Planning

Should Your Company Install The Windows 10 Preview?

July 27, 2015

In short, no. While the Windows 10 Technical Preview is free of charge, there are too many dangers in downloading what is essentially the Beta release of Microsoft’s newest operating system.

There’s a reason why the preview is available, and it’s not to generate excitement about its coming release this fall. The preview exists for Microsoft to discover bugs and glitches that are present in this version, so they can fix them before Windows 10 officially hits the market. Unless you just enjoy being part of that process, it’s best to leave the testing to others.

It is especially important to wait for the official Windows 10 release if you only have one PC or mobile device.

Since all the kinks have not yet been worked out, you could find yourself unable to use accessories like printers or scanners if you make the premature jump into the new operating system. You also can’t be assured that the Windows 10 preview is safe for your devices, and it’s simply not worth the risk of incurring problems that can not only be costly moneywise but in the ill use of your time trying to correct any damage.

Furthermore, the technical preview isn’t complete. The features you’re looking forward to may not be included. The Spartan web browser and Holograph feature are missing from the Windows 10 preview.

So, even if the test version of the operating system functions seamlessly, you’re apt to be disappointed. Although you may be chomping at the bit to get rid of your old operating system, the wise thing to do is wait until Microsoft perfects Windows 10 and then fully explore it when it’s finally released, making sure it is compatible with your business applications.

The Basics Of HIPAA Compliance

June 30, 2015

Michael Menor is Vice President of Support Services for Tech Experts.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation that created national standards to protect the privacy of patients’ medical records (including electronic records) and other personal health information.

The legislation makes organizations and individuals who collect and manage personal healthcare data legally liable for its security, including health care providers, health plans, health clearinghouses and business associated with any of these. Consequences of negligence and misuse of private information can include civil and criminal penalties.

As a result of HIPAA, the Department of Health and Human Services created specific regulations for the handling of Protected Health Information (PHI), including electronic or digital forms (ePHI). HIPAA has two main sets of requirements related to privacy and security.

The HIPAA Privacy Rule governs the saving, accessing and sharing of health-related and other personal information, either oral or written.

This rule defines the guidelines safeguarding the confidentiality of PHI. Standards for identifying and authenticating people and organizations requesting PHI are outlined in this rule.
The HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically.

This rule primarily focuses on the technological measures used to enforce policies keeping ePHI out of the wrong hands. Failing to comply with these rules can result in penalties for not only organizations, but for the responsible individuals.

Any entity that deals with protected health information must make sure that all the required measures are established and continuously observed — physical (actual data center server access), network, and process security (audits, policies and staff training).

While the legislation is clear on the privacy, security, and accessibility requirements for organizations, over 91,000 violations were recorded between April 2003 and January 2013. These resulted in 22,000 enforcement actions (which included settlements and fines) with 521 referred to the US Department of Justice for criminal investigation.

HIPAA Compliant Best Practices
1. Review and evolve your policies and procedures. HIPAA is not a “set and forget” proposition; compliance must be a living, changing process that is regularly audited for effectiveness and legality. A lot has changed since 1996 and organizations’ policies must reflect those changes.

2. Accessibility rights are as important as rights to privacy. HIPAA gives patients certain control over their healthcare information, including the right to access it on demand and the right to revoke authorization to store their data. Organizations must act quickly when patients ask for their PHI.

3. If you store your data with a third party hosting provider, make sure that they are HIPAA compliant. The Security Rule hands down many stringent administrative, physical and technical requirements for such providers. Make sure that a full-scale risk assessment of the provider is performed on a regular basis and that a process is in place for monitoring compliance.

Apply common sense to your technology platforms. Shut down computer programs and servers containing patient information when not in use, and don’t share passwords among staff members.

The US Department of Health and Human Services has found that storing patients’ information in a HIPAA compliant cloud server can be safer than using a localized server or paper documents, so consider this option for increased security.

A HIPAA violation can be as small as a health care worker discussing a patient’s private health information in the elevator or as large as a $1.2 million fine for not erasing PHI from photocopier hard drives before returning them to the leasing agent.

More than ever, common sense and sound corporate governance must be applied to the technologies and processes that manage confidential data. Protecting that data will protect clients and the organization as well.

Data Breaches And The Building Blocks Of Cyber Security

May 27, 2015

The data breaches at Target, Home Depot, Staples, Michaels, Anthem, and Sony Pictures Entertainment are just the tip of the iceberg and the stakes are very high. They’re costly for both businesses and customers and once the breach is announced, customers often terminate their relationship with that business.

