Designing A Comprehensive Security Plan For Your Company

After years of being in the industry and watching the evolution of cyberattacks, we feel that there are 13 critical pieces to any cybersecurity plan that we, as your managed service provider, should implement. They are:

Two-factor/Multi-factor authentication

Two-factor authentication is probably the most widely misunderstood security solution, but a critical and effective part of every cybersecurity strategy.

Two-factor authentication is just how it sounds: two separate layers of security. The first is a typical username and password log-in with the addition of a secondary level that looks for something you know, something you have, or something on your body (e.g., fingerprint).

Here are some stats you should know that describe the critical need for two-factor authentication:

  • 90% of passwords can be cracked in less than six hours.
  • Two-thirds of people use the same password everywhere.
  • Sophisticated cyberattackers have the power to test billions of passwords every second.

This sobering reality is why we require two-factor or multi-factor authentication for all of our employees and users of our system, and we highly recommend that you do too.

Password management

The main reason people use the same password everywhere is because it’s impossible to keep track of hundreds of usernames and passwords across various devices and systems.

A secure password is a unique, hard-to-guess one, so it’s understandable why users resort to the use of the same password for each site. This is why we have a password management program built into our procedures. The password manager program generates unique, complex passwords for each site or program then securely stores them in the management program.

When one of our staff needs credentials, they use the master password to open their database of passwords and obtain the login information they need, making it easy to “remember” a complex password and significantly reduce the risk of a breach.

Security risk assessment

A security risk assessment involves reviewing your technology and how you use it, followed by the implementation of security improvements and preventive measures.

The assessment should be performed at a minimum of one time per year, if not more. A full security assessment includes the following pieces:

Identification – When performing a security risk assessment, we first need to take inventory of all of your critical information technology equipment, then determine what sensitive data is created, stored, or transmitted through these devices and create a risk profile for each.

Assessment – This step takes identification to the next level. To complete the assessment step, we need to identify the security risks to each critical asset and determine the most effective and efficient way to allocate time and resources to mitigation.

Mitigation – This is where we solve problems. We have specifically defined a mitigation approach for each potential risk in our network and what security controls will be initiated in case of a breach.

Prevention – We have specific tools and processes to minimize the risk of threats against us and our network in order to help keep you safe.

Information security plan

There is a significant need to safeguard any information that is collected, transmitted, used, and stored within information systems, so the development of an information security plan is crucial. We take this very seriously. We have taken steps to document a plan and designed systems to secure our and our clients’ sensitive business data.

A security program is essentially about risk management, including identifying, quantifying and mitigating risks to computers and data. There are some essential basic steps to risk management:

Identify the Assets – Beyond generating a list of all the hardware and software within the infrastructure, assets also include any data that is processed and stored on these devices.

Assign value – Every asset, including data, has a value and there are two approaches that can be taken to develop the value: qualitative and quantitative. “Quantitative” assigns a financial value to each asset and compares it to the cost of the counter-measure.  “Qualitative” places the threats and security measures of the assets and sets a rank by use of a scoring system.

Identify risks and threats to each asset – Threats to the system go beyond malicious actors attempting to access your data and extend to any event that has the potential to harm the asset. Events like lightning strikes, tornados, hurricanes, floods, human error, or terrorist attacks should also be examined as potential risks.

Estimate potential loss and frequency of attack of those assets – This step depends on the location of the asset. For those operating in the Midwest, the risk of a hurricane causing damage is extremely low while the risk of a tornado would be high.

Recommend countermeasures or other remedial activities – By the end of the above steps, the items that need improvement should become fairly obvious. At this point, you can develop security policies and procedures.

Policies and procedures (internal & external) – A crucial part of an effective cybersecurity plan is the policies and procedures, both for internal assets and external assets. You can’t have one without the other. A general description can be thought of as this: a policy is the “rule” and a procedure is the “how.” With this in mind, a policy would be to effectively secure corporate data with strong passwords. The procedure would be to use multi-factor authentication.

