Data Management

The Three Scariest Threats To Small Business Networks

October 27, 2015

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

While spam, pop-ups, and hackers are a real threat to any small business network, there are three security measures that you should be focusing on first before you do anything else.

Worry About E-mail Attachments, Not Spam
Sure, spam is annoying and wastes your time, but the real danger with spam is in the attachments.

Viruses and worms are malicious programs that are spread primarily through cleverly disguised attachments to messages that trick you (or your employees) into opening them.

Another huge threat is phishing e-mails that trick the user by appearing to be legitimate e-mails from your bank, eBay, or other financial accounts.

Here are three things you must have in place to avoid this nightmare: [Read more…] about The Three Scariest Threats To Small Business Networks

Should You Eject USB Drives Before Unplugging Them?

October 27, 2015

While it is possible in some cases to remove a USB drive without using the eject option and not cause harm, you should always eject a drive before removing it from your PC’s USB port to be on the safe side.

Some USB drive users thought this was only necessary with Linux and Mac because the dialog to eject a device is so prominent, and Windows doesn’t make it as clear to safely eject a USB drive.

It is, however, possible to accidentally lose or corrupt the data on the thumb drive even when using Windows.

The information stored on USB drives can become corrupt when the device is pulled out because most operating systems employ something called write caching, a fancy way of describing how Windows sometimes saves tasks to do all at once in order to be efficient.

When a computer user initiates the proper ejection process, it tells the OS to complete all those tasks first before it’s safe to remove the drive from the USB port.

Windows handles removable drives a little differently than Mac and Linux, which is perhaps why the way to safely eject USB drives isn’t as easy to find.

Often, Windows doesn’t recognize or categorize these drives as removable, and this actually makes proper ejection even more important. When a removable drive is identified as a non-removable one, Windows automatically uses write caching.

This means that any data associated with a saved task can be lost in the event that a user pulls the drive out without first clicking the “Safely Remove Hardware” option in the system tray.

For Pete’s Sake, Back Up Your Data Folks!

July 27, 2015

I’ve been supporting small business computers and network systems for more than 25 years, and believe me when I say, the number one thing that still boggles my mind is the lack of sound backup systems and procedures.

It is a topic we cover a lot in our newsletters, and for good reason: Not a month goes by where we aren’t witness to some sort of catastrophic file loss or system/server failure.

If you’ve ever lost an hour of work on your PC because it locked up in the middle of writing a proposal, you know the grief it causes. Now imagine if you lost days or weeks of work – or imagine losing your client database, financial records, and all of the work files your company has ever produced or compiled.

Or what if a major storm, flood, or fire destroyed your office and all of your files? It’s raining as I write this, perhaps the twentieth day of rain in the last 30, and we’re under a flood watch yet again. [Read more…] about For Pete’s Sake, Back Up Your Data Folks!

The Basics Of HIPAA Compliance

June 30, 2015

Michael Menor is Vice President of Support Services for Tech Experts.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation that created national standards to protect the privacy of patients’ medical records (including electronic records) and other personal health information.

The legislation makes organizations and individuals who collect and manage personal healthcare data legally liable for its security, including health care providers, health plans, health clearinghouses and business associated with any of these. Consequences of negligence and misuse of private information can include civil and criminal penalties.

As a result of HIPAA, the Department of Health and Human Services created specific regulations for the handling of Protected Health Information (PHI), including electronic or digital forms (ePHI). HIPAA has two main sets of requirements related to privacy and security.

The HIPAA Privacy Rule governs the saving, accessing and sharing of health-related and other personal information, either oral or written.

This rule defines the guidelines safeguarding the confidentiality of PHI. Standards for identifying and authenticating people and organizations requesting PHI are outlined in this rule.
The HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically.

This rule primarily focuses on the technological measures used to enforce policies keeping ePHI out of the wrong hands. Failing to comply with these rules can result in penalties for not only organizations, but for the responsible individuals.

Any entity that deals with protected health information must make sure that all the required measures are established and continuously observed — physical (actual data center server access), network, and process security (audits, policies and staff training).

While the legislation is clear on the privacy, security, and accessibility requirements for organizations, over 91,000 violations were recorded between April 2003 and January 2013. These resulted in 22,000 enforcement actions (which included settlements and fines) with 521 referred to the US Department of Justice for criminal investigation.