You may ask, “What constitutes a data breach?” It is an event in which an individual’s information, including name, Social Security number, medical record and/or financial record or debit card is potentially put at risk. This can be in either electronic or paper format. The data set forth in this article is based on Ponemon Institute’s “2014 Cost of Data Breach Study.” Ponemon conducts independent research on privacy, data protection and information security policy.

New methodologies developed by the National Institute of Standards and Technology (NIST) and other industry standards bodies, such as the Department of Health and Human Services (HHS), are being implemented by many organizations, but best practices for addressing cyber security threats remain vague.

So what can be done to minimize cyber security threats? An effective starting point is to focus on the following essential building blocks of any cyber threat defense strategy.

Most organizations rely on tools like vulnerability management and fraud and data loss prevention to gather security data. This creates an endless and complex high-volume stream of data feeds that must be analyzed and prioritized. Unfortunately, relying on manual processes to comb through these logs is one of the main reasons that critical issues are not being addressed in a timely fashion.

Implementing continuous monitoring, as recommended by NIST Special Publication 800-137, only adds to the security problem as a higher frequency of scans and reporting exponentially increases the data volume. Data risk management software can assist organizations in combining the different data sources, leading to reduced costs by merging solutions, streamlining processes, and creating situational awareness to expose exploits and threats in a timely manner.

One of the most efficient ways to identify impending threats to an organization is to create a visual representation of its IT architecture and associated risks.

This approach provides security operations teams with interactive views of the relationships between systems and their components, systems and other systems, and components and other components. It enables security practitioners to rapidly distinguish the criticality of risks to the affected systems and components. This allows organizations to focus mitigation actions on the most sensitive, at-risk business components.

Effective prioritization of vulnerabilities and incidents is essential to staying ahead of attackers. Information security decision-making should be based on prioritized information derived from the security monitoring logs. To achieve this, security data needs to be correlated with its risk to the organization. Without a risk-based approach to security, organizations can waste valuable IT resources mitigating vulnerabilities that, in reality, pose little or no threat to the business.

Lastly, closed-loop, risk-based remediation uses a continuous review of assets, people, processes, potential risks, and possible threats. Organizations can dramatically increase operational efficiency. This enables security efforts to be measured and made tangible (e.g., time to resolution, investment into security operations personnel, purchases of additional security tools).

By focusing on these four cyber security building blocks, organizations can not only fulfill their requirements for measurable risk reporting that spans all business operations, but also serve their business units’ need to neutralize the impact of cyber-attacks.

These methodologies can also help improve time-to-remediation and increase visibility of risks.

Risks When Employees Use Their Own Mobile Devices

February 12, 2015

BYOD (Bring Your Own Device) is an exciting development for increasingly mobile and interconnected employees, but also a new challenge for IT security teams.

Gone are the days where security professionals can lock down a finite set of machines and facilities; instead, they must manage an ever-growing, ever-changing landscape of employees, devices and applications, many of which have access to information that needs to be protected.

According to an article on eWeek, a survey was done on organizations with mobile devices connecting to their networks: only 33 percent have any official BYOD policy governing the use of personal portable devices, 67 percent do not.

The security risks are inherent in BYOD between viruses, hacking, improper security, and more. Flat-out thefts of smartphones, laptops, and tablets are also an issue.

In New York City alone, police data show that Apple products were stolen in a total of 11,447 incidents in the first nine months of 2012. That is an increase of 40 percent compared to the previous year.

Of course, employee education and awareness are important as informed users are more likely to act responsibly and take fewer risks with company data. Unfortunately, employees can be careless and criminals crafty, which is why network security defenses and policies are so critical.

Although implementing a restrictive device policy may feel like the most secure approach for your company, it can easily backfire.

Your craftiest employees are going to find a way to connect their devices to your network no matter what. And employees who do obey your “no iPhones” message will probably resent the policy and experience lower productivity.

Today’s workers expect to have 24/7 access to their information. They want to be able to catch up on emails on the evening train ride home or access information while away from the office.

BYOD lets IT staffs eliminate the hassle and expense of provisioning, distributing, and maintaining hundreds of corporate-owned mobile devices.

But setting up a BYOD program isn’t without its challenges. For starters, when you give employees free rein to bring in their own devices, you put your corporate documents and data at the mercy of the native security on these devices.

When you consider that many of your employees probably have “1234” as the PIN on their iPhones, that’s a pretty sobering thought.

Another major concern is your network. When you allow today’s increasingly powerful smartphones and tablets to request resources from your network, you really put your infrastructure to the test.

Are you ready to serve data instantly to hundreds of increasingly powerful hand-held mobile devices?

What if your mobile employees want to watch training videos, play back webinars, or listen to conference call recordings on their devices – can you deliver this kind of bandwidth?