Cybersecurity insurance and data breach financial liability – CyberInsureOne defines cybersecurity insurance as “a product that is offered to individuals and businesses in order to protect them from the effects and consequences of online attacks.”

Cybersecurity insurance can help your business recover in the event of a cyberattack, providing such services as public relations support and funds to draw against to cover any financial losses. It’s something that your MSP should carry as well as your own business.

And just like business liability and auto liability insurance, it is paramount that your business (as well as your MSP) covers themselves with data breach financial liability insurance to cover any event that may be attributed to their activities causing a breach.

Data access management – Access management is determining who is and who isn’t allowed access to certain assets and information, such as administrative accounts.

This is critical for your business as it enables control over who has access to your corporate data, especially during times of employee turnover. Other benefits include increased regulatory compliance, reduced operating costs, and reduced information security risks.

Security awareness training (with phishing training) – Phishing is the number one attack vector today with over 90,000 new attacks launched every month. If your provider is not actively participating in security and phishing awareness training, they will be unable to keep you up on the latest trends in how these malicious actors are attempting to gain access to your businesses data.

Data encryption – At its basic level, data encryption translates data into a different form, making it readable only by the starting and ending points and only with the appropriate password. Encryption is currently considered one of the most effective security measures in use as it is nearly impossible for an outside force to crack.

Next Gen antivirus and firewall – Antivirus is software designed to detect and neutralize any infection that does attempt to access the device and should be on every endpoint.

Many providers are marketing their software as “next generation,” but true next generation antivirus includes features such as exploit techniques (blocking a process that is exploiting or using a typical method of bypassing a normal operation), application whitelisting (a process for validating and controlling everything a program is allowed to do), micro-virtualization (blocks direct execution of a process, essentially operating the program in its own virtual operating system), artificial intelligence (blocking or detecting viruses the same way as a human user could), and EDR/Forensics (using a large data set from endpoint logs, packets, and processes to find out what happened after the fact).

Next generation firewalls also include additional capabilities above the traditional firewall, including intrusion protection, deep packet inspection, SSL-Encrypted traffic termination, and sandboxing.

Business continuity plan – This is a process surrounding the development of a system to manage prevention and recovery from potential threats to a business. A solid business continuity plan includes the following:

  • Policy, purpose, and scope
  • Goals
  • Assumptions
  • Key roles responsibilities
  • A business impact analysis
  • Plans for risk mitigation
  • Data and storage requirements that are offsite
  • Business recovery strategies
  • Alternate operating plans
  • Evaluation of outside vendors’ readiness
  • Response and plan activation
  • Communication plan
  • Drills and practice sessions
  • Regular re-evaluation of the current plan

Your MSP should be able to provide you with a copy of what is included in their plan and how it will affect your business if they do encounter a business continuity event, as well as their backup plan to maintain your critical business infrastructure.

Email security layers – In short, layers limit risk. Email security layers include tactics such as two-factor authentication and spam filters at the basic level (which give your employees time to evaluate a potential threat by removing the words “urgent” or “do right now” from internal subject lines).

As your managed service provider, we are dedicated to helping you maintain effective cybersecurity through these advanced tactics, as well as through a consultative, trusted advisor relationship. You are more than just a number to us and we will do everything in our power to help keep your business safe and running smoothly.

What Are The Newest Phishing Attacks?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Phishing is a term adapted from the word “fishing.” When we go fishing, we put a line in the water with bait on it, and we sit back and wait for the fish to come along and take the bait. Maybe the fish was hungry. Perhaps it just wasn’t paying attention. At any rate, eventually a fish will bite, and you’ll have something delicious for dinner.

How Does Phishing Work?
This is essentially how cyber phishing works. Cybercriminals create an interesting email, maybe saying that you’ve won a $100 gift certificate from Amazon. Sound too good to be true? Find out! All you have to do is click the link and take a short survey.

