10 Ways To Prevent A Security Breach In The Workplace

Among all the challenges businesses are facing today, cybersecurity is perhaps the most daunting. Many organizations across all industries don’t have the skills, technology, or staff to stand up against advanced attacks, and have little knowledge of their attack surface or of what to do in case of a security breach.

Much like Oregon Clinic’s 2018 data security incident, many companies don’t realize there is a problem until it is far too late. Instead, organizations should take preventative measures and find ways to increase visibility so they can stop a security breach well before it starts. Read more about the 2018 incident below.

What is a Data Breach / Security Breach?

A data breach is the accessing of data without proper authorization. Though the definition sounds simple, the data involved is valuable to cybercriminals: it can contain personally identifiable information (PII), company information, and even login credentials for administrative accounts.
As more companies make their way online, data breaches occur in large numbers. Plus, with advances in technologies and programs, attackers are now launching very sophisticated attacks that many companies are not prepared for.

The Frequency of a Security Breach

The Covid-19 pandemic forced many people inside and away from their typical 9 to 5 jobs. With many people unemployed and a boost in online activity, cyberattacks skyrocketed, reaching up to 192,000 coronavirus-related cyberattacks per week in May 2020 alone. The frequency of application attacks has increased over the years and is only expected to rise as attackers have more incentive to attack. 

No industry is safe from a cyberattack. The most commonly targeted industries in 2020 were finance and insurance, manufacturing, and energy. Every single one of these deals with highly sensitive data that cybercriminals can sell to interested parties or use to steal the identities of employees and customers.

As you can see in Figure 1 below, there are pretty significant differences in where industries ranked between 2019 and 2020, showing that any industry can be a higher target in years to come.

[Figure 1: most targeted industries, 2019 vs. 2020 ranking (image not preserved)]

How Does a Security Breach Occur?

Data breaches come in many shapes and forms. Whether it’s a cybercriminal working outside the system or an insider with access, data could be at risk, and it’s crucial for all organizations to understand how they occur. Some of the most common attacks targeted toward organizations are listed below.

Ransomware

Large enterprises are a prime target for ransomware, which creates a need to secure their systems aggressively. If ransomware makes its way onto a system or device, attackers can encrypt or corrupt data and demand a fee for its release.

Staying educated on current ransomware trends can help you predict and prevent data breaches. Check out our blog post below for our 2021 ransomware trend predictions.

Malware

If you or your employees keep seeing unsolicited prompts on the web urging you to “upgrade your network security,” you could be the target of a malware lure. A click on such a malicious link downloads malware that slows and disrupts the entire system. The result is a crashed system and/or compromised data.

Phishing

Phishing is becoming a more significant issue than ever before, with many cybercriminals upping their game when it comes to phishing emails. Phishing involves the mimicry of a legitimate website in an attempt to gain user trust and steal sensitive information. If employees don’t know how to watch out for phishing, they could put your entire system in danger.

Denial of Service (DoS)

Attackers sometimes build networks of bots whose only purpose is to flood a system with traffic. If an organization’s configurations are not robust enough, such floods can knock entire systems off the internet and out of use for their customers.

Workplace Mistakes that Increase Risk of Security Breach

More organizations than ever are turning to the web for their day-to-day dealings. Though the web is efficient, it leaves them prone to cyber threats that could expose sensitive data. Insecure practices are common at every level of the workplace, from line employees up to security analysts.
Some common mistakes include:
  • Accidental sharing
  • Weak password selection and renewal policy
  • Employee misuse of network
  • Weak security configurations
For a more aggressive approach to decreasing risk, companies should incorporate preventative measures and educate their employees on the importance of iron-clad security. Below, we’ll discuss ten preventive measures you and your employees should start practicing today.

10 Ways to Prevent a Security Breach in the Workplace

Cybercriminals are always on the lookout for an opportunity to strike. Keep them from ever getting close by adding these ten practices into your workplace.

1. Make a Solid Password Policy

Too many times, employers leave employees to set their own passwords. To make them easy to remember, employees often choose things that are also easy to guess: a birthdate, a child’s name, the name of a pet. None of these are secret, especially when the whole world shares them on popular social sites.
As a means of prevention, organizations should amp up their password policy and have a randomly allocated password with a mix of letters, numbers, and symbols. Though you might have to reset passwords a time or two, that is far better than dealing with a security breach that puts company and client data at risk.
When incorporating a new employee and setting them up with credentials, always explain the importance of password protection and encourage them not to share information. Plus, as an extra layer of protection, configure your system to update user credentials often to keep passwords random.

2. Don’t Forget to Update

Do you know those notifications that pop up from time to time with updates? We know all too well how annoying they can be, but they should never be skipped for security purposes. Updates are there to keep your system and all software current and sometimes are meant to improve security measures.
Plus, you get an extra perk when you keep your system updated, enjoying seamless surfing and faster executions. One issue that comes with updates is that they can take a long time. Still, with the proper scheduling, you could have your team get them done after hours and come into work the next day with an updated system.

3. Check Your Router

Advanced attackers no longer need to plug USB drives into your machines or get employees to click malicious links. These days, they can gain access to your system from thousands of miles away, especially if configurations are not up to par. Just like other parts of your system, your router is an important piece that needs proper security.
When setting up and configuring your router, enable encryption so that traffic is unreadable to any attacker who intercepts it, human or automated.

4. Learn the Art of Backups

Data is a cybercriminal goldmine. With customer and company data, attackers have the opportunity to do a number of things, including:

  • Identity theft
  • Selling data lists to advertisers
  • Gaining access to unauthorized areas
  • Crashing an entire system

With the amount of data coming into systems of all sizes, management and storage are a bit of an issue. That’s why frequent backups can take care of storage issues and prevent security breaches. Backups keep a safe copy of data so that common security threats like ransomware cannot take databases away from you.

One issue with frequent backups is storage. Organizations need a lot of space that’s accessible at all times and is protected from dangers. Options like the cloud are a common choice as it is secure and readily available. Whatever organizations choose, it should be secure and be able to hold backups as they come along. 

Of course, even backups fail. Check out our blog post below on how to protect your data when disaster strikes.

5. Firewalls, Anyone?

You’ve probably heard of a firewall but might not know why it’s crucial. You can think of it as your system’s first line of defense against cyberattacks. When configured properly, it blocks unwanted connections and keeps outsiders from breaking into the system. Though firewalls can be a hassle for some users, they are much less of a headache than a data breach.
When configuring your firewall, make sure to be strict regarding unknown IP addresses, unknown users, and zoning. All of these will help to keep a secure barrier around your system and keep unwanted traffic out.

6. Have a Plan in case of Security Breach

Breaches happen more often than you might think. The last thing you want is to experience a breach and not know how to deal with it. Instead, create a plan that will help you tackle the issue in case a breach happens. If you suspect that your system has been compromised, kick the plan into gear and don’t forget to:
  • Identify the Threat (Ask all the “W” questions to get to the bottom of it)
  • Contain it
  • Get rid of it
  • Recover your system
  • Document and reflect
Most companies do not know how to respond to an attack and may respond too slowly, putting their information and customer credentials at risk. Because every company that handles data and has some kind of online connection is at risk, they should have some sort of plan that will help them identify a data breach. Plus, after each attempt, they should keep everything on record in case there is a recurring issue.

7. Encryption of Data in Transit

No matter what form data is in, it’s susceptible to theft. However, data in transit has a higher risk simply because it is passing from one place to another. That’s why encrypting data that’s constantly in motion is essential. If an attacker happens to get ahold of the data, they will not be able to make any sense out of it.
When data is encrypted, it is only converted back to readable text once it reaches a location that checks out as safe or a receiving party that holds the keys to decrypt it.

8. Get Employees on Board

The ordinary person doesn’t often think about cybersecurity. Most believe that, with a password, you should be protected. Also, they don’t really know how advanced cybercriminals have become in their tactics, unable to imagine the scale at which they can cause damage with a successful application attack.
As a preventative measure, you should teach employees the importance of securing your system and the common types of attacks that could take place. Letting them in on the “why” of security will make them more aware of their time online and help them notice when they spot something that seems odd or out of place.

9. Advanced Virus Detection

For some systems, legacy antivirus software won’t do the trick. Attackers are getting more sophisticated in their methods and know antivirus software inside and out. Modern-day virus detection is on the rise and something that organizations should look into as a part of their protection methods.
Many cutting-edge programs increase the visibility of systems and automate tasks instead of leaving them to worn-out security teams. Incorporating interactive and automated real-time detection into a system and across cloud infrastructures can help.

10. Audit, and Audit Again

Any time that malicious activity is spotted, companies should do their part to document efficiently. In that way, they can have a list of attempted breaches or actual breaches to refer back to. It will also serve when testing for vulnerabilities in the system, helping them get to the root cause faster.
Regularly checking your system is an excellent way to become familiar with it and get better at detecting malicious activity. The faster that activity is spotted and identified, the less harm an attacker can do. Always keep track of findings during an audit and schedule frequent audits so that nothing takes you by surprise.

Prevent a Security Breach Before it Happens

It’s no longer enough for companies to add one form of virus protection to their system and forget about it. These days, the attack surface has increased, bringing more opportunities for cybercriminals to act. That’s why companies of every industry should implement preventative practices and share them with their employees. 

Combining prevention with up-to-date methods of detection, organizations have a solid defense against all kinds of common attacks, able to detect and stop them before they get ahold of sensitive data. Because business is shifting out of the storefront and online, organizations must adapt and protect themselves and their users from the possibility of a security breach.

Are you concerned about the cybersecurity of your business? Edge Networks can help! Take our free, self-guided IT Security Risk Assessment, or contact us today for a free, 30-minute consultation.

How to Maintain the Cybersecurity of Your Remote Workers

The Sudden Jump to Remote Work: The Need For the Cybersecurity of Your Remote Workers

In August 2020, Malwarebytes (PDF) released a report including data from a survey conducted with 200 IT and cybersecurity professionals examining the impact of COVID-19 in the security world. They found that over 50% of IT employers stated their biggest work from home (WFH) challenge was training remote workers to work at home most securely and compliantly.
 
This daunting challenge is shared by many, from IT professionals to small-business owners. Working from home always carries cybersecurity risks, and the quick jump from working in an office space to working remotely undoubtedly left many employees even more vulnerable to cyberattacks than before.
 
Although there is no way to ensure your team is 100% secure, we want to share a few working from home cyber security best practices and remote employee security tips to help you and your team stay protected.

Work from Home Security Tip #1: Educate Your Employees

Working remotely places more responsibility on individual employees to ensure security, but you should never assume they know the slightest thing about cybersecurity. Creating a plan to focus on cybersecurity for remote workers will help you in the long run. In an ideal world, security would be everyone’s responsibility, but that’s not the case when employees feel they are already overwhelmed with their current responsibilities. 

Set and Communicate Expectations 

Add that to the chaos of working from a distraction-filled home, where there may be children running around, a dog that needs walking, or a quick chore that needs to get done. It’s difficult for anyone to keep cybersecurity at the forefront of their mind with the endless distractions when working from home.
This is where you come in to provide helpful resources and clear expectations to ensure your company’s security in the form of education and a solid work from home security policy.
Setting clear expectations for remote employees doesn’t have to be complicated. It can be as simple as sending an email or as detailed as a remote working security policy they’re required to sign. Just remember, it should be easily accessible and clearly outline the company’s expectations as they work from home, including security guidelines, plans, and policies.

Phishing and Malware

Many people think cybersecurity attacks aren’t a real threat to them until it’s too late. Cybercriminals adapt along with the world’s current events and will take any opportunity to get what they want. A more recent example of this is with COVID-19.
When the second round of stimulus checks was approved, the IRS warned that scammers might reach out through text messages, social media, phone calls, and emails to trick people into disclosing personal or bank information. These scammers often used words such as “stimulus” and “coronavirus” and offered opportunities to invest in companies producing COVID-19 vaccines.
This serves as a great reminder to tell your employees to avoid phishing scams and malware, which are as high a risk as ever when working from home. Remember that there are many affordable resources available to help you manage IT security problems like phishing and ransomware attacks, such as KnowBe4 or Proofpoint, and the cost is worth your peace of mind.

Password Management

Did you know that in 2019, compromised passwords were responsible for 81% of hacking-related breaches? Good password management practices can save you a lot of money, time, and heartache in the long run. Always train your employees to practice good password management.
A secure password includes:
  • 8-character minimum length
  • Both upper- and lowercase letters
  • At least one number
  • At least one special character
When possible, enable multi-factor authentication for an extra layer of security. Schedule an annual password audit, never reuse old passwords, and don’t store your password in an unsecured location (such as your device’s “notes” app, saved as a device contact, or in an unsecured Excel file). A great way to ensure cybersecurity for remote workers is to use a password manager, such as Dashlane, LastPass, or 1Password, to keep your passwords in one place and create unique passwords for every account.
Remember that your employees have a lot going on outside of work, and you can’t expect them to become cybersecurity professionals overnight.
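The password rules above, as an added example (assumed code written for this page, not Edge Networks' own): a small Python policy check that enforces the four listed requirements, rejects passwords built from personal details such as a pet's name or birth year (the weak choices called out in the first post's password section), and compares a candidate against a salted hash history so old passwords are not reused. The `personal_terms` list, the substitution table and the sample passwords are constructed for the example.

```python
"""Password policy check, added as an illustration (assumed code, not Edge
Networks'): enforces the four listed rules, rejects passwords built from
personal details, and prevents reuse via a salted hash history."""
import hashlib
import hmac
import os

SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Assumed table of common substitutions (0 for o, 1 for l, ...) so that
# "F1uffy2015" is still recognised as the pet's name. Constructed for this example.
LEET = str.maketrans("013457@$!", "oleastasi")


def _normalise(text):
    """Lowercase and undo common character substitutions for comparison."""
    return text.lower().translate(LEET)


def policy_violations(password, personal_terms=(), min_length=8):
    """Return the list of rules the password breaks; an empty list means it passes.

    personal_terms: strings that must not appear in the password, e.g. the
    user's name, a child's or pet's name, or a birth year (assumed input).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    normalised = _normalise(password)
    for term in personal_terms:
        if len(term) >= 3 and _normalise(term) in normalised:
            problems.append(f"contains personal detail '{term}'")
    return problems


def hash_for_history(password, salt=None):
    """Salted PBKDF2 digest kept in the password history instead of the password
    itself. Returns (salt, digest). The iteration count is an assumed example
    value; a production system should use a tuned, slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def reused(password, history):
    """True if the candidate password matches any earlier (salt, digest) entry."""
    return any(
        hmac.compare_digest(hash_for_history(password, salt)[1], digest)
        for salt, digest in history
    )


def evaluate(password, personal_terms=(), history=()):
    """Combine both checks the way an account-provisioning step would."""
    problems = policy_violations(password, personal_terms)
    if reused(password, history):
        problems.append("matches a previously used password")
    return problems


if __name__ == "__main__":
    # Constructed sample data: an employee named Sam with a dog called Fluffy,
    # born in 1987, whose previous password was "OldPa55w0rd!".
    history = [hash_for_history("OldPa55w0rd!")]
    for candidate in ("Fluffy2015!", "password", "OldPa55w0rd!", "Tr0ub4dor&3"):
        print(candidate, "->", evaluate(candidate, ["Sam", "Fluffy", "1987"], history) or "OK")
```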

Work from Home Security Tip #2: Ensure Device Security

The good news is that many employers were able to supply their staff with devices to work remotely. The bad news is that not many employees were trained in caring for and ensuring the security of these devices. One of the most critical things you can do as an employer is to encourage your employees to have good work from home security awareness and to keep their devices secure through updated software, regulated personal devices, and avoiding unsecured networks.

Up-to-Date Software

Software updates can seem like a nuisance at times. It’s easy to click “Remind Me Later” when prompted to update, but doing so can leave you vulnerable to attacks. Cyber threats are continually changing, which means operating system providers need regular updates to combat and keep on top of them. When you update your software regularly, you are less vulnerable to having the data on your devices compromised.
One of the best ways to ensure your software is updated is by enabling automatic updates when possible. This takes the stress of manually updating off you and allows the system to update on its own, usually late at night when you most likely won’t be using it. If automatic updates aren’t possible, you can set a reminder to do it when you’re home from work or about to get in bed, so it can be updated by the time you need your device again.

Personal Device Use

Another critical factor in the security of your devices is understanding and regulating personal device use. Personal devices can be easily compromised, which is why it’s startling that 48% of workers use the same passwords in both their personal and work accounts. Workers also seem to be prioritizing the security of their personal accounts over their work accounts, according to LastPass’ Psychology of Passwords global report (PDF).
What this means for you is that your employees’ flawed security behaviors or complacency with password management can likely extend into your business. Make sure you take the time to create a remote working security policy for company devices and educate your employees about how they should use them. One should only use their work-issued laptop for work-related business and avoid similarities in their personal and professional passwords, which can quickly lead to a company data breach, creating more security issues with working remotely.

Avoid Unsecured Wi-Fi Networks

According to the 2019 State of Remote Work report from Buffer, the second most common location employees work from is coffee shops and cafes at 37%, with the first being working from home. While coffee shops and cafes can be a great environment for productivity with a change of scenery and great coffee a few feet away, it’s important to remember cybersecurity risks can be even more prominent with unsecured Wi-Fi networks.
Never trust networks that are not password-protected. Even if the network does request a password, you should remain vigilant. It’s not difficult for someone to find out the network password at a local coffee shop and create a fake network with the same password to steal personal user data. If possible, use a Virtual Private Network (VPN), so that cybercriminals can’t read your data even if they gain access to the network.
VPNs are great, but many of them have been under strain recently as more and more remote workers use them, slowing them down. If your policy allows it, and if you’re confident the network you’re using is secure, consider disconnecting from the VPN and using it only when necessary.

Work from Home Security Tip #3: Support Your Team

The final way to ensure your employees are secure at home is by supporting your team. You can’t expect your team to know the ins and outs of cybersecurity (or even the basics) without learning how to maintain security for remote employees yourself. After that, you can provide support, education, and resources for your team.

IT Support

Even if you make every employee go through cybersecurity training or sign a policy, cyberattacks can still occur. You should provide vigilant IT support and make sure your company is prepared to respond to a data breach or security incident at any time.
Additionally, you should also consider investing in a cloud-based service and secure collaboration and communication channels for your team to help keep work things in one place for everyone.

Adjust Your Expectations

The COVID-19 pandemic has thrown a curveball at us all. Many people have had to give up things they love because of it. Whatever it may be, it’s essential to adjust your expectations and understand that many people are struggling right now.
According to the Mental Health Index: U.S. Worker Edition, between November and December 2020, there was a 48% increase in the risk of depression, and employees’ focus dropped 62% – a record low since the start of the research in February 2020.

Remember that, now more than ever before, your role requires you to listen, be patient, and expect changes in employee performance during this time.

The COVID-19 pandemic has required businesses to reevaluate how they approach many things, including cybersecurity. Cybersecurity in itself is a difficult topic to tackle, and even more so when you consider how to maintain security when employees work remotely. The best way you can help ensure your team’s security at home is by educating your team, ensuring device security, and providing support for your employees. 

Are you concerned about the cybersecurity of your company’s remote environment? Edge Networks can help! Take our free, self-guided IT Security Risk Assessment, or contact us today for a free, 30-minute consultation.

8 Good Cyber Hygiene Tactics to Keep Your IT Humming

Keep Your IT Humming with These Cyber Hygiene Tactics

Maintaining a healthy and secure IT environment is crucial for any organization. Just like practicing good personal hygiene keeps us healthy, adopting strong cyber hygiene tactics ensures the smooth functioning of your IT infrastructure. Whether you’re a small business owner or part of a large enterprise, implementing these eight essential cyber hygiene tactics will help keep your IT humming and safeguard your valuable digital assets.

Server and Network Management Basics

Server and network management can be a daunting task for many, regardless of administrative experience. 

There are a few key baseline areas to focus on as you mature through IT progression. 

First Things First

The management of your devices should begin as soon as they hit the loading dock. It all starts with asset management.

Asset Management

Asset management should be at the core of your management strategy. Asset management documentation should contain, at a minimum: 

– Location of the device 

– Device manufacturer 

– Serial number of the device 

– Warranty information 

– System owner contact information 

– System administrator contact information 

Other good items to include: 

– Base Operating system version 

– Hardware installed such as CPU, RAM and port capacities, installed and available 

– ROM or BIOS version and configuration 

This data can assist in planning device lifecycles and when doing financial allocation and depreciation. It can be held in something as simple as a spreadsheet or as complex as an asset management system. 

Configuration Management 

Configuration management is just what you might think. It is the collection of the past and present configuration of a device. This data is typically managed with a configuration management database or system. It contains items such as: 

– Operating system version and patch levels 

– Third-party applications and plug-ins and version 

– Hardware configuration including RAM, CPU, Network Interface Cards (NIC) and other installed components. 

– IP addresses 

– Connected devices

– Switch port speeds and duplex 

The list of items tracked, known as Configuration Items (CI), should include everything so that you can effectively and efficiently manage your devices. 

Why is this data important? It is important because it helps you ensure your systems are up to date. It can help troubleshoot a problem caused by a recent change or assist during a disaster when you need to replace and recover a failed component.

Change Management 

Change is the addition, modification or removal of anything that could affect your IT devices and services. Change management is the process (the rules) that governs how change happens. 

The scope of change management should include all IT services, CIs, technical processes and related documentation. This data is stored in a change management database (CMDB).

Any changes made in the environment should start with a Request for Change (RFC). An RFC is a formal proposal for a change to be made in change management. An RFC includes all the details of a proposed change and can be recorded by either paper or electronic means. More mature organizations use software tools to track and manage these requests. 

Types of Change

There are three main types of change in change management: Standard Change, Normal Change, and Emergency Change.

Standard Change

A standard change is a pre-approved change that is low risk, relatively common and follows a defined procedure or work instructions. For instance, the password change of a user every three months is a good practice. It is common, and when the user follows the instructions, they can change the password easily. 

Standard changes do not require an RFC to be submitted. Standard changes are logged and tracked using different mechanisms within the change management process. These changes are typically logged as a service request and are managed by the service desk. 

Normal Change

Normal change is every change that is not classified as a standard or emergency change. If a new feature has been introduced for a new service or existing service has been updated, this is an example of a normal change. For instance, a software update or addition is an example of normal change classified in change management. 

Emergency Change

The third type of change is emergency change. Instead of extending an existing service or introducing a new service, emergency changes are initiated generally to solve a major incident or implement a security patch. Emergency changes must be introduced as soon as possible. For example, if a security exploit has been identified that can harm the company, customer data, or reputation due to data loss or leakage, this is a critical issue and must be fixed immediately. 

The change management process will normally have a specific procedure for handling emergency changes. The normal change procedure can be more bureaucratic and can take time to get all the approvals needed to implement a change, but because emergency changes must be implemented as soon as possible, there are faster, dedicated procedures or checklists for handling them.

Catch a CAB

The Change Advisory Board (CAB) is a group of people that advises the Change Manager in the assessment, prioritization, and scheduling of changes during the change management process.

The change manager is ultimately responsible for coordinating, organizing, prioritizing, and managing changes in an IT service provider. However, several departments, stakeholders, and organizations interact with IT services in service delivery.

So, when managing and implementing changes in the IT services, representatives of these departments or organizations advise the change manager. For example, a department using a service can advise the change manager on what happens if the change does not succeed. The CAB usually consists of representatives from IT Services, Business, Suppliers, and Partners.

The Emergency Change Advisory Board (ECAB) is a subset of the change advisory board that makes decisions about high-impact emergency changes. Let’s consider the example given previously. Suppose you have been notified that there is a security leak in the system.

After developing the security fix for this issue, an immediate meeting is organized to get the stakeholders’ opinion on this emergency change before it is implemented.

Membership of the ECAB depends on the nature of the emergency change and may be decided when a meeting is called. Only the relevant stakeholders are called to the meeting to be notified of the change. For normal changes, by contrast, the change advisory board comes together regularly to advise the change manager appropriately.

Good Cyber Hygiene Tactics to Implement

Last, but certainly not least, it is important to remember to take care of small housekeeping details to keep your devices humming. Here are some critical but easy ones. 

1. Review logs – Check logs on your devices to ensure that the system and security are not providing obvious red flags. Having an event monitoring tool makes this task easy and provides granularity on important events occurring. 

2. Archive logs – Logging takes up a lot of space. Ensure that you save these logs to long-term storage regularly so you can still review them if needed. 

3. Maintain separate admin accounts – Do not give administrative privilege to an administrator’s daily account. Assign complex passwords and controls to these accounts. On devices, create accounts specific to that device for both reporting and administrative functions. 

4. Service accounts – Create separate service accounts on servers that are members of the domain and not local. Ensure a complex password is used, and proper controls to the accounts are followed. 

5. Antivirus/AntiMalware – If possible, use centralized management and reporting for this software. Aside from real-time protection, make sure to schedule a routine task to do a deep scan. 

6. Service packs, patches and updates – Threats are evolving on an hourly basis. Have a process or use a tool that keeps your devices in sync with the latest critical updates. 

7. Device monitoring – Use the manufacturer’s tools or consolidated monitoring to know when devices are down, have heavy RAM or CPU use, run out of storage space, or experience network flooding. 

8. Backup critical data – Perform regular backups of your data and system states. Keep local and offsite/cloud-based copies of this data in the event you may need to restore. 

 

As you have read, both documentation and good operational discipline are mainstays to a more reliable and predictable IT environment. It is never too late to start implementing good cyber hygiene tactics, and the process is continuous. 

We at Edge Networks know that when managing your IT, there can be a lot of moving parts and potential pitfalls. Remove the burden of managing your IT with our flat-fee IT managed services program. Contact us to schedule a free, 30-minute consultation today.

Data Loss Prevention: How to Protect Your Data When Disaster Strikes

Data Loss Prevention: Preparing for a Rainy Day

One of the most terrifying experiences for a business executive, employee or IT administrator is when data loss has occurred. Perils can come from many places and it’s important to know where they come from.  Knowledge is the first step to preventing this tragedy. We will go over why data loss occurs, how to recover if disaster strikes, and how to start prevention right now.

 

Top 5 Causes of Data Loss

What are the main reasons your data is at risk?

1. System Malfunctions

This is the leading cause of data loss. Hard drives fail. Power goes out without warning. Computers are complex machines with millions of points of failure.

 

2. Human Error

Human error continues to be one of the leading causes of data loss. Whether it is from accidental file deletion, failure to back up data, or losing a device, humans are, well, human. Accidents happen. 

 

3. Software Errors 

Who doesn’t remember working on an important document or presentation only to run into tech problems where the software freezes and the work is lost? It has happened to the best of us. 

 

4. Computer Viruses and Malware

Viruses and malware can wreak havoc on computers and files. From ransomware encrypting data to viruses like ILOVEYOU destroying files, daily risks abound. 

 

5. Natural Disasters

Fires, floods, earthquakes, and wind are the most uncontrollable causes of data loss, but fortunately they are also the least frequent. 

 


 

Proper preparation for these inevitable events allows for business continuity and peace of mind. Let’s take a look at some commonsense ways to keep your business going when lightning strikes.  

 

Matters of Metrics

When considering the best approach for backup and disaster recovery, it is important to understand what is being protected and the criticality of the data involved. This is where Recovery Time Objective (RTO) and Recovery Point Objective (RPO) need to be understood.   

 

Recovery Time Objective (RTO)

RTO is the duration of time it should take to restore all applications and systems after an outage. RTO is usually measured starting from the moment an outage occurs rather than when the IT team starts their restoration efforts. Simply put, the moment of the outage is when the users and clients were initially impacted.  

 

Critical questions to consider when determining your Recovery Time Objective (RTO):  

 1. How long can your business afford to be down before a negative impact, be it revenue, reputation, or another critical metric, is observed?  

2. What is your budget for restoration services to occur?  

3. What tools, process and resources are needed to meet the objective?  

 

Recovery Point Objective (RPO)

RPO defines the point in time to which you will restore your data after a disaster. It limits how far to roll back your recovery and defines how much data your business can afford to lose before affecting productivity, revenue, and reputation.  

 

Critical questions to consider when determining Recovery Point Objective (RPO):  

 

 1. How often does your business data change? Is it high transaction data or mostly static content?  

2. What type of backups are being performed?  

3. What are the storage requirements to meet this objective?  

 

Down to the Basics

Once you have determined your RTO and RPO, you can start to plan out your strategy. Let’s start with the three basic types of backups: full, incremental, and differential. 

 

Full Backup 

A full backup is just as the name implies. It is a total backup of everything. While it is good to have a full backup, it also takes the greatest amount of time to perform or restore, not to mention the amount of space it consumes. If you determine your RTO is short, then using a full backup daily is not a good choice. Conversely, if your RPO is weeks or months, then you will likely depend on full backups.   

Typically, only a small percentage of the information in a partition or disk changes on a daily, or even weekly, basis. For that reason, it makes sense to back up only the data that has changed each day. So, what’s the balancing point? That’s where the other backup types come into play. 

 

Differential Backup 

A differential backup backs up only the files that changed since the last full backup. For example, if you do a full backup on Sunday then Monday you back up only the files that changed since Sunday, on Tuesday you back up only the files that changed since Sunday, and so on until the next full backup.   

Differential backups are quicker than full backups because much less data is being backed up. They are a better choice for a shorter RTO and less attractive for a longer RPO. The amount of data being backed up grows with each differential backup until the next full backup, so the storage requirements can become substantial over time. 

 

Incremental Backup 

Incremental backups also back up only the changed data, but only the data that has changed since the last backup — be it a full or incremental backup. If you do an incremental backup on Tuesday, you only back up the data that changed since the incremental backup on Monday. The result is a much smaller, faster backup. They are a good choice for meeting an aggressive RTO but not good for a long RPO. With incremental backups, the shorter the time interval between backups, the less data there is to back up, so your storage needs are lower than with full or differential backups. 

While incremental backups give much greater flexibility and granularity for restoration, they have a reputation for taking longer to restore because the backup has to be reconstituted from the last full backup and all the incremental backups since. 
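To make the differences between the three backup types concrete, here is an added Python simulation (example code, not from the original article): it models one full backup on Sunday followed by four days of edits, builds either differential or incremental sets from the same changes, shows which sets a restore must replay to rebuild a given day, and counts storage in file-copy units. The file names and the daily change pattern are constructed, and "one unit per file copy" is an assumption that keeps the storage comparison simple.

```python
"""Full, differential and incremental backup sets, simulated.

Added example, not from the original article. File names, daily changes
and the one-unit-per-file-copy storage measure are constructed.
"""
from dataclasses import dataclass


@dataclass
class BackupSet:
    day: int
    kind: str     # "full", "differential" or "incremental"
    files: dict   # file name -> version number captured in this set


# Constructed data: five files at version 0 on Sunday (day 0), then four days of edits.
INITIAL = {"a": 0, "b": 0, "c": 0, "d": 0, "e": 0}
CHANGES = [{"a"}, {"b"}, {"a", "c"}, {"d"}]   # Monday .. Thursday


def simulate(initial: dict, daily_changes: list, mode: str):
    """Return (backup sets, live state after each day). Day 0 is always a full backup."""
    if mode not in ("differential", "incremental"):
        raise ValueError(mode)
    live = dict(initial)
    sets = [BackupSet(0, "full", dict(live))]
    states = [dict(live)]
    since_full = set()                          # names changed since the last full
    for day, changed in enumerate(daily_changes, start=1):
        for name in changed:
            live[name] = live.get(name, 0) + 1  # an edit bumps the file's version
        since_full |= set(changed)
        names = since_full if mode == "differential" else set(changed)
        sets.append(BackupSet(day, mode, {n: live[n] for n in sorted(names)}))
        states.append(dict(live))
    return sets, states


def restore_chain(sets: list, day: int) -> list:
    """Sets that must be replayed, in order, to rebuild the end of `day`."""
    full = sets[0]
    later = [s for s in sets if 0 < s.day <= day]
    if not later:
        return [full]
    if later[-1].kind == "differential":
        return [full, later[-1]]   # one differential holds everything since the full
    return [full] + later          # every incremental since the full is needed


def restore(sets: list, day: int) -> dict:
    """Replay the chain: later sets overwrite earlier copies of the same file."""
    state = {}
    for s in restore_chain(sets, day):
        state.update(s.files)
    return state


def storage_used(sets: list) -> int:
    """Total file copies kept, one unit each (an assumption for comparison only)."""
    return sum(len(s.files) for s in sets)


if __name__ == "__main__":
    for mode in ("differential", "incremental"):
        sets, states = simulate(INITIAL, CHANGES, mode)
        print(mode, "sets to restore day 4:", len(restore_chain(sets, 4)),
              "storage units:", storage_used(sets),
              "restore matches live:", restore(sets, 4) == states[4])
```

Running it shows the trade-off the text describes: both strategies rebuild Thursday's data exactly, but the differential restore replays two sets while consuming fifteen storage units, and the incremental restore replays five sets while consuming ten.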

 


Backups, the Next Generation

If your head is hurting just thinking about the complexities of backup strategy and execution, you are not alone. Doing backups used to be so complex that there was a dedicated position in most companies just to keep it all on the rails. Even then, there were problems. Broken or old tapes and disks added to the headaches of being confident about your strategy. Employees had to make sure their files were closed during the backup window. Periodic recovery testing would take entire weekends to complete. It was a mess. 

Enter the next generation of backup. 

Modern backup strategies employ advanced software, hardware and cloud services that simplify things, A LOT.

Snapshots 

Most backup software available today uses snapshot technology to create a point-in-time copy of the data. Typically, the snapshot copy is done instantly. The original copy of the data continues to be available to the applications without interruption, while the snapshot copy is sent to an on-premises or cloud-based storage location. 

Snapshots provide an excellent means of data protection. The trend towards snapshot technology comes from the benefits snapshots deliver in addressing many of the issues businesses face. Snapshots enable better application availability, faster recovery, and easier backup management, reduce exposure to data loss, and virtually eliminate the need for backup windows while lowering total cost of ownership (TCO). Snapshot technology allows businesses to meet almost any RTO and RPO goals. The cost of this technology is typically higher than traditional methods because of the storage requirements involved. 

 

Continuous Data Protection 

Continuous data protection (CDP), also called continuous backup, refers to backing up data whenever a change is made to it, by automatically capturing each change to a separate storage location. CDP effectively creates an electronic journal of complete storage snapshots. 

Continuous data protection differs from typical snapshot implementations because it creates a snapshot for every instant at which data is modified, instead of the single point-in-time copy created by other methods. CDP-based solutions can provide fine-grained restores, from individual objects such as files at any point in time to crash-consistent images of application data such as databases, file servers, and mailboxes. 

Validation of successful snapshots is often accomplished by actually starting and testing the machine image taken. This offers an unparalleled level of confidence in the integrity of your backups. 

There is no “one size fits all” approach for data loss prevention, and some things are worth more than others. There is a myriad of companies that offer backup software and services. It is highly recommended that you work with a trusted technology professional to assist in your selection so that you can achieve a balance in performance, costs, and recovery objectives. Contact us today to schedule a free, 30-minute consultation, or take our free, self-guided IT Security Risk Assessment.

Breaking Down the Cloud: Picking the Right Cloud Management Platform

Aim for the Sky with Application and Cloud Management

Over the past decade, we have witnessed a steady shift of computing to the cloud. This year, there has been an unprecedented amount of growth in the cloud. As companies look to rein in costs, leverage emerging computing platforms, and adjust to new working arrangements, the cloud has offered the flexibility and scale to support this shift. However, getting there is only half the battle. How do you securely manage your data and applications once you have made the change? Before we dive into cloud management, let’s spend some time defining commonly utilized cloud services. 

 

What is the Cloud?

The term cloud most often refers to Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS). At a very high level, these services build upon the preceding service with IaaS as the base, then layered by PaaS and SaaS at the top.

 


Infrastructure-as-a-Service (IaaS)

With IaaS, a cloud service provider typically owns and manages the infrastructure: the servers, networking, and storage. Your company is responsible for purchasing, installing, configuring, and managing the software it owns, such as operating systems, middleware, and applications.  

 

There are three main types of IaaS: public, private, and hybrid. 

1. Public Cloud

When most discuss the cloud, they are speaking of public clouds. Public cloud is the most prevalent type of cloud computing service available. Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) are the most popular public cloud service providers. These services are open to the public, and companies can purchase their storage and computing capacity on-demand. 

 

2. Private Cloud

Private cloud infrastructure is operated solely for a single company. It usually sits within a private network and is accessed remotely using a Virtual Private Network (VPN) or a dedicated circuit or tunnel from corporate locations. These platforms offer wide flexibility in computing power and storage capacity. Organizations that have specialized computing needs or want to have total control of their data often leverage these services. As a result, these services are typically more expensive than their public counterparts. It should be noted that some companies choose to build and run their own private clouds. 

 

3. Hybrid Cloud

Hybrid cloud environments are a combination of public and private cloud services. Companies may choose to use private cloud servers for privacy reasons while leveraging the lower costs of public cloud servers for less sensitive compute needs. When the environments are interconnected, this is a hybrid cloud environment. 

 

Platform-as-a-Service (PaaS)

This computing model was made for companies that want to focus on developing applications, for either internal or external consumption, without the challenges of managing the underlying infrastructure.

 

Like IaaS, PaaS includes infrastructure but adds middleware, development tools, business intelligence (BI) services, Database Management Systems (DBMS), and more. PaaS is designed to support the complete web-based application lifecycle: building, testing, deploying, managing, and updating. 

PaaS allows you to avoid the expenses and complexities of buying and managing software licenses, the underlying application infrastructure and middleware, container orchestrators such as Kubernetes or Docker Swarm, or the development tools and other required resources. You manage the applications and services you develop, and the cloud service provider typically manages everything else. 

Major PaaS providers include Microsoft Azure, AWS, GCP, IBM and Oracle. 

 


Software-as-a-Service (SaaS)

SaaS allows users to connect to and use cloud-based applications over the internet. All of the underlying infrastructure, middleware, application software, and application data is located in the cloud service provider’s data center. The cloud service provider manages the hardware and software.  

The provider is responsible for maintaining the availability and the security of the application and the data it houses. SaaS is typically favored by companies that need to quickly ramp up the productivity of an application such as email, calendar, Customer Relationship Management (CRM), or Enterprise Resource Planning (ERP). 

Examples include Gmail, Salesforce, Microsoft 365, and many more. 

 

Taming the Beast

The proliferation of cloud technologies in the business environment has changed how CIOs and IT managers must approach the management of IT costs, compliance, security, and asset management. According to an IBM survey, 85 percent of companies utilizing cloud services have multiple providers. Every provider has strengths and weaknesses, but this lack of standardization places most traditional IT organizations in unfamiliar territory.

 

Cloud Management

What about the management of the platforms themselves? 

Many companies turn to Managed Service Providers (MSP), who specialize in cloud management, or leverage Cloud Management Platform (CMP) tools. 

There are a range of cloud management tools available. Cloud management tools can be used to perform various functions, including asset inventory management, self-healing and workflow automation, security and compliance activities, monitoring and metering, access control, provisioning and orchestration, cost optimization, and more.

 


Data Analytics

Cloud management tools are purpose-built to extract massive volumes of data from your application stack using automatically generated computer logs. Log files contain information about every event that happens in your cloud environment, and analysis of those files can yield information about errors, security vulnerabilities and compliance.  

 

Compliance

Organizations without cloud management tools can spend hundreds of working hours each month collecting, normalizing, and analyzing data to understand cloud-based infrastructure and applications’ performance and compliance status. With a cloud management platform, your IT department can log aggregate and performance data from multiple cloud service providers into a single platform, monitor in real-time, and even generate customized reports.  

 

Security Integration

All cloud platforms have their own flavor of security approaches and tools. This complexity creates challenges for IT departments as they strive to enforce a single set of policies across disparate clouds. It is important to select a cloud management tool that integrates seamlessly with security tools on all platforms in use. This will ensure policy enforcement and consistent security are applied as desired. Most cloud management tools have the ability to aggregate security events, much like a traditional Security Information and Event Management (SIEM), to identify threats across all clouds in use.   

Effective cybersecurity should be a top consideration for businesses operating in multiple clouds. The increasing use of cloud services has caused a rise in Distributed Denial of Service (DDoS) attacks that can impact the performance of cloud-based applications. A multi-cloud approach can lessen this impact by providing a greater level of resiliency. If one cloud provider is hit with an attack, IT departments can instantly shift the workload to another cloud environment using a cloud management tool.   

 


Understanding & Optimizing Cloud Costs

With all the cloud options available to companies and the ease of consumption, it is critically important to keep track of your spending. There is a dizzying array of performance levels, storage tiers and service levels available that affect costs. Most providers provide optimization tools or services that should be used alongside your cloud management tool to ensure you are using the appropriate technology mix. For example, if you have a database with low transaction volume, but you are paying for a much higher tier of service, cost optimization can catch this and assist with the decision to move to a more appropriate tier. 

Companies should also have policies and procedures in place that cover the evaluation criteria for selecting cloud service providers. The types of services authorized and who is authorized to purchase them should be detailed as well. Annual reviews of pricing structures and spend between providers should also be performed.

As spending is evaluated, it may be discovered that the breakpoint has been reached on public cloud cost optimization. If this is the case, consider moving the application or service into a private cloud or SaaS environment. 

With a cloud management tool in place, these decisions can be quickly determined and implemented without the large project expenditures seen with on-premises migrations. 

Are you thinking about implementing a cloud management tool for your company? Often, companies turn to Managed Service Providers like Edge Networks who specialize in cloud management. Learn more about how Edge Networks can simplify your workflow by helping you migrate to the cloud, or contact us today to schedule a free, 30-minute consultation.

 

The Role of Employee Security in Building a Secure & Stable Business Environment

Employee Security Matters: The First Line of Cyber Security Defense

When considering your company’s overall security posture, one often thinks only about firewalls and endpoint protection. An employee security protocol is frequently overlooked, yet it is one of the critical security measures a company must proactively institute. Employees are often the first and the last line of defense in building a secure and stable business environment. A personnel security policy facilitates a consistent approach to handling end-to-end employee security throughout the entire lifecycle of an employee’s tenure with your company. 

From an employee’s initial onboarding through their off-boarding and beyond, the development and implementation of a consistent personnel security policy will ensure your peace of mind, allow you to manage your employees consistently, and maintain your business security from start to finish. 

 

Employee Security Policies – Where it Begins & Ends

A good personnel security policy details both your company’s process and the employee’s expectations. 

Prior to hiring for a specific role in your organization, the first step in the process is to clearly outline the roles and responsibilities. The process continues during the pre-employment screening and employee onboarding, and finally concludes upon employee offboarding. There are some important policy areas to consider as you plan for or review current personnel security policies. 

 


Roles and Responsibilities


 

Pre-employment

The pre-employment process is critical to your personnel security process. Before hiring any candidate who will be given access to sensitive company data, background screening should occur. At a minimum, the background screening should include a criminal records search, credit report, and previous employment verification. Often employers fail to apply this same diligence to contractors, temporary or seasonal workers, and outsourcing companies who will be allowed to access sensitive company data or functions; however, failure to do so is a breach in your company’s security. 

Many people might ask why pre-employment screenings are so integral to a company’s security. Would you want to hire a System Administrator with a criminal record that included a conviction for data theft? Perhaps you are considering hiring a new Staff Accountant, and they have a conviction for embezzlement. Maybe you are hiring an Engineer to refine your prized invention, and the candidate was convicted of corporate espionage. Although these scenarios may sound unlikely or perhaps read like something from a movie script, these breaches in personnel security negatively impact companies of all sizes and every vertical focus on a daily basis. Pre-employment screening can save your business from a potentially damaging or even criminal incident involving your company or your data and should be in your personnel security policy.

 


Onboarding

Suppose you have decided to hire a resource and the candidate has passed the pre-employment screening process. You are confident in their qualifications and relieved they do not have a questionable background. Your new employee reports for their first day of work. What should happen next? 

Employees should be asked to review and acknowledge the following prior to receiving access to any company systems: 

1. Confidentiality Agreement – The confidentiality agreement is your protection and details what the employee can discuss or divulge outside of authorized company employees. 

2. Information System Security Agreement – These policies pertain to the employee’s responsibility in safeguarding systems and data. 

3. Intellectual and Property Rights Agreement – This agreement specifies who owns all of the hardware, software, data, and source code the employee has access to during the execution of their duties. 

4. Security Awareness Training – Information Security training should be given; however, some companies assume the new employee is aware of potential security issues or concerns. Train your employees and obtain written acknowledgement of the training. Better yet, offer this training annually to ensure that policy updates are covered. 

5. Equipment Receipt Acknowledgement – If the employee is issued a computer, phone, access badge, or other company-owned equipment, then an inventory of these items and their serial numbers should be taken and written acknowledgement obtained. 

 

Once the new hire has completed this process, the supervising employee or manager should notify Human Resources and request the new employee’s credentials from the Information Systems Security team. 

The access given to the new employee should adhere to the principle of least privilege. Least privilege refers to granting an employee the minimum amount of access to systems and data required to perform the duties of a given role. If the employee is an administrator, separate administrator credentials should be used to minimize the possibility of administrative compromise. All employees should be required to change their password upon initial use, and multi-factor authentication is recommended for added security. 

For an employee transfer to a new role or department, access should be reviewed by the Information Systems Security team to ensure the new access adheres to the principle of least privilege. 

 

Offboarding and Termination

Gone are the days when most employees earned a gold pocket watch after 50 years of employment. The reality of today is that sometimes the relationship between employer and employee may not work out. When an employee or contractor leaves, either through involuntary termination or by choice, a secure offboarding process should be followed to ensure that the integrity of the company equipment, systems, and data is maintained.   

One of the biggest threats to company security is the inappropriate or illegal use of unused credentials. Unused credentials are often ignored or even forgotten when an employee leaves, and they are frequently discovered by hackers and used to elevate privileges, sabotage systems, and steal data. These unused accounts are an excellent target for criminal activity because no one notices that the password has been changed.   

Another threat that should not be ignored during offboarding is related to the involuntary termination of an employee. Disgruntled, recently terminated employees may steal or destroy data or systems before their credentials are revoked as an act of retaliation. In 2018, a fired IT contractor with Chicago Public Schools stole over 70,000 employees’ personal information. 

 

When offboarding or terminating employees, the company should ensure that exit interviews are conducted, if possible, and: 

1. Immediately terminate access to company systems by notifying the Information Systems Security team. All of the employee’s account and login information should be disabled, and the password(s) changed. 

2. Any previously issued company-owned equipment and data should be recovered and checked against the issued serial numbers. 

3. Remind the offboarding individual about any agreements still in force. 

4. Change administrator credentials if the individual had access to system administrator credentials. 
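The unused-credential problem and the four offboarding steps above can be checked mechanically against a directory export. The Python below is an added example, not the article's or Edge Networks' code: it joins a constructed account export with a constructed HR roster, flags accounts that remain enabled after their owner's termination (with a separate marker when the account sits in a privileged group), accounts nobody has logged into for an assumed 90 days, and accounts with no human owner, then turns the findings into the ordered actions the checklist calls for. All account names, group names, dates, and the threshold are constructed.

```python
"""Offboarding checks over a directory export.

Added example, not Edge Networks code. Accounts, roster, groups and
dates are constructed; the 90-day stale threshold is an assumption.
"""
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators", "Server Admins"}  # assumed set
TODAY = date(2021, 3, 3)   # constructed "now" so results are reproducible

# Constructed directory export: login name, enabled flag, last logon, group membership.
ACCOUNTS = [
    {"sam": "alice", "enabled": True, "last_logon": date(2021, 3, 1), "groups": ["Domain Users"]},
    {"sam": "bob", "enabled": True, "last_logon": date(2020, 11, 2), "groups": ["Domain Users"]},
    {"sam": "carol.adm", "enabled": True, "last_logon": date(2021, 2, 20), "groups": ["Domain Admins"]},
    {"sam": "dave", "enabled": False, "last_logon": date(2020, 6, 1), "groups": ["Domain Users"]},
    {"sam": "svc-backup", "enabled": True, "last_logon": date(2021, 3, 2), "groups": ["Backup Operators"]},
]
# Constructed HR roster (employment status) and account-to-person mapping.
ROSTER = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "terminated"}
OWNER = {"alice": "alice", "bob": "bob", "carol.adm": "carol", "dave": "dave"}   # svc-backup: no owner recorded


def offboarding_findings(accounts, roster, owner, today=TODAY, stale_days=90):
    """Return (account, finding) pairs worth acting on."""
    findings = []
    for acct in accounts:
        name = acct["sam"]
        person = owner.get(name)
        privileged = any(g in PRIVILEGED_GROUPS for g in acct["groups"])
        # Step 1 of the checklist: a departed person's account must not stay enabled.
        if acct["enabled"] and person and roster.get(person) == "terminated":
            findings.append((name, "ENABLED_AFTER_TERMINATION" + ("_PRIVILEGED" if privileged else "")))
        # Forgotten credentials: enabled, but nobody has used them for a long time.
        if acct["enabled"] and (today - acct["last_logon"]).days > stale_days:
            findings.append((name, "STALE"))
        # Accounts with no recorded owner are never offboarded by anyone.
        if person is None:
            findings.append((name, "NO_OWNER"))
    return findings


def offboarding_actions(findings):
    """Map findings to the ordered actions from the checklist (disable, reset, rotate, review)."""
    actions = []
    for name, finding in findings:
        if finding.startswith("ENABLED_AFTER_TERMINATION"):
            actions.append((name, "disable"))
            actions.append((name, "reset-password"))
            if finding.endswith("_PRIVILEGED"):
                # Step 4: shared administrator credentials the person could reach must change too.
                actions.append((name, "rotate-admin-credentials"))
        elif finding == "STALE":
            actions.append((name, "review-stale"))     # confirm with the owner or disable
        elif finding == "NO_OWNER":
            actions.append((name, "assign-owner"))
    return actions


if __name__ == "__main__":
    for item in offboarding_actions(offboarding_findings(ACCOUNTS, ROSTER, OWNER)):
        print(item)
```

Run periodically (not only at termination time), the same join catches the case the text warns about: an account that was never disabled because the leaver's manager forgot to notify the security team.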

 


 

Not only are small to medium-sized businesses affected by security breaches related to their personnel; many high-profile companies, such as Equifax in 2017, have suffered embarrassing and expensive breaches because of a failure to adhere to internal policies and controls around Personnel Security. 

Regardless of your business size, a Personnel Security Policy is integral to managing your employees and proactively protecting your company from security threats. 

Worried about how secure your business is, or wondering if there is anything you can do to improve your security? Edge Networks can help! Schedule a call with us or take our free, self-guided IT Security Risk Assessment.

4 Things You Need to Consider When Creating an Effective Device and Inventory Management System

Understanding Device and Inventory Management

Business process improvement guru, H. James Harrington, famously said, “Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” This is especially true when it comes to your device and inventory management strategy. 

 

Why Do Device and Inventory Management Matter?

There are many reasons that companies should maintain an accurate inventory of their devices. 

Let’s consider a few real-life scenarios. 

Suppose your company is considering the implementation of a new Enterprise Resource Planning (ERP) software. The software vendor has provided you with the minimum requirements needed to run the software. How can you plan for this project’s costs and timelines if you do not know if your equipment can run the software? You cannot budget for any upgrades required and cannot know how to allocate the resources necessary to perform any upgrades. With an accurate inventory management program in place, you could run a report and have this information with little effort. 

Another common scenario is asset depreciation. Suppose you are a CFO or Controller and are trying to prepare an annual report for the board. How can you accurately report your current assets if you do not know what you have and what has been lost, stolen, or out of service? With inventory management, this exercise becomes more accurate and easier. 

 


 

What if a salesperson’s rental car is broken into and their laptop is stolen? The police will want to know the make, model, and serial number of the stolen device to file a report. Insurance will not cover a loss claim without it. The salesperson only needs to contact the service desk. The representative can provide the serial number for the report, the salesperson will receive the police report, and a claim can be approved for reimbursement. 

Finally, imagine you are a CIO or IT Director. You receive notice that a patch needs to be applied to keep a new critical vulnerability from affecting your company network. Inventory management allows you to know if your equipment is affected and where these affected devices are located. Inventory management saves you time and keeps your network safe and protected from this vulnerability.   

These are just a few examples in which a device and inventory management system can help an organization work better and be more informed. 

 

Process Matters – Where Do I start?

To get started on this journey, the creation of an inventory and device management policy is critical. 

These policies typically cover the following:  

1. Procurement Management

2. Asset Inventory

3. Asset Accountability

4. Asset Protection

Let’s dive deeper into each of these policies.

 

1. Procurement Management

A procurement management policy covers the rules of engagement for selecting and managing hardware and software vendors used by your company. They also protect the confidentiality of purchases, pricing models, authorized vendors, and authorized purchasers.   

For companies that produce specialized products and services such as patented or other trade secrets, a procurement management policy would include a method for confidential procurement through an authorized third-party purchasing organization. Some companies also require documentation of a supplier diversity program as a means for supporting female and minority-owned businesses. Many state contracts or even your company’s culture may find this documentation desirable.   

 

2. Asset Inventory

The core of an asset inventory system includes the methods and tools used to manage the existing assets accurately. 

Asset inventory management is essential for the efficient control of computer and software assets. IT systems change continuously during their lifecycle. Hardware components may be added or removed; software installed or uninstalled. Even in small IT networks, there will always be growth and change. 

An accurate and current asset inventory’s goal is to have a complete, up-to-date and accurate view of all network components, including PCs, servers, printers, hubs, routers, switches, and software. Ideally, the inventory should capture the device class and what is installed on the device. For any given timeframe, this can provide the actual state of all infrastructure components, which will provide a clear idea of what is owned, operating, and where it is located across the entire enterprise. 
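The patch scenario earlier in this article depends on exactly the inventory described here: matching an advisory's affected-version range against what is installed, and where. The Python below is an added example (not the article's or Edge Networks' code) that does this over a constructed inventory and a hypothetical advisory for a fictional product called "ExampleAgent", grouping affected hosts by site. It also shows why versions must be compared numerically rather than as strings; product names, hosts, sites, and versions are all constructed.

```python
"""Match an advisory's affected versions against an asset inventory.

Added example, not Edge Networks code. The inventory, sites, the product
"ExampleAgent" and the advisory are constructed; nothing here refers to a
real product or vulnerability.
"""
import re
from collections import defaultdict

# Constructed inventory records: host, site, device class, installed software and version.
INVENTORY = [
    {"host": "fs01",   "site": "Portland", "class": "server",      "software": {"ExampleAgent": "4.9.9"}},
    {"host": "ws-112", "site": "Portland", "class": "workstation", "software": {"ExampleAgent": "4.9.10"}},
    {"host": "ws-205", "site": "Seattle",  "class": "workstation", "software": {"ExampleAgent": "4.10.0"}},
    {"host": "db01",   "site": "Seattle",  "class": "server",      "software": {"ExampleAgent": "4.8.2"}},
    {"host": "pr01",   "site": "Seattle",  "class": "printer",     "software": {}},
]
# Hypothetical advisory: every ExampleAgent build before 4.9.10 needs the patch.
ADVISORY = {"product": "ExampleAgent", "fixed_in": "4.9.10"}


def parse_version(version: str) -> tuple:
    """Split '4.9.10' into (4, 9, 10) so that tuples compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def affected_devices(inventory, advisory) -> dict:
    """Hosts running a version older than the fix, grouped by site."""
    fixed = parse_version(advisory["fixed_in"])
    hits = defaultdict(list)
    for device in inventory:
        installed = device["software"].get(advisory["product"])
        if installed is not None and parse_version(installed) < fixed:
            hits[device["site"]].append((device["host"], installed))
    return dict(hits)


if __name__ == "__main__":
    # String comparison gets this wrong: "4.9.9" sorts after "4.9.10" lexically.
    print("string compare:", "4.9.9" < "4.9.10", "numeric compare:", parse_version("4.9.9") < parse_version("4.9.10"))
    for site, hosts in affected_devices(INVENTORY, ADVISORY).items():
        print(site, hosts)
```

Without the device class, site, and installed-software fields the text lists, this query cannot be answered at all, which is the practical argument for capturing them in the inventory in the first place.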

 


3. Asset Accountability

Asset accountability covers the classification of software and systems. It also covers the asset owners and other parties (internal or external) responsible for these systems and the data they contain. 

Asset control is also part of this accountability. It helps to ensure that responsibility for the controls that protect major information assets, such as a customer contact database, has been assigned. This policy component assumes the major information assets have already been identified. Identification of an organization's major information assets can also occur when risk assessments are performed and when contingency plans are prepared.

 

4. Asset Protection

Asset protection speaks to the type of computing equipment that may be used to access company systems. Typically, this is defined as company-owned or personal devices. From a security standpoint, most companies opt to require the use of company-owned or company-controlled devices so that security policies can also be easily monitored and enforced. 

Asset protection also covers the type of labeling and identification used to ensure the protection of the device. Most companies will opt for a destruction-proof label or tag that contains the company’s name and who to contact if the device is found, along with an internal serialization mechanism that is tied to the asset inventory system. 

 

Next Steps – Policy Creation and Maintenance for Device & Inventory Management

After you have decided on your basic device and inventory management strategy, the real work begins.

If you do not yet have a policy in place, your first task is to start outlining your processes to cover the items described above. Most companies will defer to their trusted technology advisor to help facilitate the creation of the documents and run initial discovery and documentation of current inventory items. These tasks are often run in parallel because the discovery of previously unknown device types will help steer the policy’s discussion and subsequent content.

 


 

If your company already has a system and policies in place, you should review the policies and their continued applicability annually at the very minimum. Identify gaps in your process and tools and make appropriate changes to ensure that the processes are still relevant. Run an audit to find errors or omissions and think about how you can refine your process to eliminate these gaps.

The ideal scenario is to have a coordinated management system in place that provides real-time data on the devices used in your networks. Most Managed Service Providers (MSPs) use a Remote Monitoring and Management (RMM) system along with a Network Management system to perform this function for their clients. Networks are scanned in real time or at regular intervals to check the health of device and software assets and to find any new items accessing the managed network.

Using more automated methods helps enforce policy compliance and is an underpinning of a mature, secured environment. 
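The reconciliation step that an RMM or network scan feeds is easy to automate. The following is an added example, not Edge Networks' code: it joins a constructed inventory export to a constructed scan result on the MAC address and reports devices on the wire that are not in the inventory, inventoried devices that were not observed, hostname drift, and assets with no accountable owner. The data classes, field names and sample values are assumptions for illustration.

```python
"""Reconcile an asset inventory export against a network discovery scan.

Added example, not the page's or Edge Networks' code. Both data sets below are
constructed sample data; a real run would load the inventory system's export
and the RMM / network scanner's output instead.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InventoryAsset:
    tag: str           # internal serialization tag tied to the inventory system
    mac: str
    hostname: str
    device_class: str  # workstation, printer, switch, ...
    owner: str         # accountable party (asset accountability); "" if unassigned


@dataclass(frozen=True)
class DiscoveredDevice:
    mac: str
    ip: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Accept 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory: List[InventoryAsset],
              discovered: List[DiscoveredDevice]) -> Dict[str, list]:
    """Compare inventory and scan; the MAC address is the join key.

    Caveat: MACs can be randomized or spoofed, so 'unknown' is a lead for
    investigation, not proof of a rogue device.
    """
    known = {normalize_mac(a.mac): a for a in inventory}
    seen = {normalize_mac(d.mac): d for d in discovered}
    unknown = [seen[m] for m in seen if m not in known]    # on the wire, not inventoried
    missing = [known[m] for m in known if m not in seen]   # inventoried, not observed
    renamed: List[Tuple[InventoryAsset, DiscoveredDevice]] = [
        (known[m], seen[m]) for m in known if m in seen
        and known[m].hostname.lower() != seen[m].hostname.lower()
    ]
    unowned = [a for a in inventory if not a.owner.strip()]
    return {"unknown": unknown, "missing": missing,
            "renamed": renamed, "unowned": unowned}


# Constructed sample data (not real assets).
INVENTORY = [
    InventoryAsset("EN-0001", "00:1A:2B:3C:4D:5E", "fin-ws-01", "workstation", "finance"),
    InventoryAsset("EN-0002", "00:1a:2b:3c:4d:5f", "FIN-WS-02", "workstation", "finance"),
    InventoryAsset("EN-0003", "00-1A-2B-3C-4D-60", "print-01", "printer", ""),
    InventoryAsset("EN-0004", "001a.2b3c.4d61", "core-sw-01", "switch", "it"),
]
SCAN = [
    DiscoveredDevice("00:1a:2b:3c:4d:5e", "10.0.1.10", "fin-ws-01"),
    DiscoveredDevice("00:1a:2b:3c:4d:5f", "10.0.1.11", "fin-ws-02"),      # case-only difference
    DiscoveredDevice("00:1a:2b:3c:4d:61", "10.0.0.1", "core-sw-01-old"),  # hostname drift
    DiscoveredDevice("de:ad:be:ef:00:01", "10.0.1.77", "unknown-laptop"), # not inventoried
]

if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY, SCAN).items():
        print(f"{finding}: {len(items)}")
        for item in items:
            print("   ", item)
```

Each finding maps back to a policy item on this page: unknown devices to asset protection, missing devices to asset inventory, and unowned assets to asset accountability.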

 

Putting it All Together for Effective Device and Inventory Management

As you can see, a robust and mature device and inventory management program enhances the effectiveness of the entire enterprise. From finance to IT, everyone plays a part and benefits from this substantial investment in your company.   

Does creating a device and inventory management system feel overwhelming? We at Edge Networks know that there are a lot of moving parts and potential pitfalls. Remove the burden of managing your IT with our flat-fee IT managed services program. Contact us to schedule a free, 30-minute consultation today.

Compliance Mistakes You Don’t Know You’re Making That Can Cost You Thousands

Taking the Fear of Compliance Mistakes out of Regulatory Compliance

The phrase “regulatory compliance” often strikes fear in even the most seasoned executives, but it doesn’t need to be that way.  Education and awareness are critical, so let’s look at the top two regulations that your company may need to think about – Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act of 1996 (HIPAA).

 

What is Regulatory Compliance?

Regulatory compliance refers to the steps an organization puts in place to comply with the state, federal, and international laws and regulations that are relevant to its business operations. Violations can result in monetary and even criminal penalties for the company.

 


Payment Card Industry Data Security Standard (PCI-DSS)

If your company directly accepts payments for goods or services through payment cards (VISA, AMEX, and Discover for example), you need to have a plan for PCI-DSS compliance.

PCI-DSS was established to prevent credit card fraud. This is accomplished by putting standardized controls (rules) in place at all merchants accepting cards. This is a good thing.  It increases your customer’s confidence because they know you are actively working to protect their card data.

 

There are six control objectives required under PCI-DSS:

1. Build and Maintain a Secure Network and Systems

2. Protect Cardholder Data

3. Maintain a Vulnerability Management Program

4. Implement Strong Access Control Measures

5. Regularly Monitor and Test Networks

6. Maintain an Information Security Policy

 

Let’s quickly break down each of the objectives:

1. Build and Maintain a Secure Network and Systems

Simply put, the company needs to have basic security in place. This means having a firewall and password-protected computers. Do not use default passwords on any systems or software.

 

2. Protect Cardholder Data

If you take orders over the phone, do not leave cardholder information on a notepad or sticky note. Preferably, the numbers would be directly entered into your terminal system or software and never stored, if possible.

 

3. Maintain a Vulnerability Management Program

Make sure you are using up-to-date anti-virus and anti-malware protection on all systems. 

All operating systems must be current and patched. Third-party software must be up to date.

 

4. Implement Strong Access Control Measures

Limit access to, and protect, the equipment used to process transactions. If you must write down card data, make sure it is shredded afterwards. Any system used to process transactions must have its drives destroyed when it is decommissioned.

 

5. Regularly Monitor and Test Networks

Network scans, both internal and external, need to be performed regularly and whenever there is a change to systems or software.

 

6. Maintain an Information Security Policy 

Establish and maintain an information security policy. Review this policy at least annually, and train employees on security awareness and social engineering. Screen new employees to limit the incidence of internal breaches. Lastly, have an incident response plan in case of a data breach.

There are a lot of things to consider. If you need help understanding any of these controls, reach out to your IT Security Professional or Edge Networks.

 

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA was passed into law to provide a framework to safeguard Protected Health Information (PHI). 

PHI is defined as any piece of information in an individual's medical records that could be used to identify them personally. Basic examples include name, Social Security number and date of birth. Many other identifiers are included, and these continue to evolve as more technology is used in healthcare.

If your company is healthcare-focused, then you are very familiar with HIPAA. Your company falls into a group called “covered entities”.

 


There are three main categories of covered entities: Health plans, Clearinghouses and Providers.

  • Health plans include insurance companies, health maintenance organizations (HMOs) as well as employer-sponsored health plans.
  • Clearinghouses are organizations that process health information to conform to the prevailing standards for data content or format. Clearinghouses act on behalf of other organizations.
  • Providers include doctors, clinics, dentists, nursing homes, pharmacies and chiropractors, to name a few. Essentially, this is any organization that submits healthcare-related claims to another covered entity.

You might feel a sense of relief when you notice that you are not on the list of covered entities. However, you may not be off the hook just yet. If you perform work for these organizations, you may be what is known as a business associate, and you must also be compliant. In this situation, you must enter into a contract called a Business Associate Agreement (BAA). 

The BAA details what information your company has a responsibility to protect. A few examples of service companies considered business associates are shredding services, attorneys, accountants, marketing services, and transportation services. This is not an exhaustive list. Please check with legal counsel if you are unsure.

To ensure health data protection is taken seriously, there can be monetary penalties associated with unauthorized disclosure of PHI. Penalties are levied based on the severity of, and the negligence involved in, a given disclosure.

 

There are four HIPAA violation penalty tiers and associated monetary penalties:

  • Tier 1 – A violation that the covered entity was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by HIPAA Rules. Minimum fine of $100 per violation up to $50,000.
  • Tier 2 – A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. Minimum fine of $1,000 per violation up to $50,000.
  • Tier 3 – A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation. Minimum fine of $10,000 per violation up to $50,000.
  • Tier 4 – A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation. Minimum fine of $50,000 per violation.

 


 

The penalties are adjusted for inflation annually.

Individuals involved in disclosures can also incur criminal penalties. These penalties are based on the severity of, and the negligence involved in, the disclosure. If an individual has profited from the theft, access or disclosure of protected health information (PHI), those monies may also have to be forfeited in addition to the fine.

There are three tiers of criminal penalties for HIPAA violations:

  • Tier 1 – Reasonable cause or no knowledge of violation – Up to 1 year in jail.
  • Tier 2 – Obtaining PHI under false pretense – Up to 5 years in jail.
  • Tier 3 – Obtaining PHI for personal gain or malicious intent – Up to 10 years in jail.

The value of PHI on the black market continues to increase. This has been a big temptation for some individuals given recent economic conditions. Social engineering and malware attacks are on the rise to gain access to this valuable data. 

It is imperative that organizations subject to this Act take appropriate actions to reduce the risk of breaches.

 

Regulatory Compliance Matters

This is just a brief glimpse of the two main regulations that you may encounter in your business. It is best practice to review your compliance policies at least annually, and certainly when a change is made to the regulations.

If your company lacks in-house talent with the detailed knowledge needed to ensure compliance, we recommend that you consult with legal counsel. For the technical and operations aspects, you should reach out to a knowledgeable compliance and technology partner like Edge Networks to assist you with your journey into the compliance world. The investment will immediately begin to pay for itself because you just cannot put a price on your peace of mind. Contact us today for a free, 30-minute consultation.

The Five Critical Components Your Cybersecurity Incident Response Plan Must Have

What Is a Cyber Incident Response Plan?

According to the National Institute of Standards and Technology (NIST) , a government agency that supports and promotes the use of technology to solve human problems, a cyber incident response plan consists of “the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious attacks against an organization’s systems.”  More simply put, creating a cyber incident response plan means formalizing the exact steps you’ll take as soon as you discover that a cyber incident has taken place.

Having a robust cyber incident response plan in place can save your business time and money, and it can help preserve your business’s reputation if you’re victimized by cybercriminals. Advance planning can boost your organization’s cyber resilience, and increase your peace of mind in the face of today’s most formidable threats.

How can you create the cyber incident response plan that’s right for your business’s size and your IT infrastructure’s degree of complexity? Your plan doesn’t have to be elaborate; it just has to be solidly built so you’ll know what to do in a time of crisis.

 

Cyberattacks can happen to anyone. Be prepared by creating a solid Cybersecurity Incident Response Plan.

No matter whether your business is large or small, no matter what industry you’re in, or where your offices are located, cybercrime poses grave risks to your financial well-being today, and your chances of survival and healthy growth in the years to come. Global losses caused by cyberattacks are predicted to exceed $6 trillion by 2021, putting more money in criminals’ pockets than the trade of all major illegal drugs combined.

Leaders of small and medium-sized businesses may be tempted to believe that they face fewer risks from cybercrime than large enterprises because their profiles—and revenues—are lower, but the latest research shows that they are in fact more likely to be targeted for attack. According to the 2019 Verizon Data Breach Investigations Report, nearly half of all breach victims were categorized as small businesses. The Better Business Bureau reports that as many as 20 percent of smaller organizations will fall victim to cyberattacks in any given year, with average losses totaling nearly $80,000 per incident.

To help you get prepared, we have created a FREE Cybersecurity Incident Response Plan template that you can implement in your business, which you can find at the end of this post.

Given these nerve-wracking statistics, which remind us that cyberattacks aren't just possible but almost inevitable, it's important to make a plan. Drawing up a comprehensive risk assessment, laying out the specific steps you'll take in the moment of crisis, and delineating key responsibilities will help you feel more prepared, and it will also enable a speedier response. And the faster you can contain the incident and manage its consequences, the lower your overall costs are likely to be.

 

The Five Essential Ingredients

#1: Formalize and Document the Policies and Procedures

In case of disaster, you can’t just wing it. Every aspect of your cyber incident response plan should be concrete, written, and well-tested. Though you’ll want to include detailed steps and procedures to follow, you’ll also want to spell them out simply.

Keep in mind that stakeholders across the entire organization may have roles to play in identifying, containing, and responding to the incident, even those whose typical job responsibilities don’t have anything to do with IT, and that incident response team members are likely to be under a great deal of stress. Documentation should be clear, brief, and very specific, so that steps are easy to follow, even when the pressure is on.

 

#2: Build a Rock-Solid Team

You'll want to establish a computer security incident response team (CSIRT) within your organization.

Team members will be responsible for technical incident response procedures (identifying that an incident has occurred, analyzing logs to figure out exactly what happened, repairing systems, and removing the means by which the attack was accomplished) as well as internal and external communications (exchanging information with employees, law enforcement, affected customers, and senior management, for instance), so you’ll want to include IT security staff and draw on resources in other departments as well.

Some team members should be skilled in marketing/public relations, human resource management, and providing legal counsel. A managed service provider can supplement your in-house expertise if your technical security team isn’t large enough to meet your incident response needs.

 

#3: Establish Communications Guidelines

One team member should be charged with the responsibility for authorizing when and how details about the incident are to be disclosed. It’s also a good idea to have legal counsel review any notification letters or other disclosures before they’re made public. Have a plan in place for how you’ll accomplish this, as well as a set of guidelines for what you’ll say.

Be sure you have recorded the contact information for anyone you might need to communicate with, and keep it in a place that's separate from any systems that might be affected by a breach. This could include contacts at regulatory bodies whose requirements you must meet, as well as all members, both internal and external, of your incident response team.

 

#4: Outline Concrete Technical Steps

From incident discovery and classification to containment and recovery, you’ll need a playbook detailing specific steps within incident response protocols that you expect your security team members to follow.

You'll want to collect all relevant log data so that it can be audited, and review all alerts generated by the security tools in your network environment. You'll also need to spell out the testing and validation procedures you'll rely on, after forensic analysis is complete, to certify that all systems have been restored to a secure operational state.

 

#5: Practice Makes Perfect

Technologies are constantly changing, as are attackers’ strategies and techniques. At a bare minimum, your team should revisit your cyber incident response plan once a year. Update it to reflect your current IT environment, the current threat landscape, and your current risk profile. Any incidents that do take place should be examined at length. Afterwards, make technology updates or policy changes to safeguard against similar attacks in the future.

It’s also a good idea to conduct scenario-based testing exercises to make sure that your incident response plan can be relied on in times of need. These can be simple or elaborate, and offer team members the opportunity to evaluate—and improve—their preparedness without facing an actual incident or attack.

Developing a cyber incident response plan doesn’t have to be complicated. Having one can make a dramatic difference in your level of preparedness, your overall vulnerability, and your peace of mind. A managed IT service provider with cybersecurity-specific experience will have a great deal of practical knowledge in cyber incident response procedures, and can guide you in building the very best plan to meet your business’s needs, from the ground up.

 

Download Your Free Incident Response Plan

Make Cybersecurity Part of Your Onboarding and Offboarding

Importance of Cybersecurity in the Employee Onboarding and Offboarding Process

Malicious actions taken by disgruntled former employees have the potential to cripple any business, no matter how large or small. It happened to Amazon, to Apple, to the infidelity matchmaking website AshleyMadison, and to the automotive innovators at Tesla. And it has occurred at many small and mid-sized organizations as well. Former employees have stolen intellectual property and trade secrets—including proprietary software and technical information—and have taken passwords, administrative privileges, and intimate knowledge of their former employers’ IT environments with them when they left their jobs.

Of course, not all harm that employees do to information security is accomplished in bad faith. In the 2019 Verizon Data Breach Investigations Report, for instance, “privilege abuse”—including the abuse of credentials accidentally disclosed to criminals by victims of social engineering attacks—and “data mishandling” were among the most common causes of breaches, and together were responsible for more than half of the incidents included in the survey. Employee errors, accidents, and misconfigurations remain among the leading causes of data breaches year after year and have held this position since indexing began. 

This is why it’s critical to have cybersecurity measures in place for the Employee Onboarding and Offboarding process.

 


Developing the proper onboarding and offboarding procedures can have a major impact on your organization’s cybersecurity risk profile. Both malicious acts and innocent mistakes will be far less likely to result in a data breach if you have the right policies and workflows in place. 

Read on to learn about best practice guidelines to help your incoming employees keep cybersecurity front-of-mind, and to prevent employee departures from increasing your vulnerability.

 

How to Get Employees on Board with Cybersecurity Policy and Compliance

New hires are often your most eager, attentive, and motivated employees. If you can successfully turn this beginner’s enthusiasm into good habits, you’ll have taken an enormous step towards creating a strong and resilient cybersecurity culture within your organization.

Implement a well-designed Security Awareness Training program and make participation mandatory, not optional. Look for a program that provides information in various types of media and in differing formats to engage employees with diverse learning styles. Research indicates that including games and quizzes can boost employees’ ability to remember information from the training, and incorporating testing and assessment can help you evaluate the training’s effectiveness, and show you which individual employees are likely to pose the greatest risks.

Are you concerned about the cybersecurity of your business? Edge Networks can help! Take our free, self-guided IT Security Risk Assessment, or contact us today for a free, 30-minute consultation.

 