HIPAA Compliant Best Practices
1. Review and evolve your policies and procedures. HIPAA is not a “set and forget” proposition; compliance must be a living, changing process that is regularly audited for effectiveness and legality. A lot has changed since 1996 and organizations’ policies must reflect those changes.

2. Accessibility rights are as important as rights to privacy. HIPAA gives patients certain control over their healthcare information, including the right to access it on demand and the right to revoke authorization to store their data. Organizations must act quickly when patients ask for their PHI.

3. If you store your data with a third party hosting provider, make sure that they are HIPAA compliant. The Security Rule hands down many stringent administrative, physical and technical requirements for such providers. Make sure that a full-scale risk assessment of the provider is performed on a regular basis and that a process is in place for monitoring compliance.

Apply common sense to your technology platforms. Shut down computer programs and servers containing patient information when not in use, and don’t share passwords among staff members.

The US Department of Health and Human Services has found that storing patients’ information in a HIPAA compliant cloud server can be safer than using a localized server or paper documents, so consider this option for increased security.

A HIPAA violation can be as small as a health care worker discussing a patient’s private health information in the elevator or as large as a $1.2 million fine for not erasing PHI from photocopier hard drives before returning them to the leasing agent.

More than ever, common sense and sound corporate governance must be applied to the technologies and processes that manage confidential data. Protecting that data will protect clients and the organization as well.

Documenting Business Processes

June 30, 2015

Scott Blake is a Senior Network Engineer with Tech Experts.

Documentation is quite possibly the most important aspect of a business, but it can also be workers’ least favorite task to do. The average person doesn’t want to spend time writing down how they do something — they just want to do it and move on.

Can you guess the biggest reason for documenting your business processes? It may come as a surprise, but it’s also the most fluid part of your business: your employees.

Employees come and employees go and some just take vacations. It’s what they do in between that’s important. Every employee is responsible for some part of your daily business.

Whether an employee quits or just needs time off, having documentation that lists the software used with usernames and passwords, step-by-step instructions on how to use the business software, client and vendor contact information, and credit card information makes their absences that much easier to deal with.

Well-documented processes will cut down on the time it takes to train a new employee.
Give the related information to the new employee and let them use it as a guide for their daily activities. This will allow your other employees to spend more time on their tasks and assignments instead of spending the majority of their time answering routine questions that a documented process could answer.

Order-of-operation questions and disputes can be minimized as well. If there ever comes a time when your employees are unsure of the next step or there is a dispute between departments on how to proceed, they will only need to look over the documented processes in question to resolve the issue.

Having documentation that shows in detail how long it takes to produce a product will also help your sales force deliver your product to your customers.

It allows your sales and marketing departments to understand the timelines of production.

This knowledge will let them know when a product order can be delivered and if the amount can be fulfilled in the timeline requested by the customer. There will be no more over or under promising of delivery dates to customers.

Put trust in the documents, not the person. No one person should be trusted with remembering processes without documenting them. What if this employee quits or becomes ill and is unable to return to work?

For example: You have an employee that works in your IT department. This employee’s job is to monitor and resolve any network related issues. While doing his daily tasks, he discovers it’s time to change the passwords on the business networking equipment such as the router, managed switches and domain admin password.

While the employee doesn’t think twice about it and may have mentioned it to his manager, there was nothing ever documented. Now, four months later, the employee falls very ill and is unable to return to work. What do you do?

The best way to document your business processes is to document them in such a way that all contributing employees have access.

You could use online tools such as Google Docs or Microsoft SharePoint. This way, whenever a process is changed, amended, or removed, the documentation is instant and available for all to see.

After a while, you will have an impressive collection of documented procedures. Having documented information available for employees to read can also start the flow of constructive questions and comments why things are done a certain way and how they can be improved.

If you have questions or you’re looking for suggestions on documenting your processes, call Tech Experts at (734) 457-5000.

Data Breaches And The Building Blocks Of Cyber Security

May 27, 2015

The data breaches at Target, Home Depot, Staples, Michaels, Anthem, and Sony Pictures Entertainment are just the tip of the iceberg and the stakes are very high. They’re costly for both businesses and customers and once the breach is announced, customers often terminate their relationship with that business.

You may ask, “What constitutes a data breach?” It is an event in which an individual’s information, including name, Social Security number, medical record and/or financial record or debit card is potentially put at risk. This can be in either electronic or paper format. The data set forth in this article is based on Ponemon Institute’s “2014 Cost of Data Breach Study.” Ponemon conducts independent research on privacy, data protection and information security policy.