Once you click the link, a virus is downloaded onto your system. Sometimes it’s malware, and sometimes it’s ransomware. Malware includes Trojans, worms, spyware, and adware. These malicious programs each have different goals, but all are destructive and aimed at harming your computers. [Read more…]

Four Questions Every CEO Needs To Ask About Cybersecurity

Leaders in every organization need to make identifying and addressing their cybersecurity needs a top priority. You can begin by starting a conversation between your IT service company and employees at all levels of your company about information security and how best to protect sensitive data, but you need to know the right questions to ask. Here are four questions to ask to get the discussion started and moving in the right direction.

How informed is your team about the vulnerability to and potential impact of cyber attacks on your company?

It’s important to assess the current awareness of everyone in your business about cyber threats and the potential damage from data breaches. It’s likely that everyone has heard of the many well-publicized breaches that have occurred over the last several years, but possibly haven’t considered them within the context of your company.

This is the first step to developing an educational initiative to get everyone up to speed on the problem and identifying the at-risk areas in your system. After that, you can begin to develop a chain of communication to take immediate action in case of a breach and set protocols and expectations for response times. A fast and effective response is critical to limiting data exposure.

What are the specific risks to your infrastructure and what are the best steps to take to address them?

Remember that the threat isn’t limited to just hackers. Many breaches occur because employees click on a link in a phishing email, leave a password lying around where it’s easily seen, or by unknowingly becoming a victim of a social engineering scam by giving it to someone over the phone who is impersonating a company employee.

Then you can begin to identify the resources needed to protect your data, including third-party security software and updated equipment. Simply informing your employees of the threat of such low-tech risks can greatly increase your cybersecurity.

How many security incidents are detected in your systems in a normal month or week, what type are they, and how were others informed about them?

You should have a system in place to detect, monitor, analyze, and record any type of potential security incident no matter how small or seemingly insignificant, and disseminate that information to the appropriate personnel, or perhaps to all employees to raise awareness. You should discuss enhanced alerting and monitoring with your IT professionals.

Does your company have an incident response plan? How effective is it, and how often do you test it?

The only way you can quickly react to prevent or limit the damage from a breach is to have a clearly defined response plan in place. It should document how everyone in your company should react in the event of an emergency. This plan should be available to all employees. It should be tested on a regular basis, at least once each quarter, and updated whenever significant changes are made to your IT infrastructure.

Cyberattacks are just a fact of life these days, and that’s not going to change anytime soon. But by asking your team the right questions, starting a dialogue about how to address the threat, raising awareness and implementing training, and having a response plan in place, although you’ll never completely eliminate them, you can reduce your risks significantly.

What Are The Top Cybersecurity Trends For 2019?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Several events in 2018 brought cybersecurity to the forefront of public consciousness, as major sectors– from financial institutions to Facebook– were affected by cybercrime.

According to Forbes, 34 percent of US consumers had their personal information compromised in 2018. Security experts and business leaders are constantly looking for ways to keep two steps ahead of hackers.

Cybersecurity trends for 2019 are a popular topic. Here is what’s anticipated this year in the cybersecurity realm.

Tougher regulations
As digital capabilities are rapidly gaining a worldwide foothold, data is becoming our most highly-valued commodity. [Read more…]

October Is National Cybersecurity Awareness Month

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Online security is something that should get everyone’s attention. Threats exist all around us: ransomware, viruses, spyware, social engineering attacks and more. There’s so much you need to know to keep your personal and business information safe.

But where do you start?

As trusted cybersecurity professionals, we want to help you get educated and stay informed.

That’s why during National Cybersecurity Awareness Month our goal is to give you all the information you need to stay secure.

How can we help? We’ll be sharing valuable and timely information on cybersecurity in blogs, in our newsletter, and on all of your favorite social media sites. [Read more…]

Cyber Security: How Safe Are You?

Jason Cooley is Support Services Manager for Tech Experts.

