WRCC Ambassadors On The Move

The Worcester Regional Chamber of Commerce (WRCC) Ambassadors visited the Worcester County Food Bank (WCFB) Wednesday, April 5th; many brought donations, but all were there to learn about the WCFB, its purpose, and its partnership with the WRCC.

The WCFB’s mission is “To engage, educate and lead Worcester County in creating a hunger-free community.” As one of four regional centers across Massachusetts, the WCFB last year distributed 6.3 million pounds of food to 128 partner agencies, which provided 5.3 million meals to 89,000 people in need throughout the 60 cities and towns of Worcester County.


The WRCC partners with the WCFB through the Worcester Regional Food Hub, a Commercial Kitchen Incubator to enhance and support food-producer networks, workforce-development programs, and local small businesses.

Our tour of the clean, 37,000 square foot warehouse was conducted by Jean McMurray, Executive Director, who described their efforts to keep a stable, continuous supply of food while advocating for the elimination of hunger in Worcester County.

Gavin Livingstone, Chair of the WRCC Ambassador Committee, and Cathy Livingstone, WCFB Board of Directors member – joint-owners of Bryley Systems Inc. – organized and attended this event.

5 Steps to Avoid Ransomware

Coffee in hand, you’re preparing to read through your new emails as you start your day. You anticipate a productive day today. Yesterday you stayed 3 hours late to complete your big presentation, 2 days ahead of schedule, and you’re basking in the glow of the satisfaction of a difficult job well done and being ready early. How often does that happen?

You have Outlook open and are starting to review the newest emails when all of a sudden, a window pops up with bold text:

!!! IMPORTANT INFORMATION !!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.

Huh?!?! What does this mean?

It means your day has taken a turn for the worse… You have just been notified that the Locky Ransomware has just completed its work on your system by encrypting all of your files (rendering them useless) and is now demanding payment from you to get your files back. Depending on the sophistication of the Locky variant, it will ask you for anything between 1-15 Bitcoins (Bitcoins are trading for $1,205.00 at this time). This may depend on what it perceives the value of the stolen files to be. Server infections typically demand larger sums. Instructions are included on how to make payment with the guarantee that if payment is made, you will receive a key to unlock your precious files.

What can you do? Your mind is racing. How can this happen?!?! Your heart rate is increasing rapidly! Put down that coffee… take a few deep breaths. This represents anything from an irritating interruption to a disaster of epic proportions. What you have done up to this point will determine the impact of this event.

If you have good backups, this represents a minor inconvenience. If you don’t have backups at all … you will have to decide if you’re going to count your losses and move forward or consider paying the Ransom. After all, there is honor among thieves … or is there???

How can you avoid being in this situation?

There are several things that can be done before you are in this situation to “reduce your surface of vulnerability” and to recover without great loss.

    1. Backup your data.
      Good backups cure many woes. You may not use your backups for months or even years, but when the need arises, you want to be sure you can recover to a point where you can feel whole again.
    2. Purchase Advanced AntiVirus and AntiMalware and keep it up to date.
      Many of today's Advanced AntiVirus/AntiMalware programs will monitor your system for behavior that looks like ransomware at work and shut it down before it gets too far. Some will not.
    3. Do not open attachments or click on links in the email from unknown sources.
      If you need to open attachments, scan them for malware first. Many people are fooled by Human Engineered emails that “look” legitimate but have attachments or links that are masked in some clever way.
    4. Limit user access to data they need.
      Although this doesn’t help with avoidance, it will certainly help to minimize the impact if it happens. If everyone has access to everything, that means if one person becomes infected, they have the capability to cause encryption of ALL data they can see.
    5. Train your staff on proper Business Security Best Practices and to be aware and vigilant. If your data is important to your business, it needs to be handled as such.


There are other “Best Practices” that can be employed to safeguard your data and business. Take a proactive approach and avoid the reactive. In the long run, the reactive approach will cost much more in time, money, and grief. Give Bryley Systems a call (844.449.8770) to discuss what you can do to improve your overall security, efficiency, and cost … and enjoy that coffee!

Data Theft – What Happens When an Employee Leaves your Company?

Let’s start with the premise that company data belongs to the company, not to the employee.

When an employee leaves a company, whether voluntarily or involuntarily, it is quite common for sensitive and confidential data to disappear.

While most employees will leave their jobs voluntarily, there are always involuntary terminations such as a reduction in workforce or a termination based upon poor performance reviews. The problem from a security standpoint is that it is very common for these folks to take sensitive and confidential data with them, perhaps accidentally, but perhaps intentionally.

Just stop for a moment to consider all of the data that your employees have access to: various types of intellectual property, price lists, customer and key account information, financial data, sensitive HR material, marketing plans, sales data, competitive intelligence, product and manufacturing plans, databases, software programs. All of which belong to the employer.

As a business owner, you may be asking yourself why people would take data with them.

Accidental. In a world filled with so many devices, cloud storage, mobile apps, and cloud applications, a departing employee may leave with a lot of corporate data and not even remember or realize that they still have it in their possession. Since so many employees work from home, corporate data will often end up on a personal laptop, desktop, USB stick, phone, or in a shared file.

Entitlement. An employee who has worked on key client relationships or perhaps is leaving an organization that is struggling financially, won’t always feel like the data belongs to the organization. In fact, these people may think that they’re justified in taking the data with them, and that it really belongs to them. This issue is most common and kept common by the mere fact that corporate data protection policies aren’t always strictly enforced, especially in smaller organizations.

Malicious Intent. Some employees may be angry because of a layoff or other involuntary termination. Others may not have gained a promotion they felt they deserved. Some may have a personal dispute with upper management or with their supervisor. Then there are those who feel they will have a lot to gain by bringing this information to their next employer. While this may be less common, it will likely prove to be the most destructive scenario.

What are the consequences of an employee leaving with proprietary information? Whether it’s by mistake, or maliciously, the worst case scenario is that it has the potential to put an organization out of business.

The best way to protect your organization is to be proactive by establishing and enforcing a set of best practices.

  • Organizations must maintain complete, ongoing visibility into sensitive data wherever such data is stored.
  • All sensitive and confidential data should be encrypted.
  • Email should be archived.
  • Require appropriate authentication for sensitive data. Creating policies that will alert or require approval will keep data safe.
  • Limit and manage employee access by department, role, and function. Limit access only to content that is needed to get the job done. For example, an IT person does not need unlimited access to HR files, nor does a financial person necessarily need complete access to the CRM system.
  • Ensure a proper backup and recovery policy. All data should be backed up to a central or accessible location. A recovery plan should be in place should an employee maliciously change or delete data.
  • Develop a policy for the proper use of email and company-owned devices. Employees should be trained on these policies and asked to sign an acknowledgement form.
  • Train management properly so that when an employee leaves, the exit process is handled professionally to prevent both inadvertent and malicious loss of data.
  • Do not allow employees to install their own applications, mobile apps, etc. as this will open up the organization to malware and ransomware. The IT department should always handle the installation of applications.
  • Develop a policy around BYOD (Bring Your Own Device) to ensure that personal devices are properly secured.

You can protect your organization to minimize, if not eliminate, the threat of sensitive and confidential information theft. Create corporate policies focused on appropriate employee management of data. Establish processes designed to control employee use of data. Deploy technology solutions that will keep corporate data safe.

If you’re ready to protect your organization, it pays to work with a Managed IT Services/Managed Cloud Services company, like Bryley Systems, to ensure that you’re taking the right steps. Bryley will recommend solutions to eliminate weak links in your security chain, and help you develop an organization-wide policy to help prevent data loss.

Please contact us at 978.562.6077 or by email at ITExperts@Bryley.com. We’re here to help.

The Value of an MSP Relationship

IT professionals working for an organization are seeing the value of a Managed IT Service Provider (MSP) relationship as more positive than ever before. In fact, most organizations who use MSPs typically maintain an IT staff of their own to work together with their MSP.

There are numerous advantages of having a valued MSP.

One-Time Events are Less Costly and Stressful. Upgrades or installations are often frustrating because the organization has to go to great expense to send people to training and oftentimes, it is training they’ll only use once. MSPs who have already performed those installations or upgrades can often be swapped into place to execute those tasks which in the long run, saves your organization both time and money.

You are Less Likely to be Short-Handed. Whenever an assigned MSP professional is out for any reason, they are replaced by an equally skilled colleague who has been briefed and trained on your organization’s IT environment. Substitutes can quickly fill in the way you expect them to.

Reliability and Accountability. No longer will a single individual be held responsible for any specific situation. The MSP will own the obligation to resolve any issue quickly and thoroughly. Your regular IT staff can also easily be backfilled in the event of an emergency situation which will reduce stress and the likelihood that a project may not be completed in the event of a regular staff member being ill or having an emergency.

Broader Selection of Skills. Sometimes getting certain IT tasks accomplished requires skills that none of the IT personnel assigned to the company have. In these cases, the MSP can temporarily replace assigned personnel with others who do have those needed skills, therefore relieving the pressure to engage a “specialist” to get unusual tasks handled.

Increased Agility. New technologies can be deployed, and the value of that technology is appreciated, much more rapidly because there is little to no learning curve for employees when the MSP can fill in the gaps between standard operating procedures and emerging new needs.

Focus on Growth. Often, when compa­nies are growing quickly, they are challenged to find and acquire qualified IT employees to accommodate that growth. This often results in rushing and settling for less-than-ideal candidates. Bringing in additional MSP resources shifts that daunting task to a partner who is far better equipped and qualified to provide the right people with the right skills to keep the company growing.

Technology Decisions Become Independent of HR Issues. Suddenly your organization is free to make major revisions to their chosen platforms without regard for the need to terminate a lot of employees. Instead, you can simply require the MSP to furnish people with the new skill sets.

The supplemental role of your MSP can make many tasks easier when it comes to tactical line employees and their functions.

What happens when something goes wrong near the top of the organization?

For example, what would happen if an executive suddenly left the company? Maybe it’s the CIO who suddenly resigns to go work for a competitor. Or, perhaps the CTO stole valuable customer data and was fired. Scenarios like these examples can leave a gaping hole at the top of an organization. Who would fill that gap? How quickly can a new CTO or CIO be recruited and hired? How long would it take for them to understand the current state of your corporate IT?

A senior engineer at your MSP who has been working with you on your infrastructure can easily and readily step in. They already have a working knowledge of your technology environment, having probably participated in designing much of it. They have the proper skills and experience, along with the full support of the entire MSP team.

In several cases, MSP specialists have been called upon to take control of an IT environment, change all the passwords, lock the offending executive out of all systems and help to escort them out of the company. Usually this senior MSP replacement executive will remain in place until a viable replacement is found, recruited, hired, and trained.

Every employer wants to do their best for the employees that do their best to promote the organization’s growth and success. For those who have thought about bringing in an MSP to reduce IT costs, this has often been a primary concern.

Many high-value employees who were becoming bored in their daily maintenance and support routines have been given new opportunities which have enabled them to make dramatically greater contributions to the company, thus also furthering their own careers.

The role of the MSP in today’s progressive organization is supplemental, and complementary. No longer are MSPs considered vendors who provide ‘bodies’ to perform tasks.

Bryley Systems prides itself on being a truly valued partner to our clients, who engage us to work side-by-side with them and their people to grow their organizations.

Bryley Systems has 30 years of experience taking the worry off of our clients’ shoulders and effectively managing IT environments at a predictable cost. For more information about Bryley’s full array of Managed IT Services, please contact us at 978.562.6077 or by email at ITExperts@Bryley.com. We’re here for you. 


Have You Ever Used a Public Cell Phone Charging Station? If so, read on…

Beware!

Free charging stations are located in many public places such as bus stations, airports, cafes, hotels and conference centers. If you travel frequently, it is very convenient to give your cell phone battery power a quick boost. But connecting to an unknown port has its risks.

“Video jacking” is a technique in which a USB cord is rigged to capture the smartphone’s video display and record everything that appears on the screen.

Plugging your phone into a hacked power strip or charger can open your device to infection and compromise all of your data. Once a port is compromised, there is no limit to what a hacker can steal. Your email, photos, videos, contact information, text messages, bank passwords and PIN numbers will all be vulnerable.

Hackers can find all the tools they need online, and for just a couple of hundred dollars. They will use their custom electronics hidden in a faux USB charging station. The person who is using the charging station believes it’s authentic, and will connect their phone to the correct charging cord. Then, while the phone is connected, the “charging station” mirrors your screen and records everything that you can see on your screen. And then, in a matter of minutes, the damage is done. If you have an Android or any HDMI ready smartphone, you are vulnerable. If you have an iPhone, you’re not safe either.

So, the best advice for those of you who cannot live without your phone?

Security experts advise never to use public outlets — instead, invest in a portable USB battery pack. You can also buy USB cords that don’t have wires to transmit data, thereby preventing a hacker from accessing your phone’s information.

Be prepared. The risk just simply isn’t worth it.

Be Aware! Avoid Phishing Scams During Tax Season

Let’s face it, tax season is stressful enough without having to contend with increasingly common and sophisticated tax scams. It certainly can be a headache to prepare your taxes, but falling for a tax scam could make it a nightmare.

The world is full of people who are ready and willing to take advantage of someone when they’re vulnerable. Tax scams contain new forms of fraudulence being discovered every day, but the most prevalent by far is the email phishing scam.

The Definition of Phishing. It is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

Phishing scams are easy to accomplish and can be done from home. A typical phishing email during tax season will bear similar (or sometimes identical) IRS letterhead or logos and will instruct you to follow a link that will lead you to, you guessed it, a site that requests your personal information. Some individuals are too quick to trust a logo or letterhead and forget to check the validity of an email/site before divulging their personal information.

In recent years, thousands of people have lost millions of dollars and their personal information to tax scams and fake IRS communication. Scammers use the regular mail, telephone, fax or email to set up their victims.

Knowledge is Power! Remember that the IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. In addition, the IRS does not threaten taxpayers with lawsuits, imprisonment or other enforcement action. Recognizing these telltale signs of a phishing or tax scam could save you from becoming a victim.

Last-Minute Email Scams. The IRS, state tax agencies and the tax industry urge taxpayers to be on guard against suspicious activity, especially email scams requesting last-minute deposit changes for refunds or account updates.

  • Learn to recognize phishing emails, calls or texts that pose as banks, credit card companies, tax software providers or even the IRS. They generally urge you to give up sensitive data such as passwords, Social Security numbers and bank or credit card accounts. Never provide your private information!
  • If you receive suspicious emails forward them to phishing@irs.gov. Never open an attachment or link from an unknown or suspicious source!

IRS-Impersonation Telephone Scams. “An aggressive and sophisticated phone scam targeting taxpayers has been making the rounds throughout the country. Callers claim to be employees of the IRS, using fake names and bogus IRS identification badge numbers. They may know a lot about their targets, and they usually alter the caller ID to make it look like the IRS is calling.

Victims are told they owe money to the IRS and it must be paid promptly through a pre-loaded debit card or wire transfer. Victims may be threatened with arrest, deportation or suspension of a business or driver’s license. In many cases, the caller becomes hostile and insulting. Or, victims may be told they have a refund due to try to trick them into sharing private information. If the phone isn’t answered, the scammers often leave an “urgent” callback request.”1

The IRS will never:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail you a bill if you owe any taxes.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Ask for credit or debit card numbers over the phone.

Remember: Scammers Change Tactics — Aggressive and threatening phone calls by criminals impersonating IRS agents remain a major threat to taxpayers, but variations of the IRS impersonation scam continue year-round and they tend to peak when scammers find prime opportunities to strike.


Surge in Email, Phishing and Malware Schemes. “When identity theft takes place over the web (email), it is called phishing. The IRS saw an approximate 400 percent surge in phishing and malware incidents in the 2016 tax season. The IRS has issued several alerts about the fraudulent use of the IRS name or logo by scammers trying to gain access to consumers’ financial information to steal their identity and assets.

Scam emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. These phishing schemes may seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.

Variations of these scams can be seen via text messages. The IRS is aware of email phishing scams that include links to bogus web sites intended to mirror the official IRS web site. These emails contain the direction “you are to update your IRS e-file immediately.” The emails mention USA.gov and IRSgov (without a dot between “IRS” and “gov”), though not IRS.gov (with a dot). These emails are not from the IRS. The sites may ask for information used to file false tax returns or they may carry malware, which can infect computers and allow criminals to access your files or track your keystrokes to gain information.”

Unsolicited email claiming to be from the IRS, or from a related component such as EFTPS, should be reported to the IRS at phishing@irs.gov.

Tax Refund Scam Artists Posing as Taxpayer Advocacy Panel. “Some taxpayers may receive emails that appear to be from the Taxpayer Advocacy Panel (TAP) about a tax refund. These emails are a phishing scam, where unsolicited emails try to trick victims into providing personal and financial information. Do not respond or click any link. If you receive this scam, please forward it to phishing@irs.gov and note that it seems to be a scam email phishing for your information.

TAP is a volunteer board that advises the IRS on systemic issues affecting taxpayers. It never requests, and does not have access to, any taxpayer’s personal and financial information.

How to Report Tax-Related Schemes, Scams, Identity Theft and Fraud. To report tax-related illegal activities, you should report instances of IRS-related phishing attempts and fraud to the Treasury Inspector General for Tax Administration at 800-366-4484.”3

Additional Scam-Related Information:

If you suspect you are a victim, contact the IRS Identity Theft Protection Specialized Unit at 800-908-4490. When reporting to the IRS, you will need to:

  1. Send a copy of an IRS ID Theft Affidavit Form 14039 – download the form here: www.irs.gov/pub/irs-pdf/f14039.pdf.
  2. Send a proof of your identity, such as a copy of your Social Security card, driver’s license or passport.

After doing that, make sure to:

  • Update your files with records of any calls you made or letters you sent to the IRS
  • Put a fraud alert on your credit reports and order copies of your credit reports to review any other possible damage
  • Create an Identity Theft Report by filing an identity theft complaint with the FTC and a police report

Sources and References:

1. http://www.vanderbloemengroup.com/articles/irs-impersonation-telephone-scam
2. http://www.irs.gov
3. http://www.irs.gov

http://usa.gov/business-taxes
http://www.aarp.org
https://www.taxadmin.org/
https://treasury.gov/tigta/


Bryley Receives Prestigious Channel Partners 360° Award!

April 11, 2017 — Bryley Systems is pleased to announce that it has been honored by Channel Partners, with the 2017 Channel Partners 360° Business Value Award.  We are one of only 25 technology-oriented companies worldwide to receive this award, which is one of the most sought-after in the industry.

This award honors service providers that are taking a holistic approach to technology solutions and creating business value for their clients and have a well-rounded portfolio.  Channel Partners started “as a simple idea to reward partners of all sizes for creating business value for their customers through telecom, IT, and cloud solutions…” and “rewards channel partners – agents, VARs, dealers, system integrators, MSPs and consultants – of all sizes for innovation, solutions-orientation and customer focus.”

Bryley’s President, Gavin Livingstone, and co-owner, Cathy Livingstone, were on hand to accept the award, stating “Bryley Systems works toward continuous improvement; we strive to manage, optimize, and secure our clients’ information technology, which brings substantial business benefit and value to their organizations. Our team-focused, best-practices-oriented approach, coupled with high-value/low-risk service options, enables us to provide our clients with Dependable IT at a Predictable Cost™.

We thank Channel Partners for this prestigious Channel Partners 360° award!”

Award recipients were honored at a ceremony on April 11 at the Channel Partners Conference & Expo in Las Vegas.

Sharing Files? Be Cautious.

Let caution be your watchword.

More and more organizations are moving to the cloud. And that’s great because it allows your employees to share files easily and efficiently. However, no matter how convenient this technology is, business owners and employees alike should be aware of a few basic security risks and counter-measures.

Employees must clearly understand what type of information can be shared and what storage mediums are eligible for each category of information. This approach will enable companies to establish a consistent and manageable process as it relates to the secure use, access, and storage of company information.

Beware the Password! Most cloud services provide users with their own accounts. Generally, employees select their own passwords. What will stand between a hacker and the content of those files is a password. It is very important for employees to select a “strong” password. (View one of our recent blogs – Do’s and Don’ts of Password Security). Passwords should be changed periodically. This can be set automatically through most databases and ensures that employees don’t use duplicate passwords.

Do You Have Remote Users? Any computer or device that accesses company data should be considered a risk access point. Be sure that all devices are protected with security updates and patches. All these access points should have anti-virus / anti-malware protection as well. If you have employees who travel frequently, they may be using public Wi-Fi connections. Be sure that employees understand that if their devices are being used to send and receive files in the cloud, their data may be at risk, if unprotected.

How Secure is Your Cloud Service Provider? It is important to know whether the service provider can see your data.

  • If so, does the provider have controls in place to avoid sending, copying, or e-mailing your valuable data?
  • You also need to ask your cloud service provider what their data-protection policy is, and what the audit procedures are. Then, you should perform your own due diligence on those procedures.
  • What happens in the event of data corruption? Are there proper backups, and how far back do the backups go?

Evaluate Your Security Policies

Evaluate your security measures regularly to be sure they are doing the job. Circumstances change, equipment and software become outdated, and people make mistakes. As a result, effective security is dynamic, and requires monitoring and updating.

To inquire about Bryley’s full array of Managed Cloud Services and Managed IT Services, please contact us by phone at 844.449.8770 or by email at ITExperts@Bryley.com. We’re here for you.


Cathy and Gavin Livingstone judge at MHS SE Fair!

Cathy and Gavin Livingstone, joint-owners of Bryley Systems Inc., were again judges at the Marlboro High School Science and Engineering Fair on Tuesday, February 28. (The MHS SE Fair is a well-run, annual event that provides support and encouragement of student research, inquiry, and design.)

Cathy is pictured with Kimberly Konar and Amanda Cameron (aka The Bottle Girls), who presented BioPlastic: An Alternative to Environmentally Destructive Polymers. Kimberly and Amanda were third-place winners.

Winners go to the upcoming Worcester Regional Science and Engineer Fair and, if successful, on to the Massachusetts State Science & Engineering Fair.

IT Security Cheat-Sheet

All organizations are at risk of a breach in IT security, whether externally (by a party outside the organization’s computer network) or internally (by a person connected to the organization’s computer network); studies show that even small companies are targeted externally, primarily because they are more vulnerable than larger organizations who can dedicate resources to combat external threats.

Organizations take great efforts to secure their data; they have firewalls, spam blockers, anti-malware applications, intrusion detection, etc.  However, the greatest threat comes from within:  End-users often inadvertently introduce malware (via web browsing or email-attachment clicking), which can spread across the network or attack confidential data.

Effective IT security requires a layered approach; it is comprised of multiple solutions at different points-of-entry and areas of concern.  It must be setup properly, but must also be continually monitored and then updated as appropriate.  Security should be periodically reviewed by an IT expert and, if budget permits, tested to ensure what is expected is what is received.

Effective IT security also requires ongoing training for all users and monitoring and enforcement of usage policies.

For an overview on IT security, I recommend viewing Ivan Dimitrijevic’s 10 Ways to Secure Your Small Business and Prevent Data Breach in The Globe and Mail.

Here is our checklist, organized by security concern:

1.) Computer Network:

  1. Deploy, update, and monitor stand-alone firewall(s) between all external networks (i.e., the Internet) and the organization’s network.
  2. Deploy, update, and monitor an email/spam-protection capability.
  3. Deploy, update, and monitor an event-log management capability.
  4. Deploy, update, and monitor intrusion-prevention/detection capability.
  5. Lock-down wireless access points.

The first line-of-defense from external threats is a professional-grade, stand-alone firewall configured to refuse unwanted traffic from external sources while permitting only desirable connections.  It should be supplemented with email/spam protection; either as a Cloud-based service or via an internal appliance.  Event-log management and intrusion prevention/detection are also available either as a service or appliance; both are recommended, but budget versus benefits must be considered.

Enable the Service Set Identifier (SSID) for internal-use wireless access points.

2.) Servers, their operating systems, and their applications:

  1. Test and then install all recommended security patches/firmware updates.
  2. Manage operating system and application security-updates continually.
  3. Deploy, update, and monitor anti-malware application on all servers.
  4. Monitor continuously and review periodically for anomalies.

Servers, whether in-house or Cloud-based, contain not only valuable data, but also end-user information (usernames, passwords, profiles, etc.) that can be manipulated and used to infiltrate.  They, their operating systems, and their server-based applications must be aggressively patched, protected through anti-malware, and monitored continuously.

Anomalies in performance and event logs can highlight potential security risks; both should be reviewed periodically.
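One concrete form the “review event logs for anomalies” step can take is a small script that reads authentication events and flags repeated failures from one source, and a success that follows such a burst (a classic sign that password guessing paid off). The example below is added here to illustrate that check; it is not code from the Bryley article. The log lines are constructed in OpenSSH/syslog style and are not real traffic; the year 2017, the five-failure threshold and the five-minute window are assumed values that a real deployment would tune.

```python
"""Flag repeated authentication failures in constructed auth-log lines.

Added example, not from the Bryley article: it reads syslog-style
"Failed/Accepted password" lines, groups failures by source address
within a time window, and reports sources that exceed a threshold.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). Note the double space in
# "Apr  5", which is how syslog pads single-digit days.
SAMPLE_LOG = """\
Apr  5 08:01:02 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr  5 08:01:05 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Apr  5 08:01:09 fileserver sshd[2103]: Failed password for root from 203.0.113.7 port 51025 ssh2
Apr  5 08:01:14 fileserver sshd[2105]: Failed password for jsmith from 203.0.113.7 port 51030 ssh2
Apr  5 08:01:20 fileserver sshd[2107]: Failed password for jsmith from 203.0.113.7 port 51031 ssh2
Apr  5 08:01:25 fileserver sshd[2109]: Accepted password for jsmith from 203.0.113.7 port 51032 ssh2
Apr  5 08:15:40 fileserver sshd[2200]: Failed password for mjones from 192.0.2.44 port 40012 ssh2
Apr  5 08:40:01 fileserver sshd[2300]: Failed password for mjones from 192.0.2.44 port 40020 ssh2
Apr  5 09:10:11 fileserver sshd[2400]: Accepted password for mjones from 192.0.2.44 port 40031 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2017):
    """Return a dict for an auth line we recognise, else None.

    Syslog timestamps carry no year, so one is supplied; 2017 is an
    assumed value for this example.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "result": m.group("result"),
            "user": m.group("user"), "ip": m.group("ip")}


def find_anomalies(log_text, threshold=5, window=timedelta(minutes=5)):
    """Scan log text in order and return a list of (kind, ip, detail).

    'burst': the threshold-th failed login from one source inside the window.
    'success_after_failures': a successful login from a source that already
    had >= threshold failures inside the window.
    """
    recent_failures = defaultdict(list)  # ip -> failure timestamps in window
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # Keep only failures that are still inside the window for this event.
        recent = [t for t in recent_failures[ip] if ts - t <= window]
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # report once, when the bar is crossed
                findings.append(("burst", ip, threshold))
        elif len(recent) >= threshold:
            findings.append(("success_after_failures", ip, ev["user"]))
        recent_failures[ip] = recent
    return findings


if __name__ == "__main__":
    for kind, ip, detail in find_anomalies(SAMPLE_LOG):
        print(f"{kind}: {ip} ({detail})")
```

In the constructed sample, 203.0.113.7 produces five failures in under twenty seconds and then a successful login, so both findings fire for it; 192.0.2.44 has two failures twenty-five minutes apart, which the five-minute window correctly ignores. The same shape of check (parse, bucket by source, compare against a window and a threshold) applies to Windows Security-log events or firewall denies once the regular expression is swapped for the relevant format.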

3.) Data:

  1. Identify at-risk data and its location; keep only what you need.
  2. Outsource payment processing to a reliable, third-party partner.
  3. Verify the security of vendors and partners with access to your data.
  4. Where performance permits, encrypt data at rest and in motion.
  5. Deploy an encrypted backup solution with onsite and offsite storage.

Company data should be classified by its value and stored accordingly.  Ideally it is always encrypted, although many organizations might not have the processing power to permit that everywhere.

Rather than process payments onsite, consider one of the many third-party vendors that provide this service; any such vendor should be verified before you engage it.

Data backups should be encrypted and follow the 3-2-1 rule for reliability:

  • Three copies of important data
  • Two different media types
  • One copy offsite

4.) End-user devices, operating systems, and applications:

  1. Manage operating system and application security-updates continually.
  2. Deploy, monitor, and update anti-malware app(s) on all end-user devices.
  3. Test and install security-required firmware updates to end-user devices.

End-user devices are a primary target; they are difficult to secure and change continually.  However, end-user tools also share some blame:  Karen A. Frenkel of CIO Insight writes in “How Malware Bypasses Detection Tools” that 81% of IT professionals believe that web-browser-initiated malware can remain undetected by security tools and that the primary attack vector is an insecure web browser.

End-user devices, their operating systems and their applications must also be aggressively patched, protected through anti-malware, and monitored continuously.

Occasionally, a manufacturer will issue an alert for a security-required update to an end-user device, which should be applied as soon as possible.

5.) Usage:

  1. Lock down user rights to restrict data access to an as-needed basis.
  2. Require complex passwords with forced, periodic changes.
  3. Enforce periodic time-outs when a computer is left unattended.
  4. Separate social-media browsing from financial-data handling.
  5. Require two-factor authentication for all online transactions.
  6. Create an end-user policy detailing appropriate Internet use.
  7. Create an end-user policy on how to protect sensitive data.
  8. Enable web-monitoring capability to enforce policies.
  9. Protect email via encryption (as needed).

Data should be restricted, preferably on a need-to-know basis.  (CryptoLocker can initially only attack data available to the end-user who introduces the virus.)  Complex passwords with periodic changes can restrict untrusted access, while forced time-outs keep private information from unwanted eyes.

Set up a separate login account or device for access to financial data.  All online financial transactions must use two-factor authentication.

Policies should exist to inform end-users; they can be enforced through web-monitoring solutions.

Sensitive emails should be encrypted (via a service or appliance) while sensitive documents can be transferred via a secure FTP site.

6.) Training:

  1. Define an organization’s best practices for IT security.
  2. Demonstrate how to spot an unwanted ad while browsing.
  3. Train users how to verify a website link (before clicking it).
  4. Show how to verify an email attachment (before opening it).
  5. Train users to check the address of an email’s sender/source.

Data breaches occur due to the inadvertent introduction of malware, sometimes through the failure to comply with policies designed to limit inappropriate behavior, but often through a lack of IT-security knowledge and training.

The more training, the better.  Initial training should be acknowledged by the recipient and then tested for knowledge gained.  Security training should be repeated periodically, preferably at least annually.
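Items 3 through 5 of the training list (verify a link before clicking, verify an attachment, check the sender’s address) come down to two cues that can also be checked mechanically: where a link really points versus what its text says, and what the From address really is versus what the display name claims. The script below is an added example that illustrates those two cues; it is not code from the Bryley article, and the message body, From header and domains in it are constructed placeholders (example.com and example-corp-login.net are assumed names, not real senders). It uses only the Python standard library.

```python
"""Surface two phishing cues from the training list: mismatched link text
and a display name that borrows the organisation's name while the real
address is elsewhere.  Added example; sample data is constructed.
"""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (assumed names, not a real email).
SAMPLE_FROM = '"Payroll at Example Corp" <alerts@example-corp-login.net>'
SAMPLE_BODY = """
<p>Your W-2 is ready. Review it at
<a href="http://example-corp-login.net/w2">https://hr.example.com/w2</a>
or see the <a href="https://hr.example.com/help">help page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Last two labels of a hostname.  Simplification: ignores public-suffix
    cases such as co.uk, which a production check would handle."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname from a URL or URL-looking string."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def check_links(html_body):
    """Return (href, visible_text, reason) for links whose visible text is a
    URL on a different domain than the href actually points to."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        looks_like_url = "." in text and " " not in text
        shown = host_of(text) if looks_like_url else None
        real = host_of(href)
        if shown and real and base_domain(shown) != base_domain(real):
            findings.append((href, text, "visible URL domain differs from real link"))
    return findings


def check_sender(from_header, expected_domain):
    """Compare the From address against the domain the mail claims to be from.
    Returns a list of reasons; an empty list means no cue triggered."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    org = base_domain(expected_domain).split(".")[0]   # e.g. "example"
    reasons = []
    if base_domain(addr_domain) != base_domain(expected_domain):
        reasons.append("sender address is outside " + expected_domain)
        if org in name.lower():
            reasons.append("display name borrows the organisation's name")
    return reasons


if __name__ == "__main__":
    for href, text, why in check_links(SAMPLE_BODY):
        print(f"link: text {text!r} but href {href!r}: {why}")
    for why in check_sender(SAMPLE_FROM, "example.com"):
        print("sender:", why)
```

Against the constructed sample, the first link is flagged because its text shows hr.example.com while the href goes to example-corp-login.net, and the sender is flagged twice: the address is outside example.com, and the display name still says “Example Corp”. These are exactly the two things the training asks a user to look at before clicking or replying; a mail gateway can apply the same logic at scale, but the point of the training is that people can apply it by hovering over the link and reading the address in angle brackets.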

7.) Maintain a Written Information Security Plan (WISP):

  1. Assign a responsible person.
  2. Define and announce the WISP.
  3. Review WISP periodically (at least annually).
  4. Document changes to WISP when they occur.
  5. Periodically test, assess, and rework policies and procedures.

The Commonwealth of Massachusetts, under statute 201 CMR 17.00, requires a WISP for all organizations that hold personal information on any Massachusetts resident.  The WISP must be assigned to an Information Security Manager, periodically reviewed, and changes must be documented.  All WISP policies and procedures must be periodically tested, assessed, and reworked as needed to ensure maximum, ongoing protection.

If you would like to improve your 2017 cybersecurity plan, or to inquire about Bryley’s full array of Managed Cloud Services and Managed IT Services, please contact us at 844.449.8770 or by email at ITExperts@Bryley.com. We’re here for you.