New methodologies developed by the National Institute of Standards and Technology (NIST) and other industry standards bodies, such as the Department of Health and Human Services (HHS), are being implemented by many organizations, but best practices for addressing cyber security threats remain vague.

So what can be done to minimize cyber security threats? An effective starting point is to focus on the following essential building blocks of any cyber threat defense strategy.

Most organizations rely on tools like vulnerability management and fraud and data loss prevention to gather security data. This creates an endless and complex high-volume stream of data feeds that must be analyzed and prioritized. Unfortunately, relying on manual processes to comb through these logs is one of the main reasons that critical issues are not being addressed in a timely fashion.

Implementing continuous monitoring, as recommended by NIST Special Publication 800-137, only adds to the security problem as a higher frequency of scans and reporting exponentially increases the data volume. Data risk management software can assist organizations in combining the different data sources, leading to reduced costs by merging solutions, streamlining processes, and creating situational awareness to expose exploits and threats in a timely manner.

One of the most efficient ways to identify impending threats to an organization is to create a visual representation of its IT architecture and associated risks.

This approach provides security operations teams with interactive views of the relationships between systems and their components, systems and other systems, and components and other components. It enables security practitioners to rapidly distinguish the criticality of risks to the affected systems and components. This allows organizations to focus mitigation actions on the most sensitive, at-risk business components.

Effective prioritization of vulnerabilities and incidents is essential to staying ahead of attackers. Information security decision-making should be based on prioritized information derived from the security monitoring logs. To achieve this, security data needs to be correlated with its risk to the organization. Without a risk-based approach to security, organizations can waste valuable IT resources mitigating vulnerabilities that, in reality, pose little or no threat to the business.

Lastly, closed-loop, risk-based remediation uses a continuous review of assets, people, processes, potential risks, and possible threats. Organizations can dramatically increase operational efficiency. This enables security efforts to be measured and made tangible (e.g., time to resolution, investment into security operations personnel, purchases of additional security tools).

By focusing on these four cyber security building blocks, organizations can not only fulfill their requirements for measurable risk reporting that spans all business operations, but also serve their business units’ need to neutralize the impact of cyber-attacks.

These methodologies can also help improve time-to-remediation and increase visibility of risks.

The Importance Of Centralized Storage

March 26, 2015

Do you know where all of your data is? Is the file you’re looking for saved to workstation-01 or workstation-12? What happens when a user deletes a file you need from their workstation? What happens if your workstation dies?

If you’re a business owner or manager and have trouble answering those questions, centralized storage of your data may be your answer.

You can remove the stress of accidental deletions, have direct mapped access to your files, secure your data from intrusion and, most importantly, make it easy and simple to back up your data.

Centralized storage can include an external hard drive, USB flash drive, NAS (Network Attached Storage) device, cloud environment, or storage on a server. The best method is determined by your business structure.

Smaller businesses may opt for simple external devices attached to a workstation or a NAS device to save and back up their data. Simple external devices such as larger-sized USB flash drives and external hard drives are a low-cost solution.

NAS devices cost more, but they are useful additions to business networks. Most mid-ranged NAS devices offer raid levels 0, 1, and 5, so they can be customized for speed or data protection.

Some NAS devices are running a server-style operating system that will integrate into your existing AD. This will offer additional security features over a simple external hard drive or USB flash drive.

Businesses and home users that opt for the simple and least expensive method need to be very diligent about their data. Smaller devices are more susceptible to theft and damage.
They also tend to have shorter lives than other more costly methods. Should you go this route, make sure you maintain backups of your data and immediately replace your device at the first sign of possible hardware failure.

Data recovery from a simple solution device may not always be possible and it can become very costly to try.

Larger businesses will want to opt for on-site storage with network drives and backup solutions in place. Or they may want to invest in the cloud for a storage. Most medium-to-large scale businesses already have some form of a network server and backup in place, so all that may be needed is additional hard drive space or the creation of folders to house data.

You may also want to install a dedicated server for just data storage and possibly to handle your printing management. Cloud-based storage can be costly depending on the amount of data that needs to be stored, the security level, and the number of simultaneous connections to your data.

Cloud-based methods tend to be best as a secure backup option, but can be used for raw storage. With web-based access, all your employees need is an Internet connection to access their data.

