowledge can be used as a gateway to obtaining any information within a company. Everyone matters – and unfortunately, that makes everyone a target.  Turn the conversation around and show how everyone can help!

This can help to facilitate a team environment where no man left behind becomes part of the culture. There is a tendency to look out for each other when you know that one of you is not dispensable. Create and cultivate that culture.  This is more important than ever when considering cyber threats, as the weakest link will become the point of attack.

Get on the Train
We have fire drills and other emergency training sessions that give our team a heads up on how to react in such a situation, but do you take the same precaution when it comes to cybersecurity? Probably not. We need to change that. Look for ways that are engaging and create team building. You can have contests for security awards, ongoing tallies of scores that unify internal divisions to succeed and band together. Individuals can be nominated and rewarded for reinforcing behavior or actions. Regardless of the method you use, make it fun.

Security awareness is as essential to the success and growth of your company as good leadership and solid decision making are. You cannot avoid facing the risk it poses in today’s business environment. What makes it different, is acknowledging that leadership is not solely responsible for taking on the burden it brings to a business. It is a company-wide risk that leadership needs to acknowledge and ensure that everyone knows their value within both the company and avoiding a cyber crime.

Yesterday we hosted a Cybersecurity Awareness Webinar focused on explaining some of the key impacts to SMBs in plain English. 

Here are some of the key take-aways.

We asked listeners to think about how they secure their own homes from outside threats.  Everyone has doors and windows, to keep people out.  People may have dead-bolt locks, security systems, motion sensors, video cameras, a fence, a big dog, etc.   You get the picture.  It's not just ONE thing that you do for security, it's the combination of a lot things put together that help keep you secure.  Also, different people will have a different level of protection needed to feel safe - everyone has a different level of risk tolerance. 

Now imagine a major crime wave hits your town and your neighborhood.  Imagine that several of your neighbors have had home break-ins.  At this point, most people would wisely reconsider ALL their security options, and strengthen each of the layers of protection and add a few more.  Are ALL your windows locked?  Does your family know what to do when an intruder rings the door bell?  Do you have motion sensors?  Is your alarm system up to date and connected to the police department?   Basically, to retain your level of safety, you must respond with more security protection to address the increased threat.

The same scenario is happening in Cybersecurity.  Cyber crime is now larger than all other forms of organized crime.  We've all seen the headlines, but in a way this has led to "cyber fatigue".  Too many SMBs think that when they hear that Marriott or Yahoo has had breach, they are relieved that they're not a big company and hence not a target.  This is NOT how it works.  Threats are automated and half of all threats hit SMBs.  Smaller events don't make national news, but they're happening everywhere.  In our line of work, we sadly hear about a lot of the local events.

We're advising all SMBs in our community to be very clear about what protection you have and what protection you don’t have, so you can make informed decisions about your security gaps and risk tolerance.

By thoroughly understanding the options, each business can make an informed decision about the level of acceptable risk.  Know your security gaps BEFORE disaster hits.

With an greatly increased threat level, the security basics such as antivirus and security patches just aren't enough any more.  After disaster strikes there isn't much you can do but there's plenty to do ahead of time to prepare, so get started!  We hear from too many people who say "I'll just pay the ransom" or "I have insurance so I'm all set".  Think this through now, and get a better plan!

There’s no such thing as 100% security, but the more layers of protection you have, the safer you are against data loss, breaches, and downtime.  The cyber threat level has increased dramatically over the past few years, and to even maintain the same level of risk, you'll need to increase security.  

Are you still running Windows 7 or Server 2008 in your office?   Microsoft will be ending support for Windows 7 and Server 2008 on January 14, 2020. Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. When this 10-year period ends, Microsoft will discontinue Windows 7 support so that they can focus their investment on supporting newer technologies.

This is a standard part of the Microsoft product life cycle. After January 14, 2020 technical assistance and automatic updates that help protect your PC and Server will no longer be made available for these products. Your systems will no longer have security protection and will be out of compliance for all major security compliance requirements (MA Data Security Law, HIPAA, etc), so it’s extremely important to be aware of this deadline and start the planning process now.

For everyone on a managed service plan with Ekaru, the operating system report is included in your monthly report, so that’s a good starting point to look at which systems will be affected.  Many newer systems can be upgraded in place and you don’t need new hardware. Older systems will need to be fully replaced.

As a general rule, if the system is relatively new you can upgrade the operating system in place, so your cost is just the license cost for Windows 10 and a small amount of labor.   Our general guideline is that a system less than 3 years old, that has i5 Processor (or better) and solid state drive would fine to upgrade in place.   For an older system that has light usage needs it may also make sense to just upgrade the operating system in place.   Older systems should just be replaced.   In business, after a system is five years old, it's time to replace in general.   There's not point in putting more money into an old system, and your business will be held back by the slower performance of an older system. 

Note that in the early days of the release of Windows 10, many systems were sold as Windows 10 systems, with "downgrade rights" to Windows 7, so you may be lucky and already have a Windows 10 license.  Typically we would start the upgrade and then if a new license key doesn't need to be activated, you will be all set.  In our experience, we can typically tell in advance from the Serial Number, but it hasn't been 100%.