In 2017, Equifax, one of the largest credit bureaus in the US, suffered a data breach that exposed the names, Social Security numbers, date of birth, and some driver’s license numbers for 143 million people. An additional 209,000 people also had their credit card information exposed.

The attack was discovered on July 29th, but according to Equifax, the breach began sometime in May.

Let that sink in. One of the companies that rates credit scores and stores tons of financial information, had their data stolen for months.

Some would think that the larger the company (especially with sensitive data), the better the security. That isn’t always how it works out.

eBay, the online giant, is not immune. In 2014, 145 million user accounts were compromised.

The list goes on, and it contains some pretty big names. Target (2013), JP Morgan Chase (2014), The Home Depot, VeriSign, and even Sony’s Playstation Network (2011) have all suffered at the hands of hackers.

Don’t panic just yet, though. There are many things to consider when it comes to data security. From businesses to your personal data at home, we all obviously want to keep our private information private. While there is no foolproof way to keep yourself safe, there are some things that you should know.

 This isn’t a movie.

The Hollywood portrayal of hackers is over-the-top for many reasons. Having one person just sitting around and deciding, “Well, I think I will hack the government or this bank,” isn’t a realistic vision of reality. Most of these data breaches come due to an unknown security vulnerability. Then groups of people will try to exploit this vulnerability.

There are different needs for everyone.

While cyber security can affect everyone, you shouldn’t be overly afraid as an everyday consumer. Most well-known websites are secure and checking out with personal information is often doubled down with extra security.

Still, if you are uncomfortable, use a wallet site, such as Paypal. More and more websites offer these types of payment options, putting down yet another layer of safety to keep your financial information safe.

What about my business?

 That greatly depends on what kind of business you have. If you have a convenience store, there’s a pretty good chance your credit card processing is the only issue with data you’d ever have. Since this is typically handled by a vendor, you don’t have nearly as much to worry about.

Now, if your company stores any sensitive data (especially the personal information of others), you are going to need to step up the security.

How much do you have to lose?

 This isn’t a trick question. Really, how much do you have to lose? Financial information? Client information? As bad as it is to have your data compromised, if you run a business that deals with any sensitive customer or client information, you should not only be careful, but you should be protected.

A managed service provider, like Tech Experts, can help maintain your network and data security. This may include firewalls, blocking specific websites, and running routine checks of the security. Sensitive data, like data that can be used in identity theft, should be protected proactively. You can’t save it once it’s been taken.

Beware: Online Banking Phishing Schemes Are On the Rise

Banking online is a convenient and time saving way of managing and keeping track of your company’s finances.

Weak security practices, though, can make it more possible for cyber-thieves and hackers to steal your hard-earned money. It is important to make sure that all possible steps are taken to safeguard your company’s finances.

Online banking is a tool that many businesses utilize because of the ease, efficiency, and convenience it offers.

It’s a great way to manage finances in your day-to-day operations. Unforunately, as more businesses turn to online banking, cyberthieves and hackers who target small companies are becoming more adept at stealing from companies online.

Security experts are urging companies to beef up their security systems to keep them safe from cyber and identity theft.

The more companies rely on the Internet, especially when it comes to managing finances through online banking, the more prudent it is to take steps to prevent that hardearned money from being stolen or diverted to someone else’s account.

One tip experts give is to establish proper protocols for transacting with the bank, such as requiring two people to verify a transaction before it is approved.

This helps create a checks-and-balance system that hackers can’t bypass.

Having a dedicated workstation used for only online financial transactions is also recommended, as this lessens the likelihood of it being infiltrated by Trojans, viruses, spyware, and other malware that may come from the machine being used for other purposes.

Having the right anti-virus and antimalware software – and keeping it updated – also goes a long way in keeping your online banking transactions safe from unfriendly eyes.

Your finances are the lifeblood of your business. If you’re interested in how you can make your online banking experience more safe and secure, we’d be happy to sit down with you to discuss security solutions that are tailor-fit to your specific requirements and needs.

Give us a call at the office, (734) 457-5001.