Both on-site server storage and cloud storage offer strong backup options, the ability to restore deleted files, ease of access from off-site locations, and the sharing of files and folders across a wide area.

Whether you choose to go with a low-cost simple solution or a more robust solution, centralized storage brings peace of mind that your data is accessible and secure.

Your business will become more efficient and streamlined just by maintaining your data in one easy-but-secure location for your employees to access.

For more information about implementing centralized storage in your business, call the experts at Tech Experts: (734) 457-5000.

(Image Source: iCLIPART)

Is My Business Data Safe in the Cloud?

January 20, 2015

One of the newest business technologies is “the cloud” that more and more people are using. It’s an elusive term that is difficult to pin down, and it is precisely that vagueness that inspires fear in those who are considering transferring sensitive business data to it.

The cloud, however, isn’t as mystifying as you may think, and, if you use an online data drive or social media, you are already using it. Simply put, the cloud consists of networks of servers worldwide that are capable of storing information.

The primary benefit of using the cloud for business is that it eliminates the cost and hassle of purchasing and maintaining a physical server. Also, employees don’t have to waste time downloading and running applications and programs when they can pluck what they need from the cloud and virtually put it back when they are done. While this all sounds well and good, the question remains, “Is business data safe in the cloud?”

The Human Factor In Network Security

December 12, 2014

As you’re aware, disaster can manifest in many forms. In the past, we have included articles about weather-related events and how to best prepare your business against disasters.

However, there is another type of disaster that’s unlike flooding or fires that can also have devastating effects on your business.

The Human Factor
When it comes to safeguarding your business both physically and virtually, you have the power and controls available to give the edge against company espionage, cyber-attacks, or absent-minded employees.

It comes down to three basic areas: Software, Hardware and People. Once you have a firm grasp and control over these areas, you will have reduced your risk level considerably.

Software
Make sure all of your company’s electronic devices – from company-owned smart phones, tablets, laptops, workstations and servers – are running anti-virus and have a firewall in place.

While some devices are easier to secure and manage than others, this is a critical area, so be sure to make the best attempt to cover all your devices.

Be certain that your data storage devices are running backups and the backups are indeed good. As an added form of protection, encrypt your data being stored, making sure you save the key offsite as well.

That way, if your data is comprised either through internal access or external, it will become very difficult to use the data that was stolen.

The size of your company and the amount of sensitive data you have will dictate the frequency of your backup schedule. Remember, it never hurts to be overprotective when it comes to your data.

Hardware
Have security/firewall devices in place. Make sure they are fully configured for your business and that the firmware is up to date.

A lot of security devices add increased measures through the firmware updates.

They often have the ability to fully lock down your internal network as well. Restrict Internet access to only websites necessary for your business operations.

If your business offers Wi-Fi access for either internal use or guest use, make sure that controls are in place to limit access to your company’s internal network. The best precaution is to place the guest Wi-Fi on a completely separate network.

While Exchange mail servers can increase overhead, they will also add a level of increased security to combat against viral infections being delivered via email and attachments.

I’m sure everyone is well aware of Crypto-Locker and its variants. The majority of Crypto-Locker infections were delivered through infected PDF files sent as attachments.

People
By nature, humans are (and will always be) the most random aspect to safeguard your business from. It is vital that you run full background checks on any employee that will be given access to sensitive data or hardware.

Restrict the use of portable media such as flash drives and external hard drives while employees are working on or in the server room. Some companies may go as far as banning all portable media devices entirely.

Be proactive in actively monitoring your employees and watch for any changes in behavior, appearance, attitude and tone of speech. These can all be signs something is wrong.

If you have questions or you’re looking for suggestions, call Tech Experts at 734-457-5000, or email us at info@mytechexperts.com.

(Image Source: iCLIPART)

IT Policies Companies Under HIPAA Regulations Must Have

November 30, 2014

HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health act) have been around for quite some time. Even so, many companies covered by these laws are way behind when it comes to implementation. When you really think about it, even companies not covered by these laws should have the requisite policies and procedures in place.

Access Control Policy
How are users granted access to programs, client data and equipment? Also includes how administrators are notified to disable accounts.

Security Awareness Training
Organizations must ensure regular training of employees regarding security updates and what to be aware of. You must also keep an audit trail of reminders and communications in case you’re audited.

« Previous Page