Cybersecurity: 5 Easy Tips to Keep Your Business Safe

Cyberattacks do not happen in a vacuum; many variables come into play at every turn. It is critical to combat threats with a steady, ongoing campaign to ensure you’re never caught with your guard down.

Another year, another run of cyberattacks.

Advancements in technology are occurring at an increasingly dizzying pace. New technologies emerge to join the ranks alongside ‘new and improved’ functionalities of existing ones. And all the while, increased adoption of these technologies has led to an exponential growth of data breaches.

Verizon’s 2018 Data Breach Investigations Report listed nearly 2,200 data breaches and more than 53,000 total cybersecurity incidents reported from 65 countries from April 2017 to March 2018—an average of six breaches and 145-plus incidents every day. However, this next statistic puts the issue into perspective whether you’re reading this in your office, sitting in a traffic jam, on a plane, or at home with your family. Look to your left and see one person. Then look to your right and see two others. By the law of averages, one of those three people experienced a compromise of their personal information in the U.S. within the past year.

The problem is real, the problem is persistent, and it gains momentum the more technology becomes intertwined with the fabric of our everyday lives.

The ever-growing trend of data breaches is in full force as several high-profile cyberattacks have crippled networks across the world. One instance that hit close to home here in Northeast Ohio: Malware installed on City of Akron servers disrupted the city’s 3-1-1 information line, with a ransom demanded in exchange for unlocking it.

All organizations at some point will have to deal with a cybersecurity incident that can cause business disruption, lost productivity, lost data and lost money (the Ponemon Institute’s 2017 Cost of Data Breach Study put the average cost of a data breach at $3.6 million, with the cost-per-compromised-record at $141).

Threats come in many forms, from many directions

Cybercrime has grown into an estimated $600-billion industry worldwide. With every new functionality, feature and access port to technology comes new opportunities for cyberthieves and hackers to enter and corrupt networks. Here are the six most common types of attacks:

Attack No. 1: Hacking/malware. Malicious software, including spyware, ransomware, viruses and worms.

Attack No. 2: Phishing. The sending of fraudulent communications that appear to come from a reputable source, typically via email.

Attack No. 3: Man-in-the-middle attacks. Also known as eavesdropping attacks, these occur when attackers insert themselves into a two-party transaction, most commonly through unsecured public Wi-Fi networks or malware.

Attack No. 4: Denial-of-service attacks. Flooding systems, servers or networks with traffic to exhaust resources or bandwidth, so that legitimate requests cannot be fulfilled.

Attack No. 5: Structured Query Language (SQL) injection. Occurs when an attacker inserts malicious code into a server that uses SQL and forces it to reveal proprietary information.

Attack No. 6: Zero-day exploit. Hits after a network vulnerability is announced but before a solution is implemented.

How can you stay safe?

Want to learn how you can take steps to protect your data from cyberthreats? Here are five quick but helpful tips to keep your IT safe.

Cyber-security tip No. 1: Implement a cybersecurity training program

In its survey of over 1,000 small business owners and C-level executives, information security company Shred-It’s 2018 State of the Industry Report found that 47% identified human error (such as unintentional loss of a device or document, leaving a device unlocked while unattended, etc.) as the catalyst of a cybersecurity breach at their organization. This evidence clearly indicates a disconnect between where employees currently sit in their grasp of secure technology practices and where they should be.

Make it a priority to integrate a cybersecurity awareness and training program into your organization’s processes. Some ideas for protocol implementation include:

  • creating a policy about the use of personal email accounts and social media platforms on work devices;
  • holding quarterly training seminars for recognizing threat indicators, app installs and updates, and Virtual Private Network setup and usage when working remotely;
  • making any training programs a core part of your onboarding program for new employees;
  • bringing in guest cybersecurity speakers and instructors for lunch & learns; and
  • scheduling regular data access audits to ensure that the right employees have appropriate access to information, and that ex-employees don’t have access.

Cyber-security tip No. 2: Get a firewall solution that protects your entire network

When evaluating your firewall product, there are many questions to consider, especially:

  • How effectively does your firewall monitor your network’s incoming and outgoing traffic?
  • How well does it prevent viruses and other threatening intrusions?
  • Does your firewall properly manage bandwidth so that your network can operate at peak performance?
  • Do its identity and access management protocols consistently weed the bad users out?

Your network’s firewall is the dataflow and coverage epicenter of your IT. It needs constant monitoring to ensure that your entire network is both efficient and secure against advanced threats. Cyber-attackers are getting smarter every day, and your firewall needs to have every network entry point protected.

Cyber-security tip No. 3: Make sure your employees are protected, regardless of where they’re located or connecting

There has been a shift in workplace dynamics from only office headquarters to a structure involving multiple satellite/home locations, employees with non-traditional hours, and more mobile and remote workspaces—all requiring real-time connectivity on a multitude of devices. Protecting your information everywhere your employees go on your network becomes exponentially more difficult when they’re connecting in myriad places, on an increasing number of devices. Will your cybersecurity setup protect against a data intrusion over an unsecured Wi-Fi network at the local coffee shop? At an airport gate? In an employee’s hotel room while traveling on business? While answering emails at their child’s soccer practice?

Not knowing the answers to these questions leaves a huge gap in your cyber-defense and creates opportunities for attackers to leverage a single entry point to create havoc for your entire organization.

Cyber-security tip No. 4: Be more diligent in conducting ongoing internal threat tests

Regular phishing simulation tests are a turnkey way to test the effectiveness and recognition of phishing attempts. Such attempts—which are becoming more sophisticated, especially with the explosion of social media platforms—can be successfully stifled using a variety of approaches.

Additionally, penetration tests—commonly referred to as ‘pen’ tests—should be a dedicated part of your company’s continuing cybersecurity plan. A pen test is a planned, simulated attack on a system using the same tools and techniques that a cyberthief would use; it reveals the strengths and vulnerable points in a cyberdefense plan. Such tests should be performed at least quarterly to maintain optimal security levels. The Payment Card Industry Data Security Standard mandates a regular testing schedule, including immediately after any system changes or upgrades.

Cyber-security tip No. 5: Consider using single sign-on or multi-factor authentication to buoy password security

LinkedIn’s 2012 data breach, which resulted in nearly 7 million encrypted passwords posted to a Russian crime site, yielded some interesting insights. Among them, more than one in three passwords were classified as ‘weak’ (easily guessed ones such as ‘123456’ and ‘password’, which are still routinely among the most commonly used; recycled ones; ones that can easily be decoded; etc.).

Look into the advantages of Single Sign-On (SSO) and Multi-Factor Authentication (MFA) resources, which exist for this express purpose. SSOs leverage other trusted sites to verify users’ identities, then allow them access with a single ID and password (which, because they are verified by other trusted sites, are not held in that site’s database). MFAs grant the user access to a network only after successfully presenting two (or more) pieces of evidence from among:

  • Something they know (e.g. a password).
  • Something they have (e.g. an access card, chip, etc.).
  • Something they are (e.g. fingerprint, voice, etc.).

A golfer and gamer in his free time, Frank Keogh is also a 15-year IT and cybersecurity expert who is a highly-certified Senior Systems Engineer for TEC Communications.

TEC Communications is a Cleveland-based Cisco Premier Certified Partner—in fact, the first Cisco technology partner in Northern Ohio—and trusted IT solutions provider celebrating its 40th Anniversary in 2019. Cisco’s solutions give employees top-level protection regardless of where they’re located or connecting, and TEC can help train your employees to identify cyberthreats that attempt to access your network via their endpoints. Go to https://tec4it.com or call us at 440.333.5903 to find out how TEC Communications can help you identify, combat and prevent attacks on your sensitive data.

Data Disaster: 5 Backup Blunders to Avoid

    Your business is just one disaster away from losing all of its data. The key to mitigating this damage is to have a backup recovery plan—but don’t make these five mistakes when you put your plan together.

    At some point and at some level, your organization will experience a data disaster. When that happens, backup and recovery are two necessities you don’t want to have trouble with. However, mistakes do happen. Keep reading to learn more about the importance of data backup and disaster recovery and what mistakes to avoid to experience business continuity after a disaster.

    Malware, loss of power, a crashed server, fire or a disgruntled employee are all reasons you could face a data recovery situation. When that time comes, you will want to make sure you have a fool-proof disaster recovery plan in place.

    Think about it. Are you prepared to handle a disaster? Sure, you think you have it all covered. After all, what are those daily backups for? However, when it comes to restoring your data the trouble can come with how quickly and efficiently you can make it happen. Every minute of downtime could cost you another dollar.

    Many organizations are turned away by the time intensive nature of disaster recovery planning. When a disaster strikes, though, only a properly implemented backup and disaster recovery plan will keep your business afloat.

    Still not convinced? Well, consider that the Federal Emergency Management Agency states that 40% of businesses do not open after a disaster and another 25% will fail within a year.

    Here are a few other statistics about data breaches:

         • A total of 90% of all businesses have suffered a cyber attack.

         • The industry average breach goes undetected for more than eight months.

         • The average organization experiences 1,400 attempts to their network every week.

    Further, ransomware payments in 2016 hit $1 billion, which is up from 2015 payments of $24 million.

         • RELATED: Learn more about surviving a ransomware attack https://youtu.be/ovwqRqo_VLk

    Unfortunately, the statistics are not in our favor. It’s important to ensure you have your bases covered when it comes to your organizational disaster recovery plan. Here are some of the most common backup and recovery mistakes enterprises make, and how to avoid them.

    Mistake No. 1: Going it alone

    The responsibility of creating a disaster recovery strategy may fall on the IT department, but it cannot fall on them alone. Recovery is an enterprise-wide responsibility that should include users, leaders, financial managers, partners and legal experts. They can help define what common types of disasters to plan for and which applications and data are mission critical. Managed Service Providers can help create, test and implement recovery plans to properly protect business resources. They can help you, along with other members of your organization, prepare for all disaster types from hardware or system malfunctions to human errors.

    Mistake No. 2: Overlooking the people part

    Disaster recovery is heavily involved in IT equipment and data, but it must also account for your physical locations, power supplies, communications and people. Don’t forget to think of things such as offsite locations for employees to work and what they will need to continue operations in case of an emergency. Don’t forget to document your plan in detail and educate your employees on these steps. If your employees are properly educated on the steps to take during and after a disaster, you can get your business up and running quickly and efficiently.

    Mistake No. 3: Not testing for all scenarios

    The next step after establishing your disaster recovery plan is to test, and to test regularly under what-if scenarios. If you can’t be confident in your plan under normal conditions, you won’t be comfortable under extreme pressure. Assess your levels of tolerance with each different disaster scenario. While doing this, create a clear recovery point objective (RPO) that will determine your tolerance for lost data, as well as a recovery time objective (RTO) that will outline how much downtime you can afford in minutes, hours and days. The answers to these will vary for different industries and organizations. One thing to keep in mind: the lower the tolerance, the higher the cost. Conducting tests can help you identify and mitigate weaknesses while building confidence in your plan.

    Mistake No. 4: Have a backup plan for your backup plan

    What if something goes wrong with your backup plan? Have a backup plan for your backup plan. No disaster recovery plan is fool-proof. Continuously bolster yours by confiding in a managed service provider that builds robust redundancy at secure, off-site locations. At our organization, NetServe365, we have partnered with Iron Mountain, a concurrently maintainable Tier-III designed, 220-feet underground, data center located in the Greater Pittsburgh Area. Data that is backed up is stored locally and is replicated to the Iron Mountain Data Center. If your original backup site fails or files become corrupted, you’ll have a secure and reliable data set to pull from.

    Mistake No. 5: Data recovery is a onetime deal

    As business naturally evolves and changes are made, it makes sense your disaster recovery plan must change to align properly. Revisit and update your plan several times a year, as well as whenever big changes are made. Once these updates are implemented, retest your plan to make sure everything is working smoothly.

    While there may never be a completely fool-proof backup and recovery plan, you can definitely create an effective plan that will get you through tough times. With careful planning, regular testing and consistent updates, your plan can withstand whatever comes your way.

    About NetServe365

    NetServe365 delivers a complete range of managed IT services, security services, hosting options and consulting services 24/7/365 worldwide, with our primary markets in Pennsylvania, West Virginia, Ohio and Virginia. We never stop evolving our technologies and operational efficiencies so we can deliver a customer experience and network results far superior to our competitors’. We strive to deliver on every promise, every time because we know who we work for--the partners and customers who put their trust in us. Learn more about NetServe365 here.

Dealing With the Supply-And-Demand Conundrum

    We’ve already talked about how pricing is going to be a major energy-related trend you’ll need to keep your eye on during 2017, but let’s dig a little deeper. What else are you going to need to be aware of? And what are some other strategies you can implement immediately to deal with the pricing challenges that might arise from these issues? We sat down with our energy partners to find out a little more about what’s impacting energy prices and what small . Here’s what they had to say …

    Power Capacity

    One thing to watch for is an expected increase in natural gas usage for electricity generation. This will be primarily caused by new combined cycle gas power plants coming online. At the same time, we expect to see an increase in the retirement of inefficient coal generation plants and possibly nuclear plants as well. Renewables are also projected to grow at a record pace.

    In addition, a strong Marcellus and Utica gas production may help balance the supply-and-demand equation. That said, natural gas pipeline expansion could divert enough gas from the region to diminish the current gas glut. This would, in turn, put upward pressure on natural gas prices.

    What This Means For You

    So, if prices do rise, what can you and your business do to mitigate that impact and meet your energy needs in a cost-effective manner? Our energy partners suggest executing fixed-price contracts based on the recommendation of a reputable, independent consultant who has existing relationships with numerous energy suppliers.

    It bears repeating: These are complex issues and you do not want to go it alone. It’s imperative your consultant understands your goals and expectations, including but not limited to your aversion to business risk, budget certainty and green power needs, just to name a few. A reputable consultant will consider your historical usage profile as well as expected changes in your business that could trigger pricing adjustments during the contract term.

    Find a Partner

    Lucky for you, COSE’s Energy Team has numerous relationships in place with knowledgeable, experienced partners who can help guide your energy strategy. For more on how our Energy Team can help your business, watch Roseann Vandevender of Marigold Catering talk about the savings she has acquired from enrolling in the COSE Natural Gas Program.

    COSE members have access to several programs designed to ensure you’re maximizing your energy. Contact us at 216-592-2205 or energy@cose.org to learn more.

Did You Know that You Can Choose Who Provides Your Electricity?

    Looking for the short and sweet version? Listen to our radio ad featured on WTAM-AM.

    Did you know that you can choose who provides your electricity?

    There are over 100 Retail Energy Providers (REPs) certified by the Public Utilities Commission of Ohio, and each provides customers with different benefits. Whether you stay with the utility or go with a third-party supplier, your service and bill format will remain the same. The difference is in the rate you will pay, as competition between REPs can result in lower-priced offers and additional benefits for customers.

    Having options is a good thing, but COSE understands that finding the right electricity provider for you can be stressful. Fortunately, we’re here to help with the COSE Energy Choice Program. Our consulting partner, OnDemand Energy, has conducted the research and interviews needed to select a smart, reputable choice for your home’s utility services.

    Now, after much consideration, we are pleased to continue to recommend residential services with Public Power LLC to COSE members.

    A few benefits that you will enjoy with Public Power:

    - The peace of mind that comes with a fixed rate.

    - Easy, quick sign-up with no interruption in service.

    - Monthly Usage Reports.

    - Renewal Incentives, including Energy Savings Kits!

    Our team is available to answer any questions about the COSE Energy Choice Program, rates, benefits and more. Please feel free to contact us at 216-592-2205 or energy@cose.org.

    To ensure you receive COSE’s exclusive rate, please visit https://www.ppandu.com/cose.

Do You Know How to Access All the Savings Under the New Federal Tax Law?

    Read on below for savings available to businesses under the new federal tax law that you might not have known about.

    You know that working with the GCP Energy Team to complete an assessment of your facility can help you uncover savings of up to 20%. And you know that energy efficiency is an economic engine, supporting 2.2 million jobs nationwide in manufacturing, construction and other fields, most of which cannot be outsourced overseas.

    BUT. Did you know there’s another reason why being more energy friendly should be a high priority for you and your business this year? I’ll give you a hint. It has to do with something that’s probably been on your mind given this time of year. Give up? It’s taxes. Specifically, it’s new tax savings (Code Section 179) for building owners under the recently passed federal Tax Cuts and Jobs Act of 2017. Retroactive to Oct. 2, 2017, the Tax Act now allows for immediate expensing of certain building components and systems involved in an energy project, namely the replacement of HVAC, roof, fire suppression or security systems valued at up to $1 million.

    Prior to the new Tax Act, Section 179 expensing was not available for HVAC, roofs, fire suppression, and other structural building components. Building owners should consult with their tax advisor if also purchasing new machinery, vehicles, equipment, etc. The tax deduction annual cap is $1 million. The deduction is reduced dollar-for-dollar if total expenditures for all qualifying improvements and new personal property exceed $2.5 million in a tax year.

    Below is a table showing what the tax savings and after-tax cost of a $50,000 HVAC replacement project would be in 2018 under the Tax Cuts and Jobs Act of 2017, compared to the prior year (before the new tax law).

                                  2017       2018
    HVAC replacement              $50,000    $50,000
    First-year write off          -          $50,000
    Bonus depreciation            -          -
    Normal year 1 depreciation    $641       -
    Total year 1 deduction        $641       $50,000
    Cash (Tax) savings            $250       $14,500
    After tax cost                $49,750    $35,500

    As you can see, the difference between the two years is striking. This table also shows how a project that you might have initially believed was cost-prohibitive is well within your reach. Even better, in addition to the tax-related savings, such a project could reduce your building’s energy usage by 20% to 30%. That, of course, brings along its own savings in the way of lower energy bills.

    I know it sounds like a lot of moving parts here, but it’s quite simple: If you’re willing to take steps to make your building more energy efficient, there are savings waiting for you. It’s that easy.

    To make things even easier, the GCP Energy Team is more than happy to walk you through all the steps you need to take to ensure you’re saving as much money as possible. You can email the Team at energy@gcpartnership.com or contact us by phone at 216-592-2205.

DocuSign Email Scam: How to Identify it and Protect Your Business

    The DocuSign email scam is causing a lot of problems out there for businesses. Here's how to identify it and take steps to safeguard your business.

    As a small business owner, it is crucial that you stay on top of all scams that could potentially target your business. While we are focusing on many of these types of specific scams in a series from the Federal Trade Commission, we wanted to draw your attention today to a phishing email scam that is on the rise.

    With this particular scam, hackers are posing as someone you know. You receive an email from a trusted source when in fact, the email is coming from the hacker. You will be asked to verify documents via email and from there the scammers capture your email address and email password to hack into your account.

    How does this scam play out?

    The following five steps outline the usual progression a hacker will most likely follow in regard to this type of scam:

    Step No. 1: You and/or members of your organization receive an email from a trusted source—someone who you have previously done business with or have corresponded with. The email states you have received documents that need to be signed or reviewed or something similar. The subject line or the body of the email will reference DocuSign or some other document storage application.

    Step No. 2: You are asked to click on a link in order to sign in, open and view the documents.

    Step No. 3: The link opens another page and you are asked to sign in with your Microsoft account information or your email address and password.

    Step No. 4: If you click on the link and sign in, your email address and password are immediately sent to the hacker.

    Step No. 5: Once they have your email address and password, they will be able to log into your email account or spoof your email and send/receive email as if they were you. Recipients will see the incoming email coming from your address. Or, the hacker can set up your email account in their local Outlook program on their computer and send/receive email as if they were you.

    It is not unusual for the hacker to do nothing for several days. They will log in and out of your email account just to see if you have changed your password. After several days, when they see they still have access to your account, they will begin sending malicious emails to individuals in your contact list.

    We have also seen an incident where the hacker logged into a user’s account and configured email Rules on the Exchange server that diverted incoming email.
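A check for the diverting mail rules described above, as an added example that is not part of the original article: it audits one mailbox's inbox rules for forwarding outside the company, deletion of incoming mail, and mail moved out of sight. Property names follow Exchange's Get-InboxRule output; the JSON export shape, the `example.com` domain, the rule values and the `QUIET_FOLDERS` list are assumptions made for the example.

```python
import json

# Constructed sample: one mailbox's inbox rules as a JSON list. Property names
# follow Exchange's Get-InboxRule output; the export shape and all values are
# made up for this example.
SAMPLE_RULES_JSON = """
[
  {"Name": "Newsletters", "Enabled": true, "ForwardTo": [], "RedirectTo": [],
   "ForwardAsAttachmentTo": [], "DeleteMessage": false,
   "MoveToFolder": "Newsletters", "MarkAsRead": false},
  {"Name": "To personal", "Enabled": false,
   "ForwardTo": ["old.account@mail.example.org"], "RedirectTo": [],
   "ForwardAsAttachmentTo": [], "DeleteMessage": false,
   "MoveToFolder": null, "MarkAsRead": false},
  {"Name": "Invoices", "Enabled": true,
   "ForwardTo": ["collector@mail.example.net"], "RedirectTo": [],
   "ForwardAsAttachmentTo": [], "DeleteMessage": true,
   "MoveToFolder": null, "MarkAsRead": false},
  {"Name": "archive", "Enabled": true, "ForwardTo": [], "RedirectTo": [],
   "ForwardAsAttachmentTo": [], "DeleteMessage": false,
   "MoveToFolder": "RSS Feeds", "MarkAsRead": true}
]
"""

# Properties that send incoming mail on to another address.
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")

# Assumption: folders users rarely open, so mail moved there goes unnoticed.
QUIET_FOLDERS = {"rss feeds", "junk email", "deleted items", "conversation history"}


def load_sample():
    """Parse the constructed sample rules."""
    return json.loads(SAMPLE_RULES_JSON)


def _domain(address):
    """Lower-cased text after the last '@' (the whole string if there is none)."""
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_rule(rule, internal_domains):
    """Return the reasons (possibly none) why one rule diverts incoming mail."""
    reasons = []
    for field in FORWARD_FIELDS:
        for addr in rule.get(field) or []:
            if _domain(addr) not in internal_domains:
                reasons.append(f"{field} sends mail outside the company: {addr}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes incoming mail")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in QUIET_FOLDERS and rule.get("MarkAsRead"):
        reasons.append(f"moves mail to '{rule['MoveToFolder']}' and marks it read")
    return reasons


def audit_mailbox(rules, internal_domains):
    """Return findings for every diverting rule, enabled rules first."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        reasons = audit_rule(rule, internal)
        if reasons:
            findings.append({"rule": rule.get("Name", "<unnamed>"),
                             "enabled": bool(rule.get("Enabled")),
                             "reasons": reasons})
    # Stable sort: enabled rules (currently diverting mail) come first.
    findings.sort(key=lambda f: not f["enabled"])
    return findings


if __name__ == "__main__":
    for f in audit_mailbox(load_sample(), {"example.com"}):
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f"[{state}] {f['rule']}: " + "; ".join(f["reasons"]))
```

Inbox rules are stored on the mail server, so they stay in place after a password change; reviewing them belongs in the cleanup for any account that signed in through one of these links.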

    What to do if you are targeted?

    If you receive one of these DocuSign emails or a similar type of email request, call the sender and make sure the email was actually sent by the person. If not, delete the email. DO NOT CLICK ON THE LINK OR SUPPLY YOUR EMAIL ADDRESS OR PASSWORD. If you have a situation where someone clicked through and signed in, you should change your email passwords right away.

    How can you protect your company from this type of scam?

    • Communicate with your staff on a regular basis about the potential threats out there and the steps to take against them. Make sure everyone in your company is well-versed on what to look out for when it comes to email scams. Anytime you hear of a particular scam, send an immediate notification out to everyone on your staff and any outsiders who also use your network. Security issues should not be tackled with a one-and-done approach; there should be a constant drip of information.
    • Advise all employees to verify a suspicious and unexpected email by calling the actual sender.

    Steve Giordano is president of TeamLogic IT. Learn more about the company by clicking here.