Like most things, there are upsides and downsides, but a decision should be made on what best suits you, your employees, and your business.

When it comes down to it, BYOD isn’t a completely ridiculous idea. In fact, the benefits of BYOD may be worth the extra security precautions required to implement it.

(Image Source: iCLIPART)

Remote Employees And Network Connections

February 12, 2015

Scott Blake is a Senior Network Engineer with Tech Experts.

As businesses begin to downsize their ecological footprint, the need for remote or satellite employees grows. Business leaders and owners are now faced with the daunting question on how to allow remote employees access to their existing network without compromising network security.

One of the best ways to accomplish this is through the use of VPN.

VPNs allow secure access to business resources by creating encrypted pass-throughs via the Internet. The Internet, combined with present-day VPN technology, allows businesses a low cost and secure means to extend their networks to their remote employees.

The two most common methods in which to set up remote access are IPsec (IP Security) or SSL (Secure Sockets Layer). Both methods work well and both have their advantages depending on the needs and size of your business.

VPNs created using SSL technology provide remote-access connection from almost any Internet-enabled location or device using a web browser interface.

No special client software needs to be preinstalled on either device. This makes SSL VPNs a true “anytime, anywhere” connection to company-managed desktops.

There are two different SSL VPN connections to choose from: clientless and full network access.

Clientless requires no special software. All traffic is transmitted and delivered through a web browser.

There is no need to install or download any unique software to establish the connection. With clientless access, only web-enabled programs and apps are able to be accessed, such as email, network file servers and local intranet sites.

Even with such limited access to network resources, this style of connection is well-suited for most businesses. c868266_m

Additionally, because there is no need for special software to be supported by the IT department, businesses can cut down on managed overhead.

A full network access VPN allows access to almost any program, application, network server, and resource connected to your business network. Unlike clientless access, full network access connection is made through the use of VPN client software. Because the client access software is dynamically downloaded and updated, it requires little or no desktop support.

As with clientless access, you have the ability to customize each connection based on employee access privileges. If your remote employees require the full functionality of installed programs and applications as if they were sitting inside the office building, utilizing a full network VPN connection is the obvious choice.

IPsec based VPNs are the staple of remote-access connection technology. IPsec VPN connections are created by using installed VPN client software on the user’s workstation and connecting device.

Client software allows for greater customizability by modifying the VPN client software. Businesses are able to configure and maintain the appearance and function of the VPN client, which allows for easier implementation for connections with other desktops, kiosks, and other special need cases.

Many businesses find that IPsec connections meet their requirements for the users, but the advantages of self-updating desktop software, accessibility from non-company managed devices, and customizable user access make SSL VPNs a front runner for remote-access connections to your office.

If you have any questions or would like more information about how a VPN can help your company, you can reach Tech Experts at (734) 457-5000.

(Image Source: iCLIPART)

Tips For Your Next Tablet Purchase

February 12, 2015

Now that tablets have become ingrained in the techie lifestyle, it’s hard to believe the first Apple iPad arrived on the scene just four years ago. In the time that has passed since then, tablet sales and development have skyrocketed.

Consequently, there is a much larger variety to choose from today than just a single brand and its incarnations.

For those looking to upgrade their tablet or try one out for the first time, navigating the sea of tablet possibilities can be a daunting prospect. Here are a few tips to demystify your purchase choices:

Choose the right operating system for you: Apple’s iOS gets the most attention by far, likely due to its length of time on the market, general ease of use, and plethora of applications available for download.

Android’s OS is also competitive in the availability of apps, and it merges seamlessly with all of Google’s applications.

Finally, the Windows OS is growing in popularity with users looking for a PC-like experience and aren’t as concerned about installing various applications.

Get enough storage and a screen size you can work with: Just as if you were PC shopping, a huge concern is having enough space to store your files and a screen that is easy to read.

After all, it’s no fun squinting to decypher text or choosing which applications to keep or ditch due to insufficient storage space.

Also, consider the screen resolution when choosing between models – it can be equivalent to the difference between a regular television screen and HD.

Decide if a WiFi only or cellular version fits your needs: There are two ways you can get online with a tablet – connecting via WiFi networks around you or using cellular service to gain entry.

WiFi only versions are typically cheaper, and you always have to option of turning your smartphone into a hotspot for on-the-fly connections. A cellular version is a tad pricier and requires additional service fees, but the advantaage is you will always be able to get online wherever you go.

(Image Source: iCLIPART)

Is Budget A Good Metric For Security?

January 20, 2015

Is budget a good metric for security? In other words, if an organization wishes to improve its security, is spending more money an appropriate response? Furthermore, how can an organization ensure that any additional budget it allocates to security is spent wisely?