Other cost factors to consider are your Microsoft Office licenses and other line of business applications you may have that can't be transferred to a new system, or won't run on Windows 10 (Office will be fine, but some line of business applications may not).  We want to work with you on planning to help minimize surprises.  You may need to run older applications in "compatibility mode".  An "OEM" license for Microsoft Office can never be transferred to a new system, so you would need to purchase a new license, or consider moving to Office 365, and we we would advise you to factor in this cost to the process.  Also, note that we can now provide hardware on monthly subscription basis, so this may be a fit for many businesses. 

All of these factors are why it's not always just a simple answer as to upgrade in place or replace.   

Sometimes there are activation issues with Microsoft licenses, so we generally plan on a window of two hours to do an upgrade in place.  Typically the upgrades are much faster than this, but if there are license activation issues and we need to contact Microsoft, it may take longer.  

For Server 2008, the system will need to be replaced, or it may be time to consider moving the the cloud.  

We’re advising everyone in our community to have a Windows 7 / Server 2008 end-of-life plan in place by June 15.  

Last week, Ekaru hosted a Cybersecurity Awareness Training session at the Cameron Senior Center in Westford, MA.  It's part of our mission to raise cybersecurity awareness for EVERYONE.  

Everyone needs to know how to stay protected in today's environment, and it's important to know what protections need to be in place for the people who you work with who are trusted with protecting your information.

The presentation covered the current state of the cybersecurity landscape, and offered some practical tips to spot the most common scams.

The world has changed a lot over the past years, and so much of our lives are conducted on line through banking, health records, social media, and more.  By now, everyone knows the Cybersecurity Basics:

• Protect your computer with Antivirus Software
• Keep your security patches up to date
• Use STRONG passwords
• Backup your data

The thing is, the bad actors know this too and they’ve developed some new tricks using social engineering to trick you into divulging your personal information or bypassing your security.  Cyber-crime is now bigger than all other forms of organized crime, and its important to know how you can protect yourself.

The rise of cryptocurrency has allowed criminals to collect money anonymously, and this has led to an explosive growth in cyber-crime.  With basic protections in place by most users, email has become one of the most common attack vectors.

Ransomware, which is a type of malicious software designed to block access to a computer until a sum of money is paid is one of the most damaging threats.  You may think that your data wouldn’t be worth much to a criminal, but that’s not what matters.  How much is your data worth to you?  Typically, Ransomware is spread through email, so watch carefully for messages that contain links for documents, and keep in mind that the bad actors have many tricky tools to use to trick you into opening that message.

Phishing is a type of online scam where criminals send an email that appears to be from a legitimate company and ask you to provide sensitive information or payment.

There are three common types of phishing scams:    Brand impersonation, Business eMail Compromise (BEC) Scam, and Blackmail

In a Brand Impersonation email, you may get a fake message from Microsoft to update your password, or a fake email regarding a FedEx Delivery.  Amazon, LinkedIn, UPS, and Bank of America are commonly impersonated brands.

In a Business eMail Compromise Scam, you may get an email that looks like its from a trusted source like boss, attorney, or friend, but it’s not!  Beware that many people have lost money in fake wire transfer scams through email.  If you’re buying or selling a home watch out for any last-minute bank changes.  People have lost their homes over this! 

Losses due to BEC (Business Email Compromise) scams have doubled in 2018, compared to 2017 figures, and have reached a whopping $1.3 Billion, according to the yearly FBI internet crime report.

Blackmail emails will contain threatening language and ask for a payment to prevent further harm.  They can be very detailed and scary, but they are just mass-marketed threats. 

Things to watch for:  Watch out for a sense of urgency in the email, names that may be slightly off, and other threats.  Be extra careful opening attachments or clicking on links. 

Trust your gut, and call the company directly to speak to someone who can verify the request.  Don’t reply to the email and don’t call any numbers listed in the email.

Stay safe on line and Think Before you Click!

A screenshot is an image of whatever's on your screen.  Simply pressing the PrtSc button will save the image of your screen to your clipboard.  If you then go into a document or email, you can hit "paste", or Ctrl+V to insert the image.  Pretty simple!  This is a great short cut when you need to show someone something on your screen or perhaps provide instructions to someone.

Here's a few additional twists on this simple tool:

Save Your Screenshot as a File

Hit the "Windows button" plus PrtSc and you can save the image file to your pictures folder.  The Windows button is near the lower left hand corner of your keyboard - it looks like a square of four squares.  This is a great time saver if you need to collect a lot of screen shots and want to save them for later use.

Take a Screenshot of Part of Your Screen

If you just want to take a screen shot of part of your screen, you can do so by selecting the Windows Key plus the Shift Key plus "s" and this will gray out your screen and allow you to select the region you want to take a screenshot of by dragging your cursor.

Take a Screenshot of Just One Window

If you have a lot of open windows and just want a screenshot of the active window, hit the "Alt" key plus PrtSc.  

Often when we're working with users to troubleshoot a problem we'll ask for a screenshot to see what the error message is.  These shortcuts are also helpful whenever you're creating a document such as instruction steps from your computer.