Recommended practices – Part 2: Web browsing/Internet usage

This is a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End-users browse the web; it’s usually the fastest way to get an answer, search for an item, or make a purchase.  But, browsing comes with some risks:

  • Potential liability from browsing ill-advised sites at work
  • Inadvertent or unintentional download of malicious software
  • Waste of company resources: Internet bandwidth, employee time, etc.

To reduce browsing risks, we have these recommendations:

  • Set an Internet usage policy
  • Monitor and enforce browsing behavior
  • Train staff members on safe-browsing habits

A fourth recommendation, configure and patch/update end-point components (operating system, anti-malware software, Internet browser, etc.), will be covered in future articles.

Set an Internet usage policy

Unless we know what is acceptable, how can it be enforced?  Some organizations, to limit unproductive time, might restrict access to social-media sites (Facebook, Twitter, etc.), while others (police investigators) may need access to pornographic sites; without a policy, what sites do we monitor and restrict and for whom?

An Internet usage policy should define the dos and don’ts of Internet access; it should be included in the Employee Handbook with a sign-off acknowledgement and should also note that the organization reserves the right to monitor and limit this usage, without restriction.  (See a simple Sample Internet usage policy from GFI, or review an in-depth Internet usage policy from the SANS Institute.)

Monitor and enforce browsing behavior

Paul Wood of Symantec™ studied browsing habits of end-users with these findings [1]:

  • About one-third of users followed the organization’s Internet-use policy,
  • The second one-third generated less than 10% of browsing violations, and
  • The final one-third had over 90% of browsing violations; about 20% of this group actually had more violations than legitimate usage.

Basically, about 66% of end-users follow an organization’s Internet usage policy most or all of the time, but there is a small group that abuses this policy, which suggests that enforcement efforts should focus on the abusers.

To protect an organization, basic monitoring and enforcement of Internet usage is recommended; a typical monitoring/enforcement software application for small to mid-sized organizations should provide, at a minimum, these capabilities:

  • Cluster related sites together (e.g., gaming, sports) to set policy by site-groups
  • Combine users by department or functional area to enable group restrictions
  • Whitelist specific sites (or site-groups) to permit unlimited access
  • Blacklist specific sites (or site-groups) to prohibit access

Once deployed, you must continually review the results to inspect what you expect.
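
As an added example (not the article's own code and not any vendor's product), the script below models the four capabilities listed above (site-groups, user groups, a whitelist, a blacklist) as a small policy engine, then performs the "inspect what you expect" review step over a constructed proxy log to find the users whose violations outnumber their legitimate requests, i.e. the group the Symantec findings suggest enforcement should focus on. All hostnames, user names, departments and log lines are constructed for the example.

```python
"""Policy-by-group web filtering with a periodic review step (added example)."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed site-groups: hostname -> category. Real filtering products ship
# large vendor-maintained category databases; these entries are illustrative.
SITE_GROUPS = {
    "facebook.example": "social",
    "twitter.example": "social",
    "espn.example": "sports",
    "poker.example": "gaming",
    "crm.example": "business",
    "docs.example": "business",
}

# Constructed user groups: user -> department (functional area).
USER_GROUPS = {"alice": "sales", "bob": "engineering",
               "carol": "investigations", "dave": "sales"}
DEFAULT_GROUP = "general"   # users not assigned to a department

# Per-department policy: deny whole site-groups, but let a whitelist (allow_hosts)
# override them, and let a blacklist (deny_hosts) block individual sites.
POLICY = {
    "general":        {"deny_groups": {"gaming"}, "allow_hosts": set(), "deny_hosts": set()},
    "sales":          {"deny_groups": {"social", "sports", "gaming"},
                       "allow_hosts": {"twitter.example"},      # sales may use Twitter for outreach
                       "deny_hosts": set()},
    "engineering":    {"deny_groups": {"gaming", "sports"},
                       "allow_hosts": set(),
                       "deny_hosts": {"pastebin.example"}},     # one specific host blacklisted
    "investigations": {"deny_groups": set(), "allow_hosts": set(), "deny_hosts": set()},
}

def hostname(url):
    """Host the browser actually connects to (scheme, user@, port and path stripped)."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""

def decide(user, url):
    """Return (allowed, reason) for one request. Whitelist beats blacklist beats site-group."""
    dept = USER_GROUPS.get(user, DEFAULT_GROUP)
    rules = POLICY[dept]
    host = hostname(url)
    if host in rules["allow_hosts"]:
        return True, "whitelisted host"
    if host in rules["deny_hosts"]:
        return False, "blacklisted host"
    group = SITE_GROUPS.get(host, "uncategorized")
    if group in rules["deny_groups"]:
        return False, f"site-group '{group}' denied for {dept}"
    return True, f"site-group '{group}' permitted for {dept}"

# Constructed proxy log: timestamp, user, requested URL.
LOG = """\
2014-09-10T09:01:02 alice https://crm.example/accounts
2014-09-10T09:03:15 alice https://twitter.example/home
2014-09-10T09:05:40 alice https://facebook.example/feed
2014-09-10T09:10:00 bob https://docs.example/spec
2014-09-10T09:12:30 bob https://pastebin.example/raw/abc
2014-09-10T09:20:11 carol https://poker.example/lobby
2014-09-10T10:00:00 dave https://espn.example/scores
2014-09-10T10:01:00 dave https://poker.example/lobby
2014-09-10T10:02:00 dave https://facebook.example/feed
2014-09-10T10:03:00 dave https://crm.example/accounts
"""

def review(log_text):
    """Tally allowed vs. denied requests per user and flag users whose
    violations outnumber their legitimate usage."""
    allowed, denied = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, url = line.split(maxsplit=2)
        ok, _reason = decide(user, url)
        (allowed if ok else denied)[user] += 1
    users = sorted(set(allowed) | set(denied))
    report = {u: {"allowed": allowed[u], "denied": denied[u]} for u in users}
    abusers = [u for u in users if denied[u] > allowed[u]]
    return report, abusers

if __name__ == "__main__":
    report, abusers = review(LOG)
    for user, counts in report.items():
        print(f"{user:6} allowed={counts['allowed']} denied={counts['denied']}")
    print("focus enforcement on:", abusers)   # prints ['dave']
```

Run as a script, it prints the per-user tallies and names the one user in the constructed log whose denied requests exceed allowed ones. Note that the investigations department has no denied site-groups at all, mirroring the article's point that what counts as a violation depends on who is browsing.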

Example: Bryley Systems offers Secure Network™, an onsite Unified Threat Management (UTM) tool with monitoring and enforcement of web browsing.  The results are periodically reviewed and reported by Bryley Systems to the client.

Train on safe-browsing habits

It is important that staff know and understand the importance of an organization’s Internet usage policy; they have a significant role to play in this effort.

The basic rule is to not click on any site that you do not trust.  However, even some trustworthy sites can be hijacked and route an unsuspecting user to an unintended site with unexpected consequences.

Some browsing tips [2]:

  • Do not click on pop-ups
  • Do not open links within spam email
  • Check a site’s actual address in the address bar; this address should always match the expected site-name (URL)
  • When in doubt, shout it out (call for help)
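
The third tip, checking that the address in the address bar really matches the expected site, is easy to state but easy to get wrong, so here is the same check written out as an added example (not from the article; the hostnames are constructed). It shows the cases that fool people: a genuine subdomain is fine, but the expected name appearing in the user-info part, as a prefix of another domain, or spelled with a look-alike non-ASCII letter is not. A security-awareness quiz or an internal link checker could grade URLs this way.

```python
"""Does this URL really point at the site the user expects? (added example)"""
from urllib.parse import urlsplit

def actual_host(url):
    """The host the browser will connect to.
    urlsplit().hostname drops the scheme, any 'user@' prefix, the port and
    the path, so 'https://bank.example@evil.test/login' yields 'evil.test'."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower().rstrip(".")

def matches_expected(url, expected_site):
    """True when the host is expected_site itself or a genuine subdomain of it."""
    expected = expected_site.lower()
    host = actual_host(url)
    if host == expected:
        return True
    # 'login.bank.example' is acceptable; 'bank.example.evil.test' and
    # 'bank-example.test' are not, because the registered domain differs.
    return host.endswith("." + expected)

def explain(url, expected_site):
    """List the problems a user should notice before trusting the page."""
    problems = []
    host = actual_host(url)
    scheme = urlsplit(url).scheme.lower()
    if not matches_expected(url, expected_site):
        problems.append(f"host '{host}' is not {expected_site} or a subdomain of it")
    if scheme != "https":
        problems.append(f"connection is {scheme or 'unknown'}, not https")
    return problems

if __name__ == "__main__":
    # Constructed addresses; the last one uses a Cyrillic 'а' in place of Latin 'a'.
    for url in ["https://login.bank.example/",
                "https://bank.example.evil.test/",
                "https://bank.example@evil.test/login",
                "http://bank.example/",
                "https://b\u0430nk.example/"]:
        print(f"{url:45} -> {explain(url, 'bank.example') or 'looks right'}")
```

The look-alike case is the one worth showing to staff: on screen the two addresses can be indistinguishable, which is why the tip says to compare against the expected name rather than to judge by appearance alone, and why "when in doubt, shout it out" follows it.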

There are also many online security-training options; we offer a video-training package on a per-user basis through our business partner, Deadbolt Security.

REFERENCES:

  1. See Paul Wood’s article “Employee browsing habits, the good, the bad, and the ugly” at Symantec Intelligence.
  2. Dylan Herix offers “An idiot’s guide to good browsing habits” at AppStorm Guide.

Winner of our business-card raffle at the Central Mass Business Expo (CMBE)

Congratulations to Maureen Raillo, CEO at W Limousine in West Boylston, MA!


Maureen won a Beats Pill™, and a Beats Pill character stand.  (Beats Pill is a lightweight, portable, and wireless speaker that lets you bring music wherever you go; combined with the character stand, the value is over $250.)

Bryley Basics: Get ready for USB Type C

USB (Universal Serial Bus) has been part of the computer world since 1998; it typically connects peripherals (printers, scanners, cameras, etc.) to computers.

A new USB cable, USB Type C, should hit the shelves next year.  It will use the USB 3.1 standard, which is backward-compatible with USB 3.0 and USB 2.0 and permits data transfer at up to 10 Gbps.

USB Type C will have these features:

  • Smaller connector ports at 8.44 mm by 2.6 mm
  • Connectors are the same on both sides of the cable (allowing cable reversal)

For details, please visit Dong Ngo’s write-up “USB Type-C: One cable to connect them all” from August 22nd, 2014 on CNet, or see Stephen Shankland’s article “Meet the next-gen USB cable that could sweep away all others” in the April 1st, 2014 write-up on CNet.

Why do organizations ignore information (cyber) security?

I read an interesting article by Don Jones of Redmond Magazine titled: “The Quest for a Culture of Security”.  In it, Mr. Jones notes (via my paraphrasing):

  • Security gets limited attention and even less funding from decision makers
  • Security hacking has become a profession with significant financial rewards
  • Every company is a target and has been, at a minimum, probed by hackers

In 2010, I witnessed the first item above when Bryley Systems hosted a series of seminars on the (then) new Massachusetts statute for the protection of personal information (201 CMR 17.00); people attended the seminars and took the first steps toward compliance, but most ignored the difficult changes and few made security (and compliance) part of their corporate structure.

Mr. Jones’ suggestion:  Ingrain security into your corporate culture; make it as important as uptime and connectivity and make it a fundamental part of everything you do.

Lynn Russo Whylly, in her May 14th, 2014 article “How to Prevent Becoming the Next ‘Target’ of a Data Security Breach” from Chief Executive, recommends:

  • Discuss security with your CIO or MSP regularly (to highlight its importance).
  • Walk through the data center (to pose questions about its vulnerabilities).
  • Set up security goals and then monitor metrics (to inspect what you expect).
  • Hire an outside person/firm to attack your security (and highlight its flaws).

Her position is that security is a part of the CEO’s responsibility; one of continually growing importance.

Recommended practices – Part 1: Storage of unstructured data

This is part one of a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be in upcoming newsletters.

Organizations create and consume data constantly, but not all have formal policies or practices that define the value of this data and restrict its amount and location.

Quality is difficult to define and even tougher to enforce; some departments and users save items solely for convenience, even though their value is minimal, while others consider everything they have ever said or done, even 20 years ago, to be worthy of permanent storage.  Basically, there is no point to storing unstructured data (MS Office documents, PDFs, etc.) unless it has value to the organization; however, if you must store it, choose a method that allows some type of classification (like SharePoint with its searchable repository of metadata) [1].

Rather than try to enforce quality standards, many organizations impose limitations on the amount of data stored, since this can be controlled and monitored [2]: even though disk space is relatively inexpensive, backup, data-management, and data-security costs increase as data grows.  Quotas also impose discipline; setting a quota allows the organization to get a picture of storage needs by individuals and by departments or functional groups.  Quotas can also be adjusted as needed.

There are tools that manage unstructured data via audit/access controls and monitor via usage patterns; these are targeted (and priced) for enterprise-class organizations, but are moving downstream within the reach of more organizations. There are less-expensive tools (and policies included within Active Directory) that limit storage-space usage; limits are usually set by user or by department.

Finally, organizations traditionally assume, and try to enforce, that end-users save and store company data only at designated locations of on-premise equipment (drives mapped to servers, storage arrays, Network Attached Storage, etc.) or at authorized, Cloud-based storage locations; the idea is to save and secure company data where it will receive proper backup, security, and vetting. Saving company data onto personal computers, tablets, and mobile phones, where it might not receive regular backups and is more vulnerable to loss or theft, is discouraged.

The best place to start is to create a clear, unambiguous policy on the storage of company data with these guidelines:

  • Define what data should be kept and for how long
  • Define storage-amount limitations and enforcement
  • Define acceptable storage locations
  • Define responsibilities for retention

Once defined, processes can be created and tools can be acquired to manage and monitor this policy.

Our recommendations for storage locations:

  • Remove all data from end-user devices (laptops, mobile devices, etc.).
  • Map a Home folder for each end-user and restrict its rights to that user.
  • Move the end-user My Documents folder to their respective Home folder.
  • Deploy a document-collaboration utility (like SharePoint or Google Docs) or create a Shared folder with appropriate subfolders to manage your shared, unstructured data.
  • Restrict shared access by department or functional group.

Our recommendations for storage management:

  • Define policies within Active Directory to limit storage space (as needed).
  • Archive older, infrequently-used data to less-expensive storage.
  • Monitor usage on a regular basis.
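
The last three recommendations (per-user or per-department limits, archiving stale data, and regular monitoring) can be checked with a short script. The one below is an added example, not from the article, and it does not touch Active Directory quota settings; it assumes a Home share laid out as root/username/... and a department-to-quota table, both constructed here so it runs offline. It reports each user's usage against the department quota and lists files untouched for more than a year as candidates for cheaper archive storage.

```python
"""Per-user Home-folder storage report: quota check plus archive candidates (added example)."""
import os
import tempfile
import time

DAY = 86400
STALE_AFTER_DAYS = 365
# Constructed: department membership and per-department quota in bytes
# (tiny values so the demo tree stays small).
DEPARTMENT = {"alice": "sales", "bob": "engineering"}
QUOTA_BYTES = {"sales": 2_000, "engineering": 10_000}

def folder_usage(path):
    """Total bytes of regular files under path; symlinks are not followed."""
    total = 0
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            fp = os.path.join(dirpath, name)
            if not os.path.islink(fp):
                total += os.path.getsize(fp)
    return total

def stale_files(path, now, days=STALE_AFTER_DAYS):
    """Files not modified within `days`: candidates for less-expensive storage."""
    cutoff = now - days * DAY
    found = []
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            fp = os.path.join(dirpath, name)
            if not os.path.islink(fp) and os.path.getmtime(fp) < cutoff:
                found.append(os.path.relpath(fp, path))
    return sorted(found)

def storage_report(home_root, now=None):
    """One row per Home folder: usage, applicable quota, over-quota flag, stale files."""
    now = time.time() if now is None else now
    report = {}
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        if not os.path.isdir(home):
            continue
        dept = DEPARTMENT.get(user, "unassigned")
        used = folder_usage(home)
        quota = QUOTA_BYTES.get(dept)          # None: no quota defined for this department
        report[user] = {
            "department": dept,
            "used": used,
            "quota": quota,
            "over_quota": quota is not None and used > quota,
            "archive_candidates": stale_files(home, now),
        }
    return report

def build_demo_tree():
    """Constructed Home share: alice is over her sales quota and owns one stale file."""
    root = tempfile.mkdtemp(prefix="home_")
    now = time.time()

    def put(user, rel, size, age_days=0):
        fp = os.path.join(root, user, rel)
        os.makedirs(os.path.dirname(fp), exist_ok=True)
        with open(fp, "wb") as f:
            f.write(b"x" * size)
        stamp = now - age_days * DAY
        os.utime(fp, (stamp, stamp))           # back-date the file to simulate age

    put("alice", "Documents/quote.docx", 1500)
    put("alice", "Documents/old/2006-pricing.xls", 800, age_days=900)
    put("bob", "Documents/spec.pdf", 3000)
    return root

if __name__ == "__main__":
    root = build_demo_tree()
    for user, row in storage_report(root).items():
        flag = "OVER QUOTA" if row["over_quota"] else "ok"
        print(f"{user:8} {row['department']:12} {row['used']:>6}/{row['quota']} {flag}"
              f" stale={row['archive_candidates']}")
```

Run on a real share, only build_demo_tree() would be replaced by the share's path; the quota table would come from whatever the organization records per department. Scheduling a report like this is the "monitor usage on a regular basis" step, and the stale-file list is the input to the archiving step.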
REFERENCES:

  1. Visit “My ongoing rant about unstructured end user data storage”.
  2. See Alan Radding’s excellent and relevant article “Keep end-user storage under control” at TechTarget and originally from Storage magazine in November 2006.

Bryley exhibits at the Central Mass Business Expo

Bryley Systems exhibited in the Technology Pavilion at the Central Mass Business Expo on September 8th, which was held at the DCU Center in Worcester, MA.

Pictured in our booth is Anna, Account Executive at Bryley Systems.


Anna D. achieves VMware Sales Professional certification

Congratulations to Anna who completed the significant training and testing to become certified as a VMware Sales Professional.

VMware is the global leader in virtualization and a key partner of Bryley Systems. A certified VMware Sales Professional has general knowledge in VMware products and business practices.

Anna has been with Bryley since 2010. She moved to the Sales team in 2012.


Summer Fun!

The weather cooperated as Bryley’s summer outing on Sunset Lake in Ashburnham was sunny, warm, and dry. The menu included standard-issue, summer-cookout fare with hamburgers, hot dogs, veggie burgers, salads, and desserts; plenty of desserts. Bryley also hosted SwiftecIT and other friends; daylight fishing and pontoon-boat rides (pictured) gave way to roasting marshmallows around the evening campfire.

Boating at the Bryley Summer Outing

We Have A Winner!

Congratulations to Geary at USI!  You’ve won the drawing for “Roy’s Almost 20th!”

For those who may have missed the news, Roy Pacitto, our Director of Sales, has been an employee at Bryley Systems for nearly 20 years!  Since we tend to get excited about this sort of thing, we decided to have a little celebration in honor of his many years of service, only to realize that Roy hadn’t actually finished his 20th year yet.  By this point, however, the drinks were already open, the cake was already out, and we were already assembled, so we decided to go ahead and celebrate Roy’s (almost) 20th anyway.

It was about this time that we made another realization.  Over the past (almost) 20 years, Roy has come to know a lot of people, and we wanted to get all of you in on the celebration as well.  As a result, we put together a little contest in which we hid an image of Roy’s (almost) 20th cake somewhere on our website, and those who found it were entered in a chance to win a $35.00 gift card.

To make a long story short, the contest is over and Geary is our lucky winner!  We hope that you will all join us in congratulating Geary and Roy on their respective achievements.

Bryley Basics: Encrypt your iPhone

iPhones, versions 3GS and later, offer hardware encryption; it is activated through the data-protection feature by enabling a passcode:

  • Tap Settings > General > Passcode.
  • Follow the prompts to create a passcode.
  • After the passcode is set, scroll down to the bottom of the screen and verify that “Data protection is enabled” is visible.

Note: Your encryption protection is only as good as the passcode; try to make this difficult to guess and keep it hidden.

You should also encrypt your backup for added security.  Check the “Encrypt local backup” box in iTunes if you back up to your computer.  If you back up to iCloud it is automatically encrypted, but be sure you have a really good iCloud passcode.