Talking about an organization’s security program in terms of its budget is something we are quite accustomed to. We often hear people discussing security spending in the context of evaluating an organization’s security posture.

For example, it’s not uncommon to hear statements such as “In an effort to improve its security, the organization has increased its security budget by 30%.” Of course, it goes without saying that a sufficient budget is necessary to accomplish anything.

Additionally, and perhaps quite obviously, it is important to note that larger organizations will need larger budgets to achieve the same level of execution.

What seems to be missing from the discussion, however, is the answer to a slightly different question: Does the organization spend its budget effectively?

A proper budget is indeed necessary, but it’s equally important how the budget is spent. Not every dollar spent will have the same impact on security posture.

Sometimes, we think about budget in a backwards manner. Oftentimes, clients say things like “I need a firewall,” “I need an IDS,” or “I need a DLP solution.”

The security organization will then communicate the business’ need for each of these requirements to the executives and make the case for the required budget accordingly.

If a new requirement arises down the line, the client will request more budget, which it may or may not receive.

The issue with this approach is that a security organization’s respective security programs are not tasked with things like “buy a firewall.”

Печать Just purchasing a network firewall will not stop an attacker from walking into your organization and physically plugging his computer into your network.

Maintenance and having the proper security policies in place is as equally important as having the appropriate equipment.

Take a look at this perspective. You never buy a car just to drive it around aimlessly. It involves proper maintenance and there are always risks that need to be identified each time you’re driving.

You need to mitigate, manage, and minimize risks and that’s essentially what the security organization does. Those risks can then be broken down into realistic and attainable goals and priorities.

Once we look at that list of goals and priorities, we soon realize that we have a framework in which to build our security operations. It is into this framework that we can drop all of our operational requirements.

Each goal generates a set of operational requirements and these spell out the peoples, processes, and products required to meet that specific goal.

It’s worth noting that each operational requirement may take one or more products to address. Similarly, each product may address one or more operational requirement.

While keeping that in mind, it’s possible to quickly build a matrix that will allow security organizations to map and optimize the products that best address the operational requirements.

It will take some time to transform budgetary discussions from product-centric to operation-centric.

However, as executives and boards see the direct correlation between increasing budget and improved security posture, they will be more likely to approve future budgetary increases.

So, getting back to the original question: Is budget a good metric for security? I would say that budget is not a metric at all, but rather a means to address operational security requirements.

(Image Source: iCLIPART)

What You Need To Know About Network Security Devices

January 20, 2015

With cyber hacking, identity theft and malware programs on the rise, it’s become even more important to protect your business networks from cyber invaders. One of the best ways to accomplish this is through the use of network security devices and installed anti-virus software.

Security devices attached to your network will act as a front line defense against threats. It behaves as an anti-virus and anti-spyware scanner and a firewall to block unauthorized network access.

It also acts as an Intrusion Prevention System (or IPS, which will identify rapidly spreading threats like zero day or zero hour attacks) and a Virtual Private Network (VPN), which allows secure access via remote connections.

Security devices come in four basic forms: Active, Passive, Preventative and Unified Threat Management (UTM). Active devices with properly configured firewalls and security rules will be able to block unwanted incoming and outgoing traffic on your network.

Passive devices act as a reporting tool that scans incoming and outgoing network traffic, utilizing IPS security measures. After reviewing these reports, the Active devices can be adjusted to close any detected security holes.

Finding and correcting possible security concerns is accomplished through the use of Preventative devices. These devices scan your network and identify potential security problems.

They will generate a detailed report showing which devices on your network need improved security measures.

UTM devices combine the features of Active, Passive and Preventive devices into one compact device. UTM-enabled devices are the most commonly found security device in small and medium-sized businesses.

By incorporating all the features into one device, your network administrator is able to more easily manage and maintain the security of your network. This greatly reduces overhead to your business.

Many businesses think they know what security measures need to be in place. Often, security professionals will find basic or home-class routers installed in companies.

While the upfront cost of the home-class router is lower than a business-class security device, the fact of the matter is that the home-class routers don’t offer the features and security a business needs to protect their network.

Companies electing to use home based devices run a much higher risk of finding themselves the victims of cyber attacks.

Information security. Shield covers laptop Before purchasing any security device, it’s best to consult with a security professional. Have penetration tests performed and a vulnerability assessment report generated.

The report coupled with the advice of the security professional will guide you in determining what device is best for your network and business.

The benefits to having a proper and professionally-installed security device in place include protection against business disruption, meeting mandatory regulatory compliances, and protection of your customers’ data, which reduces the risk of legal action from data theft.

