TechTidBit – Tips and advice for small business computing – Tech Experts™ – Monroe Michigan

Brought to you by Tech Experts™

Tips

When Nature Strikes – Is Your Ark Ready to Float Your Business to Dry Land?

October 31, 2014

Scott Blake is a Senior Network Engineer with Tech Experts.

Flooding can strain the resources of even the most well-equipped organizations. Natural disasters give little warning to companies, so preparing for the disaster is the only way to reduce the high cost of rebuilding.

Have a plan ready and in place
Disaster recovery plans are now becoming a requirement for many industries. To be prepared, businesses need to locate and define the regulatory requirements of their individual industry. In addition to reducing hardware damage and data loss, this will help avoid fines, penalties or negative press associated with noncompliance.

The health care industry has begun to require that hospitals have a recovery plan in place. The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) sets standards for operating a health care organization and evaluates the industry to ensure that these standards are met. Documented and field-tested recovery plans for theft, vandalism, loss of critical data, provision of emergency power, and file and flood recovery are now required.

Trying to implement or even design a plan while in the middle of a disaster will only lead to a less than successful recovery. Make sure your team is ready for action and everyone knows what to do. It’s better to be overprepared than have a plan with holes that will sink your business.

Your data: Make sure you have it
Back up your data regularly. Manage a duplicate copy of all data, programming, and company processes at a different physical location or in the cloud. That way, you can continue working at a secondary location if your system crashes.

One way to do this is to keep copies of all your data, programs, bare metal backups and virtual machines in data centers in other states or in some cases different countries.

Tech Experts offers encrypted, HIPAA-approved, online backup of your files, documents, folders and databases. If you require bare metal backups or the ability to convert your server into a virtual machine to keep afloat until replacement hardware is in place and running, Tech Experts also offers devices that can fulfill that requirement.

Treat your data like your money
Keep it safe and keep a lot of it.

Power: Must have it
An uninterruptible power supply (UPS) and a generator provide consistent backup power for your business if power lines go down. Make sure you routinely test and service them to ensure they’re working correctly.

Electrical components, including service panels, meters, switches, and outlets, are easily damaged by flood water. If they are underwater or come in contact with water for even short periods, they will probably have to be replaced. Make sure all of your computer systems, including servers, workstations, backup devices, and UPSs, are up off the floor. Servers, backup components and UPSs should be at least four feet off the floor.

Another problem is fires caused by short circuits in flooded areas. Raising electrical system components helps you avoid those problems. Having an undamaged, operating electrical system after a flood will help you clean up, make repairs, and return to your property with fewer delays.

Good relationships with vendors, customers and partners
Create strong relationships with your partners, vendors and customer base. In good times, they will give you access to new ideas, technologies, and business opportunities. During a crisis, they’re a security blanket with teams of people who know your business model and have resources to help you rebuild.

Insurance: Business is life
Floods and water damage are expensive. Business insurance is crucial and it’s not only for physical property. The right kind of insurance will replace lost income as well. Make sure your business insurance policy is up to date and has the correct coverage to support your business in crisis mode.

If you have questions or you’re looking for suggestions on prepping your business for recovery, call Tech Experts at 734-457-5000.


Summer Travel Laptop Tips

August 22, 2014

If you’re traveling with your laptop, you may need to carry a few accessories. These include adapters, surge protectors, converters, wireless Internet cards, Ethernet cables and a high-quality carrying case.

Power supply
If you’re traveling overseas, you need to consider possible international voltage differences and plug sizes and shapes. While the United States and Canada both use 110-volt electricity, the rest of the world runs on 220-240 volts.

Fortunately, most laptops can comfortably run on both voltages; however, check your computer label or owner’s manual to be on the safe side. If it runs on 110 only, you will need a converter.

You will also likely need an adapter so your plug can fit into the local outlets. Most countries have one or more adapters that are unique or that they share with a few close neighbors.

Surge protection is critical while traveling, particularly if you are traveling to a country where electricity is not reliable. You will need a surge protection electrical strip for whichever voltage you will be using, bearing in mind that surge protectors for 110 and 220-volt currents cannot be interchanged.

Internet connection
Most hotels offer either wireless or high-speed Internet. You may want to call ahead and find out what is available.

Many hotels will provide a Wi-Fi connection, which is helpful, since your laptop has its own built-in wireless network adapter that can search out the nearest wireless signal. Remember to ask for the hotel’s signal password at the front desk. You can also buy a wireless notebook card, if your laptop does not have an internal wireless network adapter. This would also be helpful for connecting to the Internet in Wi-Fi hotspots in airports, libraries and coffee shops.

Some hotels will require that you plug into their Internet connection using an Ethernet cable. You should bring your own cable just in case one is not supplied to you by the hotel.

Extras
Your computer will more than likely take a few hits while you move around, so a sturdy padded carrying case could save you a lot of frustration and money.

You might also want to bring along a device onto which you can back up your work, just in case the hard drive crashes. An extra laptop battery might also come in handy, along with screen cleaners.


Ten Ways To Minimize Workplace Interruptions

July 31, 2014

You may be trying hard to practice your organizing techniques but still manage to complete only a few of your tasks at the end of the day. It may be due to uncontrolled workplace interruptions.

We suggest ten ways to minimize interruptions in the workplace without sacrificing your role of being accessible and available to co-workers and clients:

1. Use your voicemail when you are doing something important that needs your uninterrupted attention and concentration especially with a deadline. Schedule a time to respond to your messages.

2. Instead of checking your email every few minutes and responding immediately to each email, set a schedule on which times of the day you should read and respond to email messages.

3. If you are someone whom your co-workers often ask for company policies or procedures, create an FAQ and make it accessible to co-workers.

4. When you are in charge of certain processes in the workplace such as reservations, create a procedure for the process in making requests such as an online form.

5. Clearly communicate information needs and turnaround times especially for job order requests in order to avoid unnecessary follow-ups.

6. Block out time on office calendars so you can work without interruption.

7. If you are on a tight deadline or working on something extremely important, make yourself unavailable for interruptions by working outside your office – even if it is just the empty conference room.

8. If you are able to adjust your schedule, take advantage of it, for example by starting earlier than usual or by taking a different day off and working when everyone else is off. This way, you will have fewer interruptions and you can get more work done.

9. Set certain hours of the day when you will be available to answer questions from co-workers.

10. If you are working on a project with different departments or co-workers, create a regular update meeting in order for everyone to be clearly updated with information and avoid wasting time updating each other individually.


Seven Smart Tips To Secure Your Business Network

June 30, 2014

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Hackers are constantly on the lookout for digital data they can use to make a profit, either by stealing money electronically or by selling the information to third parties.

Therefore, it is important to protect your precious data; here are seven tips to get you started:

Policies
Your staff is the front line of defense against hackers. Human error is one of the leading causes of data security breaches, so you need to have policies in place to ensure your employees are promoting the security of your network while working.

Strong passwords
People generally opt for simple easy-to-remember passwords that hackers can easily crack.

A simple “dictionary attack” (using an automated tool that tries combinations of dictionary words and numbers to crack passwords) is sufficient to uncover many passwords.

On the other hand, coming up with a complicated password and saving it to your computer as opposed to writing it down is a simple but very effective way to prevent hacks.

Multi-factor authentication
It is highly advisable to establish multiple layers of technology dedicated to security that you would apply to all your devices, including desktops, mobile devices, file servers, mail servers and network end points.

Multiple layers of security block hacking attacks and alert you to any problems beforehand so you can take the appropriate measures.

Data encryption
Encryption is yet another great security tool that you can use to protect your data. For instance, if your hard disk is stolen or your USB drive is lost, anyone trying to access your data would be unable to read it if it is encrypted.

Backup
Security makes up half of your data protection, while a proper backup strategy makes up for the other half.
Even with great security, you need to be able to recover your data if you have a failure. Back up often, and remember to test the backup regularly.

Audit
You need to identify the vulnerable areas of your network or which data needs to be protected.

Your entire IT infrastructure, including your computers, mobile devices and network should be audited by a professional IT specialist to determine the appropriate steps to prevent hackers from accessing your data.

Managed services
Managed services are an alternative and highly-effective approach for achieving the best possible security, including backup and recovery.

Many small businesses are unable to adequately meet the daunting and expensive task of securing their data.

With a managed-service provider specialized in data security, you get the benefit of professional services and skills without having to hire an in-house security expert, thus cutting on costs. In addition, you get access to the latest security technology and support professionals.


Advice For Small Business Owners Overwhelmed By Technology

June 30, 2014

Scott Blake is a Senior Network Engineer with Tech Experts.

A recent study by Brother International Corporation and SCORE found that 64 percent of small business owners feel overwhelmed when it comes to technology, because they have limited resources in information technology (IT).

Surprisingly, this isn’t related to a lack of financial resources, but rather this is due to the fact that many of them do not have the proper technological guidance.

Most of them have no dedicated IT support, and 59% of the survey participants said there are insufficient resources available in small business communities to help them.

Keeping pace with tech trends
According to the study, mobile devices are the most important piece of technology for their businesses, because mobile technology allows for easy and quick reach as well as easy access to documents, regardless of where they are.

Customer Relationship Management (CRM), social media and cloud services are also among the tech tools that small business owners find necessary in running their businesses. Forty-nine percent (49%) of business owners consider tech-related investments as their top priority.

However, about half of them are hesitant to invest in it too quickly without a good ROI (return on investment), while the other half are concerned that failing to invest in technology gives their competitors an advantage.

Solutions
Outsourcing IT is one alternative for small businesses to take advantage of technology without heavily investing in it.

Social media is also a convenient tool that many IT service providers use to provide tech support to their clients, while office technology products are becoming more user-friendly.

Another important step that small businesses must take as far as IT is concerned is to identify and outline their business processes.

This makes it easier to sort through the best technology to meet their business needs. It also eliminates the frustration experienced at the endless pitches small business owners get from vendors and solution providers that do not even understand their business goals.

Recommendations
When you understand your business processes, you can easily determine the technology that you need or don’t need.

Take advantage of the tools available to help you understand the channels that are driving your business, including apps like Google Analytics. Finally, when using consumer apps for your business, go for the business options as they usually offer more security options and tech support.


Most Commonly Used IT Acronyms and Their Meanings

April 29, 2014

CPU (Central Processing Unit)
The CPU is the computer ‘brain’ and its most important element. It interprets and executes most of the commands from the computer’s hardware and software.

RAM (Random Access Memory)
RAM may be compared to a person’s short-term memory. It is the place where the operating system, application programs and data in current use are kept so they can quickly be reached by the processor.

GHz (Gigahertz)
GHz describes the frequency cycles and is used when discussing computer performance, usually the clock speed of the CPU. A CPU with a higher clock speed can process data faster. One GHz means 1 billion cycles per second.

Gigabyte
A gigabyte (GB) is equal to approximately a billion bytes and is a measure of computer storage capacity that could be used to describe disk space, data storage space, or system memory.

Megabyte
A megabyte (MB) is a measure of computer storage capacity and is equal to approximately a million bytes. Most PCs have storage in gigabytes, not megabytes.

32/64 BITS
32-bit and 64-bit refer to the architecture that a central processing unit or operating system utilizes. Generally, more bits mean that data can be processed in larger chunks and more accurately.

Tips For Defending Against Social Engineering Attacks

March 18, 2014

by Michael Menor, Network Technician
I just got yet another email from my bank. Or, at least it looked like the bank that had issued one of my credit cards. The email included my correct name and mailing address, as well as a variety of other quality information such as the last four digits of my credit card number.

This may not seem like it is great information, but I regularly change details in my name for accounts, such as using different middle initials, including or omitting part of my first name, or using one of the three different street addresses that will get mail delivered to my home. So when someone gets it all correct, it really is a big deal to me.

According to the email, I needed to log on (yes, convenient link included) and check a fraud alert that was being issued on my credit card by my bank because of suspicious activity.

Again, this did make some sense, because this account was compromised, and I do have fraud triggers set to alert via email and text. Despite the fact that I pretty much always view these emails as suspicious, all in all, it seemed like the type of email that I might not want to ignore.

Except for the fact that the email came to a valid email address which I have never registered with this particular bank. Oddly enough, I have seen this with increasing frequency, and have received both Facebook and LinkedIn notifications with friend/connect requests – with people I actually know – but, both sent to email addresses which I have never registered with Facebook or LinkedIn.

Social Engineering?
Getting a few emails doesn’t necessarily mean I am in the middle of a social engineering attack. The catch here is that the emails contained real information that could only be gathered if someone was working it, so I tend to look a little beyond random phishing. The sender had good information.

A more recent complexity in social engineering is the use of this type of good information in an Advanced Persistent Threat (APT). In this role, social engineering is used in concert with other attack vectors. Information gathered from social engineering is used to target technical attacks, and in turn, information from technical attacks is used to help target further social engineering attacks as an attacker learns more about a set of individuals as well as the entire organization.

The availability of information from public sources like social media allows online research about specific people to be very targeted, further enabling more specific social engineering attacks.

Among the most dangerous social engineering attacks are those that also try to get targets to open malicious links or run malicious applications, potentially installing malware.

You may recognize a random external email attack that includes a virus or a malicious link. But, how would you respond to an email from your daughter’s college that appears to claim she was being ejected, or an email from a well-known pharmaceutical company that announced recently discovered potentially fatal side effects of a prescription drug that you are currently taking? Personal attacks like this which are tailored to a specific individual have become more common, and we should expect this trend to continue.

Can We do Anything About It?
Since there is no such thing as a personal firewall to help filter out attacks, the single best thing you can do to minimize the chances of a successful social engineering attack is proper awareness. At the same time, some technical controls can help. I have no “magic list” of five things to do, and I know 16 controls can look like a daunting task, but any or all of these things can help reduce the chances of a successful social engineering/phishing attack.

Even starting with one thing that you are currently not doing can help.

1. You should know that social engineering attacks exist. You should also know that attackers are interested in getting personal information as well as corporate information, and that individuals may be attacked through any phone, email or social media account – both work and personal – since personal knowledge can help make targeted attacks more successful.

2. You should be very careful about the type of information you leave in your voicemail greeting. A good default is to leave your first name, and state that you will return the call, without identifying your group.

3. “Extended absence” messages may be necessary, but should be used with care. Consider leaving a “fake” alternate contact name so that a coworker can easily identify that the call came from your out-of-office message. When you’re out and you want callers to reach “Betty Brown” for assistance in your absence, you might leave an outgoing message that says “Beth Brown” instead of “Betty Brown.” Then, when a caller asks for “Beth,” Betty will actually know that this call came as a result of your out-of-office message.

4. To help minimize the ease with which an attacker can identify valid email addresses at your organization, your email server should be configured so that it does not respond to inbound invalid addresses.

5. Make sure that corporate email addresses have little to no relationship with the employee’s user ID. Never make the name in your email address the same as the user ID you use on your internal network. If the user ID that you use to log onto your corporate network is bsmith, do not make your corporate email address bsmith(at)yourcompany.com.

6. You should be filtering attachments on your email and removing attachments with potentially hostile contents, such as executable files. Distributing Trojan horses or viruses via email is a common attack technique.

7. Be aware of company specific jargon. Anyone who uses improper or general information about your company can be regarded as an outsider. Maybe you work for Tech Experts, but everyone calls it “TE.” Using incorrect terminology is a clue that a call may not be genuine.

8. Someone who acts irate or angry and attempts to rush you through a questionable process should be regarded as suspicious. Bullying someone is a common technique to keep a target off balance.

9. Many (not all) data gathering emails come from temporary or “throw away” accounts, such as an account at Gmail or Yahoo. Your staff should be aware that there are a number of reasons an attacker would like to clearly identify valid email addresses and that your staff should consider this in all external responses.

10. Your company should not use or allow the use of external web-based email accounts through the normal course of your business. Do not let employees get used to seeing official email from such accounts (like @gmail.com instead of @yourcompany.com).

11. Your employees should know that no one from corporate IT (or anyone else) would ever call them and ask for their password. Simply put, no employee should ever divulge his or her password to anyone else. Never.

12. You should maintain an accurate and current employee directory with phone numbers. Anyone receiving a suspicious call can ask the caller who they are and consult the phone directory for the name and phone number.

13. Dispose of sensitive material in an appropriate manner. Either use an office shredder or contract with a reputable “secure disposal” company to dispose of sensitive information for you. Yes, “dumpster diving” is real, does happen and does work.

14. The Help Desk can take steps to reduce the number of invalid password resets and snooping attempts.

a. If a user calls from an outside number, the Help Desk’s first response should always be to consult a corporate phone directory for an official work, mobile or home phone number to return the user’s call. Any number not on the list should be considered suspicious.

b. The Help Desk should verify the employee’s full name, with proper spelling, phone extension, department or group. You are trying to add enough information that an attacker would have to be very prepared for the request.

c. The Help Desk should ask the caller for a number at which they can call the user back, regardless of from where the user is calling. A call from anyone who will not provide a callback number should be considered an attack.

d. You may consider having the Help Desk leave a user’s new password in the employee’s corporate voicemail. A valid user should have no trouble retrieving the password. An attacker would have to compromise the voicemail system to get access to the password.

15. If you are being asked to release or reveal something that is clearly sensitive, such as your strategic plan, passwords, pre-release earnings, source code and other such internal information, it should be automatically regarded as suspicious.

16. You should have a plan for how you will communicate internally if you identify that a social engineering attack is taking place against your company.

Does every employee get an email stating that an attack is in progress, and that everyone should exercise additional care? Who should send the email, and what is the final triggering event before a company-wide alert is distributed?
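
Item 6 above recommends filtering email attachments and removing executable files. As an added example (not part of the original article), this Python filter uses the standard library email package to drop attachments that are executable by extension or by their leading bytes; the extension list, the constructed sample message and all function names are assumptions made for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed sample policy values (not from the article): extensions that run
# code when opened on a typical Windows desktop.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi",
                      ".js", ".vbs", ".jar", ".ps1", ".lnk"}
# Leading bytes of Windows PE ("MZ") and Linux ELF executables.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def is_hostile(part):
    """True if an attachment is executable by name or by content."""
    # Windows ignores trailing dots and spaces, so "a.exe." still runs.
    name = (part.get_filename() or "").lower().rstrip(". ")
    if os.path.splitext(name)[1] in BLOCKED_EXTENSIONS:
        return True
    # A renamed executable keeps its magic bytes whatever the file name says.
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(EXECUTABLE_MAGIC)


def _filter(msg, removed):
    """Drop hostile attachments in place, descending into nested parts."""
    if not msg.is_multipart():
        return
    kept = []
    for part in msg.get_payload():
        if part.is_multipart():
            _filter(part, removed)
        else:
            attached = (part.get_filename() is not None
                        or part.get_content_disposition() == "attachment")
            if attached and is_hostile(part):
                removed.append(part.get_filename() or "(unnamed)")
                continue
        kept.append(part)
    msg.set_payload(kept)


def strip_hostile_attachments(raw):
    """Return (cleaned message bytes, list of removed attachment names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    _filter(msg, removed)
    return msg.as_bytes(), removed


def attachment_names(raw):
    """List the attachment file names present in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample():
    """Constructed test message: one document, two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Double extension: looks like a PDF in a mail client that hides ".exe".
    msg.add_attachment(b"MZ constructed, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    # Harmless-looking name, but the content starts with the PE magic bytes.
    msg.add_attachment(b"MZ constructed, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_hostile_attachments(build_sample())
    print("removed:", removed)
    print("kept:", attachment_names(cleaned))
```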

Conclusion
A good social engineer can extract sensitive internal information very quickly, and can then help ensure they make the best use of that information to further additional attacks.

Knowing this, you should understand that a social engineering attack can happen at any time. They don’t happen because you have poor security, they happen because someone else decided you were a target.


Tech Tips For The Road Warrior

March 18, 2014

Traveling is rarely guaranteed to go smoothly, but there are at least a few travel headaches that can be kept at bay thanks to technology. If you know how to make use of it in the proper manner, technology can increase your likelihood of having a positive experience on your next vacation.

One good tip is to use tech to keep updated on your flight status. Flights are commonly disrupted for one reason or another, and delays and cancellations can be tough to keep up with. Many airlines today, however, enable you to track your flight status via a website or app, so if you own a smartphone you can stay updated on what is happening with your flight no matter where you are. If an app is offered by your airline for this purpose, be sure to download it and ensure your smartphone has been fully charged before you set off to the airport.

Translation apps are another good idea if you are jetting off to foreign climes. Many translation apps on tablets and smartphones are free of charge, and also have voice recognition software, meaning that communicating with people who speak a different language has never been easier.


What Is Green Computing?

March 3, 2014

by Michael Menor, Network Technician
Green computing is the environmentally responsible and eco-friendly use of computers and their resources. It is also known as Green Information Technology (Green IT).

Green IT aims to achieve economic viability and improve the way computing devices are used.

What can you do to make your business and home more energy efficient?

Shut Down & Switch Off
While putting a computer into a “standby” or “sleep” mode will save a lot of power, many people remain unaware that even shutting down a desktop computer completely does not turn it off.

This is because the computer’s power supply will remain physically switched on, with the motherboard partially powered and waiting for a signal from the switch on the front of the PC (which is not a main power switch) to boot up again.

To prevent a desktop computer from using power, after being shut down it must either be switched off at the wall outlet, or turned off using the small rocker switch on the back of the power supply.

A typical desktop computer uses about 8 watts of electricity an hour when shut down but not switched off.

That’s about 1 kilowatt of electricity being wasted a week for a PC turned off around 16 hours a day.

It therefore really is worth remembering that simply turning off a PC at the back or at the wall when not in use can have a major impact on energy consumption and its environmental impact.

Upgrade: Use Low Power Hardware
If you’re using an older computer, chances are that your energy costs are a lot higher than normal. With the improvement of technology, manufacturers have been able to produce more energy efficient components.

An older Dell OptiPlex desktop purchased in 2003 typically had an Intel Pentium 4 processor, a hard drive that you could hear as it accessed data, and a bulky, power-hogging Cathode Ray Tube (CRT) monitor.

At the time of its release it was state of the art and quick but by today’s standards it is an ancient dinosaur.

Technology is ever changing and these desktops can be easily replaced with faster, more energy efficient hardware. Using the Dell Optiplex as a base line, let’s compare it with today’s business desktops.

Today you will typically find an Intel Core-i3 processor, which runs faster and more efficiently, saving you on average 35% on your energy costs.

That old noisy hard disk drive (HDD) can be replaced with a Solid-State Drive (SSD). Since it has no moving parts it is virtually silent, faster and draws less power (2 to 3 watts vs. 6 to 7 watts in a HDD).

And last but not least that 50 pound CRT monitor you have on your desk can be thrown out the window and replaced with a flat-screen (or LCD) monitor.

Your typical 20 inch CRT monitor will consume about 90 to 100 watts; a 20 inch LCD monitor on the other hand only consumes a fraction of that, between 24 and 26 watts.

On average you will spend $3.29/month or $39.42/year to power one CRT monitor. Or you can opt to power an LCD monitor for $0.88/month or $10.50/year.

Average computer users can employ the following general tactics to make their computing usage greener:

• Use “hibernate” or “sleep” modes when away from a computer for extended periods.
• Use flat-screen or LCD monitors, instead of conventional Cathode Ray Tube (CRT) monitors.
• Buy energy efficient notebook computers, instead of desktop computers.
• Activate the power management features for controlling energy consumption.
• Turn off computers at the end of each day.
• Refill printer cartridges, rather than buying new ones.
• Instead of purchasing a new computer, consider upgrading your hardware components.

With all these factors in mind, doing these simple upgrades and having a “Green IT” policy in place can save you money over the long run. If you are interested in making these changes or for more information, please contact us.


HIPAA Risk Analysis And Assessment

January 17, 2014

by Michael Menor, Network Technician
The phrases “risk analysis” and “risk assessment” are becoming incredibly commonplace today. They’re littering the blogosphere, popping up in advertisements by newly-announced, so-called experts and being “webinar-ed” to death.

In reality, most people promoting these phrases don’t know what they’re talking about. They don’t know what they’re talking about, I’ve come to discover, because most people don’t understand what risk itself means.

Understand Risk To Conduct Analysis
In today’s increasingly privacy- and security-minded world, and especially in healthcare, the state of risk management of information is a mess!

This problem comes about for many reasons, including but not limited to the following:

• There is little agreement on standard terminology, approach and tools. Key risk-related terms such as assets, threats, vulnerabilities, controls, likelihood and impact are misused and sometimes used interchangeably. One does not find this kind of confusion in many other professions. All physicists know what velocity, acceleration, mass, energy, etc. mean. All accountants agree to definitions of basic terms such as debits, credits, balance sheets, assets, liabilities, etc.
• Many so-called “experts,” some recently-minted and/or self-proclaimed as such, don’t understand basic risk fundamentals.
• Most individuals do not understand that you simply can’t observe risk and that risk is a derived value.
• You simply cannot begin to conduct a bona fide risk analysis if you don’t understand what risk is and what risk is not.
• There is huge inefficiency and ineffectiveness in protecting the privacy and security of Protected Health Information (PHI) and electronic PHI (ePHI). As of October 24, 2013, the PHI/ePHI of 26.9 million fellow Americans has been disclosed, according to the HHS/OCR “Wall of Shame.” One example is the theft of laptops with unencrypted hard drives from Advocate Medical Group.

Actions To Take
First and foremost, organizations must understand some key, fundamental points about risk before they embark on completing a risk analysis. For example, I present you with five images and ask you to indicate the level of risk (high, medium, low, no risk) you observe in each image.

The images include a bald tire, the same bald tire turned into a tire swing in a backyard, a frayed rope tied to a beam, the tire swing in a tree perched over the edge of a cliff and, finally, a child swinging in the tire swing in a backyard.

What was the greatest amount of risk you observed? I would guess you “saw” high risk in more than one of the images! Some “saw” risk in all the images. Two points follow: 1) you cannot “see” risk; it must be evaluated; and 2) in reality, there is no risk in any of these images.

Here’s what happens over and over again:

• People make assumptions and make things up in risk analysis.
• People don’t understand this fundamental truth about risk – you can’t have significant risk without the potential for significant loss or harm.
• People tend to relate potential vulnerabilities (e.g., frayed rope, bald tire) with risk.
• People forget that one must consider likelihood or probabilities of bad things happening and of impact or harm.

The most important actions organizations must take if they don’t understand risk are to “train up” and/or farm out the work to experts.

And they must remember these truths:

• Risk can only possibly exist if three conditions are met: an asset like a laptop with ePHI, a threat to that asset (e.g., a thief may steal it) and a vulnerability (e.g., it is not encrypted) that may be exploited by that threat.
• For any single asset (e.g., a laptop with PHI), there may be many different threats and many different vulnerabilities; therefore, there may be many risks to be identified, assigned a value and prioritized.
• Controls may already have been implemented or may be implemented to mitigate the likelihood of a certain threat exploiting a certain vulnerability. Controls come in several forms, often categorized as administrative, physical or technical.
• Risk has an impact or harm component.
• When it comes to health information risk, the adverse impact or harm may come about if the confidentiality and/or the integrity and/or the availability of that information is compromised.
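The points above can be turned into a small risk register. The following is an added example, not part of the original article: it derives a score for each asset/threat/vulnerability triple, lets controls lower likelihood, and ranks what remains. The 1-5 scales, the likelihood × impact product, the control weights and all sample entries are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Scenario:
    """One candidate risk: an asset, a threat to it, a vulnerability the threat may exploit."""
    asset: Optional[str]
    threat: Optional[str]
    vulnerability: Optional[str]
    likelihood: int   # assumed scale: 1 (rare) .. 5 (almost certain), before controls
    impact: dict      # assumed scale per C/I/A property: 0 (no harm) .. 5 (severe)
    controls: dict = field(default_factory=dict)  # control -> likelihood points removed

def risk_score(s: Scenario, with_controls: bool = True) -> int:
    """Risk is derived, not observed: 0 unless asset, threat and vulnerability all exist."""
    if not (s.asset and s.threat and s.vulnerability):
        return 0
    harm = max(s.impact.values(), default=0)  # worst harm across C, I and A
    likelihood = s.likelihood
    if with_controls:
        # Controls mitigate likelihood; floor at 1 (assumption: none is perfect).
        likelihood = max(1, likelihood - sum(s.controls.values()))
    return likelihood * harm

def prioritize(register):
    """Return (score, scenario) pairs with nonzero residual risk, highest first."""
    scored = [(risk_score(s), s) for s in register]
    return sorted((p for p in scored if p[0] > 0), key=lambda p: p[0], reverse=True)

# Constructed register for illustration.
REGISTER = [
    Scenario("laptop with ePHI", "thief steals it", "disk is not encrypted", 4,
             {"confidentiality": 5, "integrity": 1, "availability": 2},
             controls={"locked office (physical)": 2}),
    Scenario("laptop with ePHI", "disk failure", "no backup of the data", 3,
             {"confidentiality": 0, "integrity": 2, "availability": 4}),
    # The article's bald tire: a potential vulnerability with no asset or threat.
    Scenario(None, None, "bald tire", 5, {}),
]

if __name__ == "__main__":
    for score, s in prioritize(REGISTER):
        print(f"{score:>2}  {s.asset} / {s.threat} / {s.vulnerability}")
```

The bald tire drops out of the ranking entirely, and the physical control moves the theft scenario below the disk-failure scenario even though its uncontrolled score is higher.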