Along with the proper security device in place, you also want to make sure every device on your network is running a robust anti-virus program.

Managed anti-virus platforms are best for any business. Your network administrator can manage, update, scan and remove any threats found on any system attached to the network. This greatly reduces overhead and employee interruption.

For professional advice on security device installation, anti-virus solutions, or if you’re interested in network penetration testing, call Tech Experts at (734) 457-5000.

(Image Source: iCLIPART)

The Human Factor In Network Security

December 12, 2014

As you’re aware, disaster can manifest in many forms. In the past, we have included articles about weather-related events and how to best prepare your business against disasters.

However, there is another type of disaster that’s unlike flooding or fires that can also have devastating effects on your business.

The Human Factor
When it comes to safeguarding your business both physically and virtually, you have the power and controls available to give the edge against company espionage, cyber-attacks, or absent-minded employees.

It comes down to three basic areas: Software, Hardware and People. Once you have a firm grasp and control over these areas, you will have reduced your risk level considerably.

Software
Make sure all of your company’s electronic devices – from company-owned smart phones, tablets, laptops, workstations and servers – are running anti-virus and have a firewall in place.

While some devices are easier to secure and manage than others, this is a critical area, so be sure to make the best attempt to cover all your devices.

Be certain that your data storage devices are running backups and the backups are indeed good. As an added form of protection, encrypt your data being stored, making sure you save the key offsite as well.

That way, if your data is comprised either through internal access or external, it will become very difficult to use the data that was stolen.

The size of your company and the amount of sensitive data you have will dictate the frequency of your backup schedule. Remember, it never hurts to be overprotective when it comes to your data.

Hardware
Have security/firewall devices in place. Make sure they are fully configured for your business and that the firmware is up to date.

A lot of security devices add increased measures through the firmware updates.

They often have the ability to fully lock down your internal network as well. Restrict Internet access to only websites necessary for your business operations.

If your business offers Wi-Fi access for either internal use or guest use, make sure that controls are in place to limit access to your company’s internal network. The best precaution is to place the guest Wi-Fi on a completely separate network.

While Exchange mail servers can increase overhead, they will also add a level of increased security to combat against viral infections being delivered via email and attachments.

I’m sure everyone is well aware of Crypto-Locker and its variants. The majority of Crypto-Locker infections were delivered through infected PDF files sent as attachments.

People
By nature, humans are (and will always be) the most random aspect to safeguard your business from. It is vital that you run full background checks on any employee that will be given access to sensitive data or hardware.

Restrict the use of portable media such as flash drives and external hard drives while employees are working on or in the server room. Some companies may go as far as banning all portable media devices entirely.

Be proactive in actively monitoring your employees and watch for any changes in behavior, appearance, attitude and tone of speech. These can all be signs something is wrong.

If you have questions or you’re looking for suggestions, call Tech Experts at 734-457-5000, or email us at info@mytechexperts.com.

(Image Source: iCLIPART)

Don’t Forget Your End-of-Year Data Backup

December 12, 2014

In a ritual akin to spring cleaning, computer users far and wide are backing up their data en masse. Although backing up your vital data is a wise idea to prevent the loss of important documents during crashes or even computer theft, it often goes undone.

By the end of the year, however, an amazing amount of data would have been stored which may slow computers’ performance. This is a silent reminder to clean out the cobwebs and back up the files you want to keep.

There are various ways to back up your data, and one is readily available right on your PC. Windows users can access backup tools by pressing the Start button, typing “backup” in the search area, then clicking “Backup and Restore.”

This allows users to back up files instantly. Similarly, Mac users can open the System Preferences menu and select Time Machine. It will promptly perform backup tasks with the selection of the appropriate disk to store the files.

However, the aforementioned tools on your PC or Mac, don’t address more complex situations where your computer may be completely damaged or lost.

Therefore, it is also advisable to back up important documents, such as financial records or critical documents or emails, on a separate device.

If you depend solely on your computer’s backup system, your backed up data is vulnerable to the same threats that can damage the whole computer.

There are various data storage solutions on the market. The more expensive ones offer extra features, but the main factor to consider is the data storage size that you will need to have on the device.

Alternatively, simply upload your most important data to cloud storage, which can also be automated for future backups.

Other computer users prefer to back up data on an external USB device and keep it in a safe place.

It would also be best to automate your backups based on a recurring schedule that takes into consideration the particular files/folders that change often and/or are the most critical and include them in the backup set.

If you require assistance in figuring out the most appropriate automated backup solution for your home or business, give us a call at (734) 457-5000 and one of our technicians will be glad to help.

« Previous Page