
The Top Supply Chain Vulnerability: People

Photo by Jeriden Villegas on Unsplash

The supply chains of this digital era are long and complex, and a security incident anywhere along them can have a serious impact on the whole organisation. Supply chains are exposed to many external risks, such as supply disruption, demand spikes and financial instability, but businesses can usually plan for those and ensure continuity. What most companies overlook are the threats that arise from people: malicious or negligent employees, whether their own or a supplier's.

The risk of an attacker reaching your systems through an external vendor has never been higher. Since you have no direct control over the people who work for your vendors, the human risks in your supply chain are harder to mitigate than those inside your own walls. That does not mean they cannot be mitigated at all. Extending your security awareness training to vendors and building resilient defences against the resulting threats can reduce supply chain risk considerably.

Related Article: Biggest Cyber Security Risk – Your Employees

The most significant vulnerability in a supply chain is the human element, so let’s discuss the different measures you can incorporate to overcome this risk.

Why Hackers Target Supply Chains

Cybersecurity risks targeting an organisation's supply chain have grown sharply over the years. As pandemic lockdowns took effect, supply chain cybersecurity risks were reported to have increased by about 80% during the second quarter of 2020, with remote working making things worse for suppliers. Beyond that, there are specific reasons why hackers target the supply chains of large organisations.

With most large organisations now taking adequate precautions against cyberthreats, getting in through the front door is no longer as easy as it used to be. The supply chain, on the other hand, offers cybercriminals an indirect route into a large organisation: a smaller supplier that the target already trusts.

Recommended Read: Recommended Best Practices to Secure your Supply Chain

Small vendors often lack the budget for extensive cybersecurity measures, and they are also more likely to run legacy hardware and software that can be exploited in an attack. As a result, these vendors tend to act as a conduit through which cybercriminals mount a larger attack on the organisations they supply.

People Risks Originating From Supply Chains

The people working in these supply chains often offer the path of least resistance to attackers. Although organisations have well-defined processes to vet and evaluate their suppliers and third-party vendors, it is hard to measure the risk posed by the individuals who work for those companies. Moreover, organisations rarely have a centralised view of which third-party users are accessing their applications and critical data.

An employee who opens a phishing email and clicks the link in it can end up enrolling their machine in a botnet or downloading ransomware. The same emails are used to steal login credentials or to set up further social engineering. Once attackers gain a foothold in the vendor's IT environment, they can pivot across the trusted connections that vendor holds, such as remote-access tooling, VPN connections and shared accounts, into the larger organisation's network.

Learn how to avoid Phishing and Suspicious emails.

Beyond phishing, habits such as using unsecured Wi-Fi networks or personal devices for work in the supply chain also create significant security issues. Opportunistic cybercriminals are quick to exploit any loophole in an organisation's security, and when these threats carry over from your vendor's network into yours, they can disrupt your operations and damage your reputation.

Mitigating Internal Risks in the Supply Chain

Most organisations already have formal programmes to assess and manage third-party risk, but these programmes are not always adequate for employee risk. For instance, companies send their vendors security questionnaires, yet a RiskRecon survey found that only 14% of companies fully trust their third-party vendors' questionnaire responses.

In this scenario, additional measures are required to deal with the human risks that third parties pose. Follow these measures to mitigate your risks:

  • Limit access to critical information: Many third-party users need access to your systems to do their jobs, but that access must be limited to what their role requires (least privilege). You also need a complete, current list of every individual with access, which information they can reach and when they last used it, so that over-privileged, dormant or expired accounts can be cut back or removed. 
  • Extend security awareness training to vendors: The cybersecurity awareness training you run for internal employees should also cover the staff of your third-party vendors, with clear security guidelines that everyone accessing your data must follow. 
  • Create a backup strategy: One of the best ways to limit the damage from a data security incident is to back up your critical data. Prepare for the worst case with a disaster recovery strategy that gets your operations running again promptly after an attack. Learn how to create an effective backup and disaster recovery strategy.
  • Audit your vendors regularly: Choosing third-party vendors is not a one-and-done process. Regular audits of your vendors and business partners will surface new weaknesses in their systems and changes in who holds access to yours.
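
The first and last of these measures are a recurring access review. As an added example (not code from the original article or from Spector), the Python below runs such a review over a constructed list of vendor accounts: it compares each account's granted permissions against a hypothetical role-to-permission policy (ROLE_POLICY), flags accounts whose contract has ended or that have been idle for more than 90 days, and produces the per-vendor inventory of who can reach what. The roles, permission names, account records and review date are all assumptions made for the demonstration.

```python
"""Vendor access review: least privilege, dormancy and contract expiry.

Added example, not from the original article. The role policy, account
records and review date below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical role -> permissions policy: the access each job role needs.
ROLE_POLICY: Dict[str, Set[str]] = {
    "payroll-processor": {"hr.read", "payroll.read", "payroll.write"},
    "support-engineer": {"tickets.read", "tickets.write"},
    "auditor": {"finance.read", "hr.read"},
}


@dataclass
class VendorAccount:
    user: str
    vendor: str
    role: str
    permissions: Set[str]
    last_login: Optional[date]   # None means the account has never signed in
    contract_end: date


def review_account(acct: VendorAccount, today: date, idle_days: int = 90) -> List[str]:
    """Return findings for one account; an empty list means it passes review."""
    findings: List[str] = []
    allowed = ROLE_POLICY.get(acct.role)
    if allowed is None:
        findings.append("unknown role")
    else:
        # Least privilege: anything granted beyond what the role needs.
        excess = sorted(acct.permissions - allowed)
        if excess:
            findings.append("excess permissions: " + ", ".join(excess))
    if acct.contract_end < today:
        findings.append("contract ended")
    if acct.last_login is None or (today - acct.last_login).days > idle_days:
        findings.append(f"idle > {idle_days} days")
    return findings


def review_all(accounts: List[VendorAccount], today: date) -> Dict[str, List[str]]:
    """Findings keyed by user name for a whole account list."""
    return {a.user: review_account(a, today) for a in accounts}


def inventory_by_vendor(accounts: List[VendorAccount]) -> Dict[str, Dict[str, List[str]]]:
    """The 'full list': for each vendor, which users hold which permissions."""
    inv: Dict[str, Dict[str, Set[str]]] = {}
    for a in accounts:
        inv.setdefault(a.vendor, {}).setdefault(a.user, set()).update(a.permissions)
    return {v: {u: sorted(p) for u, p in users.items()} for v, users in inv.items()}


# Constructed sample data for the review.
TODAY = date(2021, 6, 30)
SAMPLE_ACCOUNTS = [
    VendorAccount("alice", "acme-payroll", "payroll-processor",
                  {"hr.read", "payroll.read", "payroll.write"},
                  date(2021, 6, 28), date(2021, 12, 31)),
    VendorAccount("bob", "acme-payroll", "payroll-processor",
                  {"hr.read", "payroll.read", "payroll.write", "finance.write"},
                  date(2021, 1, 15), date(2021, 12, 31)),
    VendorAccount("carol", "helpdesk-co", "support-engineer",
                  {"tickets.read", "tickets.write"},
                  date(2021, 6, 29), date(2021, 3, 31)),
    VendorAccount("dave", "helpdesk-co", "contractor",
                  {"tickets.read"}, None, date(2021, 12, 31)),
]

if __name__ == "__main__":
    for user, findings in review_all(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user:6} {'OK' if not findings else '; '.join(findings)}")
    print(inventory_by_vendor(SAMPLE_ACCOUNTS))
```

In practice the account list would be exported from your identity provider or VPN/remote-access platform, and the review would be scheduled to run at the same cadence as your vendor audits; the point of the policy table is that "limited to their job role" becomes a check that can be automated rather than a line in a questionnaire.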

Secure Your Critical Data 

With supply chain risks at an all-time high, you need a trusted partner by your side to protect your data from all kinds of human threats emerging from the supply chain.

Our expertise in data security and storage can help you overcome supply chain obstacles and secure your data from all kinds of threats. Give us a call now!


Monitor, Test, Restore – Making Sure Your Backups Are Ready! 


Backups play a critical role in any data protection strategy. If you are counting on your backups for disaster recovery and business continuity, an unexpected backup failure can be disastrous for your business. Especially when backups run on an automatic schedule, they can fail silently through media failure, software issues, cyberattacks or simple human error. One study estimated that three-fifths of backups are incomplete and that nearly half of all data restoration attempts fail.

Related Article: Backup Strategies to Prevent Data Loss

Fortunately, backup failure can be avoided to a great extent through consistent monitoring and frequent testing. This, in turn, will ensure proper restoration of your data when disaster strikes. To ensure complete restoration of your data, you need to have a comprehensive plan for monitoring and testing your backups. In this article, we’ll explore the step-by-step process involved in monitoring your backups, testing them and ensuring full restoration during an unexpected disaster. 

Backup Status Monitoring

Most businesses that rely on data for their everyday operations have a consistent schedule for backing it up. Depending on the importance of the data, this schedule may run from once every few hours to once a week or even longer. If a backup fails, you stand to lose everything created since the last successful one, and if the failure goes unnoticed, that window keeps growing. Identifying these failures early lets you fix them and limit the loss.

This is why backup status monitoring is vital. Failing to monitor your backups might result in a snowball effect that could continue unabated until it gets detected.

How to prevent this

Backup monitoring must be part of your backup strategy. Checking every job by hand each day is more than most businesses can afford, so automate it: every backup job should report success or failure, and a failed or missed job should raise an alert. How often a person reviews those results should follow your recoverability objectives. For critical data, review the results at least daily, so that a failure is caught within one backup cycle rather than weeks later; for less critical data, a weekly review may be enough. Either way, problems are found while they can still be fixed without affecting your backup goals.

Backup monitoring for remote workers

When employees work remotely, backing up all of their devices can be challenging, but that does not mean compromising on the safety of your data. The cloud needs to be part of your backup strategy. More specifically, the 3-2-1 approach is recommended: keep at least three copies of your data, on two different types of storage media, with one copy held off-site (for instance, in the cloud). A centralised remote monitoring and management tool then gives you visibility of all backup tasks, wherever the devices are, and lets you monitor and validate them remotely.

Read: The Importance of Secure Cloud Backup for Remote Workers


Spot Checking for Accuracy and Quality 

This is the simplest form of backup testing. After a backup run, open the backup location, whether a local drive or the cloud, and confirm that a sample of files and folders is present, opens correctly and matches the source (a checksum comparison is more reliable than eyeballing file sizes). If any sampled file is missing or unreadable, check your backup configuration and media to find out why. Repeat the check across several parts of the environment rather than sampling the same folder every time.

Full Restore Testing 

This method is more advanced than spot-checking: it tests your ability to recover from complete data loss after a disaster by restoring the backup into a test environment and confirming that the restored systems and data actually work. To do this well, start by prioritising the critical files and systems essential to your immediate recovery.

Prioritising files and folders for testing

When prioritising data for testing, you need to begin with data, applications or systems that have a low Recovery Time Objective (RTO), which refers to the maximum allowable time or duration within which a business process must be restored. These files and systems are the ones your business can’t go long without and are typically associated with the core activities. So if you can recover this data quickly, you can resume operations and avoid downtime.

How much does downtime cost your business? Learn with our Downtime Calculator

Determine the testing approach

There are various aspects to consider when testing your backups. For instance, you can restore individual virtual machines into an isolated test environment and confirm that each system boots and works. You could also go further with a disaster recovery exercise that simulates the entire environment and runs scenario-based recovery tests.

Here, the ultimate goal of testing is to verify the integrity of the backups you have created. You need to choose a suitable testing approach for your business that better reflects your IT environment.

Frequency of testing

How often should you test the integrity of your backups? That’s another big question you need to ask once you have decided to proceed with the testing process. For this, you need to consider various factors like workload, applications, systems, etc., in your environment and develop a testing schedule that works for you.

In addition, you need to consider your Recovery Point Objective (RPO), which is the maximum amount of data, measured in time, that your business can afford to lose; in practice it is the maximum acceptable age of your most recent usable backup. Your backup schedule and your monitoring must fit inside it. If your RPO is 24 hours, a backup must complete successfully at least once a day, and you need to confirm each day that it did, so that a good copy is always available within that window. Full restore tests can run less often, but still often enough to catch a silently corrupted backup chain before you need it.

A Backup Solution That You Can Count On

The last thing you want during a disaster recovery process is to find out that your backups have been failing for a long time. By monitoring and testing your backups regularly, you can overcome this issue and rely on your backups at the time of need.

Most importantly, you need to invest in the right backup solution that ensures full recoverability of your valuable data. Reach out to us today and count on us to build a backup solution that is tailor-made for your business.

 


Data Protection Regulations: The ‘New Normal’ For All Businesses

Photo by Alexander Kovacs on Unsplash

In today’s global information economy, your business data is the golden goose chased by cybercriminals. Given how this data has an endless life, who can ensure that it isn’t exploited for unsavoury gains? Well, governments worldwide have stepped up to the plate. 

The implementation of the General Data Protection Regulation (GDPR) in 2018 by the European Union (EU) opened the floodgates for this global wave of change. Such was the impact of GDPR holding businesses accountable for data protection and privacy that today, 132 out of 194 countries have put in place legislation to ensure the security of data and privacy, as per the United Nations Conference on Trade and Development (UNCTAD). 

Related Article: GRC Fines, Penalties and Violations – Oh My!

Wondering how this relates to compliance and your organisation? Almost any business in the world, including yours, must comply with at least one data protection and privacy regulation. Whether you are a local or a global company, ignoring this international consensus can leave your business's future in the lurch.

Give us a few minutes, and we’ll help you understand the difference between data protection and privacy, the prevalent global awakening and how it’s time for you to be smart about compliance. Let’s hit the ground running! 

Data Protection Versus Privacy: Related But Not The Same 

While data protection is about securing data from unauthorised access, data privacy is related to how authorised access is defined – who can access the data and the ways in which they can manage it. Your business must understand this distinction and the fact that the existence of one doesn’t eliminate the need for the other. 

Dig deeper with our article: Data Protection vs Data Privacy – A Closer Look

You might deploy the right technology to build a robust data protection posture, yet that alone does not ensure the privacy of personal data in line with regulatory standards, because authorised individuals who can legitimately access the data can still misuse it. Simply put, you must deploy both the right technology and the right policies to ensure every bit of data you store and process remains secure and private. It's time to stop stalling and move forward with proper security and privacy standards.

A Global Awakening

UNCTAD data also shows that roughly two-thirds of countries already have legislation on data protection and privacy, a further 10% have draft legislation, and the remaining countries are likely to follow suit. Do not dismiss this global consensus on the assumption that it will not affect you because you do not operate outside your home country. Even if you are not based in Europe or in a country where such legislation is already in force, it will not be long before your state or national government takes the plunge.

Here’s just a glimpse of where regulation is in place or will be eventually implemented:  

  • Australia: The Privacy Act (1988) 
  • Brazil: General Personal Data Protection Act (LGPD – 2018) 
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) 
  • China: Personal Information Security Specification (2018) 
  • The European Union (EU): General Data Protection Regulation (GDPR) 
  • Japan: Act on the Protection of Personal Information (2003) 
  • Kenya: Data Protection Act (2019) 
  • Nigeria: Data Protection Regulation (2019) 
  • Russia: Federal Law Regarding Personal Data (2006) 
  • Singapore: Personal Data Protection Act (2012) 
  • South Africa: Protection of Personal Information Act (2013) 
  • South Korea: Personal Information Protection Act (2011) 
  • Thailand: Personal Data Protection Act (2019) 
  • Uganda: The Data Protection and Privacy Act (2019) 
  • Uruguay: Law on the Protection of Personal Data and Habeas Data (2008) 

Countries currently deliberating new or updated regulation include Argentina, Chile, Ecuador, India, Malaysia, New Zealand, Switzerland, the USA (at federal level) and more. 

And that is only a partial list. Could this phenomenon be any more global? 

Photo by Annie Spratt on Unsplash

Be Smart. Start Now! 

Compliance is smart business, even when it is complex and burdensome, so keeping it on the back burner is an open invitation to trouble. How much do you value the reputation and integrity of your business? Failure to demonstrate compliance with even one regulatory standard can take your business straight into a dark phase of uncertainty: licence cancellations, hefty fines, reputational damage, expensive lawsuits and lost business.

Watch video on our LinkedIn: Top 5 GDPR Fines Issued so Far

Let A Trusted Partner Help You

It takes special skills and tools to look ‘under the skin’ of your network to ensure it is both secure and compliant. It helps having a trusted partner that has managed both cybersecurity and compliance for businesses before. You will sleep better at night knowing your data is protected and precisely in the manner regulations need it to be. 

You are just one step away from assessing your compliance needs and addressing them. Call us today. Let’s talk compliance! Our team will understand your needs and help you get where you want with small, actionable steps. No challenge is too big to tackle, and you can take your business to the next level!

How Can Cyber Resilience Protect SMEs in Ireland?

Photo by Dan Stark

Small and medium-sized enterprises (SMEs, often called SMBs) usually invest less in cybersecurity, which makes them easier targets for cybercriminals. Close to 30% of businesses experience a cyberattack at least once a week.

The need for constant vigilance against attackers has led many SMEs to over-complicate their security. Although the share of businesses with formal, business-wide incident response plans rose from 18% in 2015 to 26% in 2020, their ability to contain an actual attack fell by 13%. Two reasons stand out: (1) businesses do not consistently test the threat-readiness of their incident response plans, and (2) many run so many security products that the sprawl hampers their ability to identify and respond to an attack.

This is where a cyber resilience strategy helps organisations protect uptime and recover from incidents faster. The terms cybersecurity and cyber resilience are sometimes used interchangeably, but they mean different things.

Learn: What can a Cyber Security company do for my business?

While cybersecurity primarily aims to stop cybercriminals from attacking your network, cyber resilience is about planning for, defending against, responding to and recovering quickly from a cyberattack. Endpoint protection, email security, network security, backup and data recovery, identity and access management and a host of other critical solutions together make up a comprehensive cyber resilience strategy. 

Arm Your Business with Cyber Resilience

The cyber threat landscape is evolving at lightning speed and traditional security measures can’t keep up with it. Experts have predicted that a ransomware attack occurs every 11 seconds in 2021. The only way forward for businesses, including yours, is to draft a cyber resilience strategy that highlights ways to move forward in the face of a cyberattack. 

Your business is cyber resilient when: 

  • You’ve implemented measures to guard against cyberattacks
  • Proper risk control measures for data protection get deployed
  • Hackers cannot severely disrupt business operation during or after an attack

The major components of a cyber resilience strategy are:

Threat protection

By deploying efficient attack surface management and risk management, you can easily take your business through the path of cyber resilience. Doing so helps you minimise first-party, third-party or fourth-party risks arising from data leaks, data breaches or misconfigurations. Additionally, assessment reports identify key risk areas that require attention. Our process is supported by our Gap Analysis, which will tell you exactly where you are and what’s missing to reach your goal.

Adaptability  

Cybercriminals are shapeshifters who constantly change their devious tactics. Ensure your business can adapt to emerging cyber threats. 

Recoverability  

Your business must have all the necessary infrastructure, including robust data backups, to quickly bounce back after a security incident. Conducting mock drills that let you understand the employee readiness to counter cyberattacks is also essential. Learn why Backup Strategies are vital.

Durability 

Your IT team can improve the business’ durability through constant system enhancements and upgrades. No matter what strategy the criminals use, prevent their actions from overwhelming you through shock and disruption. 


5 Ways Cyber Resilience Protects SMBs

Adopting cyber resilience proves beneficial before, during and after cyberattacks. Five ways cyber resilience protects SMBs:

1- Enhances system security, work culture and internal processes

By implementing a cyber resilience approach within your business, you can easily design and develop strategies tailor-made for your existing IT infrastructure. Additionally, cyber resilience improves security within each internal process, so you can communicate desired behaviour to employees.

2- Maintains business continuity

Cyber resilience ensures that operations are not significantly affected and business gets back to normal after a cyberattack. 

3- Reduces financial loss

The financial damage caused by a breach can be so severe that businesses go bankrupt or even close. Cyber resilience keeps threats in check, reducing the chances of business disruption and limiting financial liabilities. 

4- Meets regulatory and insurance requirements

Cyber resilience helps keep your business off regulators' radar by satisfying the criteria they set. Demonstrable compliance also strengthens your position when making cyber insurance claims. 

5- Boosts company reputation

Having cyber resilience by your side gives you better control in the event of a successful cyberattack. It helps you block attacks, bounce back quickly if an incident happens and minimise the chaotic aftereffects of a breach. This improves your business reputation among partners and customers. 

Don’t worry if the concept of cyber resilience is tough to crack. We can guide your business to and through cyber resilience. We can begin with a discovery call to learn about your concerns and requirements and follow with a Gap Analysis to identify precisely the main points that need to be prioritised. Wherever you are in the world, we’ll be more than happy to assist, so talk to us and count on us!

Article curated and used by permission.

Sources:

1. Infosecurity Magazine 

2. The 2020 Cyber Resilient Organization Study 

3. JD Supra Knowledge Center

Importance of Secure Cloud Backup Solution for Remote Users 

Photo by Sigmund on Unsplash

A Secure Cloud Backup Solution is no longer a luxury – it’s a must. In today’s world, businesses gather, analyse and process large volumes of digital data on an everyday basis. From identifying typical customer behaviour to creating campaigns that target the right audience, business data plays a critical role in the day-to-day functioning of a company. Considering the critical need for data, businesses cannot afford to lose their data at any cost. However, data loss is quite common owing to various factors such as natural disasters, human errors, security breaches and more. If you expect your business to continue operations even after a catastrophic data loss, cloud-based data backup is the best option for you. 

Recommended Read: Why Security Awareness Training is Essential for Backups

Since threats to business data have skyrocketed in this new remote working age, including the cloud in your backup solution has become essential for businesses of all sizes. According to Microsoft, 94% of companies report security benefits after moving their data and services to the cloud, which is a major reason why organisations have embraced cloud technology at such a dramatic pace.

This short read will provide you with some decisive insights about the importance of cloud backup, especially in remote working environments, and how you can bolster your cybersecurity with a proper cloud strategy.

Need for Cloud Backup During Remote Work 

It’s one thing to lose your data during a cyberattack or another unexpected event, but losing your integrity and goodwill is an entirely different ballgame. All the years of hard work you invested in building your company will be in jeopardy if you suffer a loss of customer data. When your customers have no reason to trust you, they will take their business elsewhere rather than waiting for you to bounce back. Whether it is an ordinary human error or a deliberate cyberattack, the risk of losing your critical data is significantly higher when your employees are working remotely. 

The 2020 User Risk Report by Proofpoint has estimated that about 45% of employees in the United States believe that public Wi-Fi networks are safe for work. This number is likely to be close to what we see in Ireland. When you don’t control the environment in which your employees operate, the risk is much higher and stands as an indication for you to take suitable data security measures.

Security solutions such as antivirus, firewall, patching, etc., can only get you so far. What if there is a manual oversight or a natural disaster? Human error also plays a significant role in many security breach incidents. In such situations, the survival of your business depends on your ability to bounce back fast with the help of backed up data. This is why you need a business continuity and disaster recovery solution through cloud-based data backups.

Learn more about Business Continuity and Disaster Recovery 

Best Practices for Cloud Backup 

When you use the 3-2-1 backup rule, cloud storage inevitably becomes a part of your backup strategy. As per this rule, you make three copies of your data, store two copies on different media (e.g., hard drive and local storage appliance) and store one copy off-site in the form of cloud backup. You may also expand this rule by storing multiple copies of your data in different cloud locations. 

Apart from the data storage rule, the following best practices could guide you with your backup planning: 

  • Know your recovery objectives: In the event of data loss, you need to know how quickly you must be back up before the outage becomes unaffordable (Recovery Time Objective, RTO) and how much data, measured in time since the last backup, you can afford to lose (Recovery Point Objective, RPO). These two figures drive a plan that actually delivers business continuity and disaster recovery. 
  • Prioritise your data: Businesses store all kinds of data every day. But which data is critical to your business recovery? Your backup plan should prioritise that first and then proceed with other data. A good cloud backup plan should outline different strategies for different kinds of data. 
  • Monitor your backup process: What’s worse than losing your data during a data loss event? Finding out that the backup data you have diligently stored is corrupted. You don’t want to be in such a position, especially after a catastrophic data loss. You need to monitor your backup process to ensure your backup operations are carried out without a glitch.
  • Test your backup and recovery: To ensure everything works as planned when disaster strikes, testing is a must. It is also a great way to identify the issues in your backup process and should be a part of your regular backup plan. Learn more about backup best practices.
  • Back up your SaaS data: Your G Suite and Office 365 providers protect their own infrastructure, which leads to the misconception that the data inside does not need backing up. Under the shared responsibility model the vendor guarantees the platform's availability, not the recoverability of your data: deleted or encrypted items are kept only for limited retention windows, and the provider accepts no liability for financial losses resulting from lost data. Make sure your backup plan covers your SaaS data as well.  
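
The "monitor" and "test" bullets above, together with the spot check, full restore test and RPO check described in "Monitor, Test, Restore – Making Sure Your Backups Are Ready!" earlier on this page, can be reduced to a handful of verifiable steps. The Python below is an added example (not code from the original articles or from Spector) that implements them: a backup is a copy of the source tree with a manifest of SHA-256 hashes written next to it; a spot check verifies a sample of files against the manifest, a restore test restores everything to a scratch directory and verifies every file, and an RPO check compares the manifest's age with the allowed window. The manifest file name, the sample files and the timestamps are constructed for the demonstration.

```python
"""Backup manifest, spot check, restore test and RPO check.

Added example, not from the original articles. A backup is a plain copy of
the source tree with a manifest of SHA-256 hashes written next to it; the
checks below compare the backup (or a test restore of it) against that
manifest, and compare the manifest's age against the RPO.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "manifest.json"   # assumed name, not from the articles


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, created_at: float) -> dict:
    """Hash every regular file under root, keyed by its relative POSIX path."""
    files: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[p.relative_to(root).as_posix()] = sha256_of(p)
    return {"created_at": created_at, "files": files}


def write_backup(source: Path, dest: Path, created_at: float) -> dict:
    """Copy source to dest and store the manifest alongside the copy."""
    shutil.copytree(source, dest)
    manifest = build_manifest(dest, created_at)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest))
    return manifest


def verify_against_manifest(root: Path, manifest: dict) -> List[str]:
    """One problem string per file that is missing or whose hash has changed."""
    problems: List[str] = []
    for rel, expected in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def spot_check(backup: Path, manifest: dict, sample: List[str]) -> List[str]:
    """Spot check: verify only a chosen sample of files inside the backup."""
    subset = {"files": {rel: manifest["files"][rel] for rel in sample}}
    return verify_against_manifest(backup, subset)


def restore_test(backup: Path, restore_to: Path, manifest: dict) -> List[str]:
    """Full restore test: restore everything to a scratch location, verify all."""
    shutil.copytree(backup, restore_to, ignore=shutil.ignore_patterns(MANIFEST_NAME))
    return verify_against_manifest(restore_to, manifest)


def within_rpo(manifest: dict, now: float, rpo_hours: float) -> bool:
    """True if the newest backup is no older than the RPO allows."""
    return (now - manifest["created_at"]) <= rpo_hours * 3600


def run_demo() -> dict:
    """Constructed scenario: back up two files, corrupt one copy, run the checks."""
    base = Path(tempfile.mkdtemp())
    try:
        src = base / "data"
        (src / "reports").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")          # constructed
        (src / "reports" / "q1.txt").write_text("quarterly report\n")  # constructed
        t0 = 1_700_000_000.0                                           # constructed

        manifest = write_backup(src, base / "backup", t0)
        clean = restore_test(base / "backup", base / "restore1", manifest)

        # Silent corruption: the backup copy of ledger.csv is truncated.
        (base / "backup" / "ledger.csv").write_text("id,amount\n")
        spot = spot_check(base / "backup", manifest, ["ledger.csv"])
        full = restore_test(base / "backup", base / "restore2", manifest)

        return {
            "files_in_manifest": len(manifest["files"]),
            "clean_restore": clean,            # [] means every file verified
            "spot_check": spot,
            "corrupted_restore": full,
            "fresh_6h_rpo_24h": within_rpo(manifest, t0 + 6 * 3600, 24),
            "stale_30h_rpo_24h": within_rpo(manifest, t0 + 30 * 3600, 24),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is what turns "check that the files are there" into a real test: a truncated or silently corrupted copy is still present and still opens, but its hash no longer matches. In production the same verify step would run against the restored copy on a schedule, and a backup whose manifest is older than the RPO, or whose job produced no manifest at all, is the condition that should page someone.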


Partnering With a Reliable Cloud Backup Provider 

With the volume of critical data increasing every day, businesses often face challenges protecting this data from unauthorised access. Cloud backup is the best way to ensure that vital data is always available in case of an unexpected disaster.  

Apart from ensuring data security, cloud storage can also make your backup process more efficient and cost-effective. To make the most of your cloud storage benefits, you want to have a trusted partner who you can rely on when things go south. 

This is where we come in. Our years of expertise in data backup and cloud storage can help you protect your business data in an incredibly effective way. Give us a call today and find out how we can help build your cloud backup plan and secure your data so you can access it anytime, from anywhere. 

 


Potential Risks That Insider Threats Pose to PII 


Personally Identifiable Information (PII) refers to any information maintained by an agency that can be used to identify or trace a specific individual. In other words, it includes data points such as social security number, date of birth, mother’s maiden name, biometric data, tax identification number, race, religion, location data and other information that can be used to deanonymise anonymous data.

If your organisation handles Personally Identifiable Information, you must take steps to secure your customer data. Not only is it essential from a compliance standpoint, but with security breaches on the rise, you have to make sure customer PII is not being compromised. Risk-Based Security revealed that by the end of 2020, a total of 36 billion records had been exposed and compromised. Of such data breaches, 60% are caused by insider threats or security threats originating from within an organisation. To make things worse, reports indicate that the number of insider incidents has increased by 47% over the last two years.

Related Article: Protecting your Business-Critical Data from Human Threat

Let's dive into the potential risks that insider threats pose to Personally Identifiable Information, especially for healthcare and financial institutions, and how you can protect your organisation against such threats.

Potential Risks

An insider threat is a security risk that originates from within your organisation and is usually someone with authorised access misusing data (intentionally or unintentionally) to harm your company or your customers. The culprit could be any individual who has authorised access to confidential and sensitive company information, right from your present or former employees to consultants, partners or contractors.  

If you do not secure your employee or customer PII, you leave yourself open to data breaches. Insider-led breaches are widespread and happen in many ways, from a negligent employee inadvertently downloading malware to a disgruntled contractor selling customer data on the Dark Web for money.  

Read: Your Biggest Cyber Security Risk: Your Employees

Insider-led data breaches are hard to detect because the threat actors have legitimate access and are probably familiar with your cybersecurity defence tools as well. It is much easier for them to circumvent your defences, access sensitive customer data and expose it. 

As a healthcare or financial institution, if your customers’ personally identifiable data is exposed, it can cause a great deal of trouble to both your company and your customers. Let’s look at some of the potential risks:

Risks to Your Company

Reputational damage

According to a study by Ponemon, 44% of companies believe it takes anywhere from 10 months to over two years to restore a company’s reputation after a breach. This is bound to be worse for healthcare or finance institutions since the data collected is extremely personal and sensitive. Even if you respond promptly and adequately to your customers regarding a data breach, it could still result in a PR disaster and a decline in the customer base. 

Financial loss

The average cost of a data breach in the U.S. is $8.19 million. Some of the consequential costs that companies find themselves paying include compensation to affected customers, fines and penalties for non-compliance with regulations such as GDPR, expenses for forensic investigations and more. On top of that, the valuation of your company could tumble as well. 

Ransomware costs

A malicious insider who gains access to your data systems can steal sensitive customer PII from your network. Once your systems are hacked, the cybercriminal can block access to your data and then threaten to sell the information on the Dark Web if you don’t pay the ransom. Malicious insiders could be current or former employees or an outsider who uses or manipulates an unsuspecting employee to get past your security perimeter. Learn more about Ransomware and its risks.

Operational standstill

Data breaches have the potential to paralyse your business operations. You will have to conduct a detailed investigation to determine what data has been compromised and the cause behind the breach. In case data has been lost, you will have to take steps to recover it. Furthermore, you may be faced with expensive lawsuits and settlements. Unless you have substantial emergency resources, you will have to halt your business operations temporarily.

Risks to Your Customers

Identity theft

Cybercriminals may acquire sensitive customer data and use it to their advantage. For instance, they could use your customers’ credit card numbers, social security numbers, health plan beneficiary numbers or biometric identifiers to impersonate them to commit fraud or gain financial benefits. Learn more about Identity Theft.

Social engineering attacks

Data breaches could uncover your customers’ PII, especially sensitive data, such as name, address, contact details, date of birth and so on, that could end up on the Dark Web. Cybercriminals might use this data to launch social engineering attacks on your customers. The attackers may then psychologically manipulate or trick customers into sharing their confidential details. Learn how to avoid Phishing attacks.

Blackmail campaigns

Data breaches could result in sensitive medical information, such as psychotherapy reports or blood test reports, being leaked online. Cybercriminals could then use this type of information to run blackmail campaigns against your customers.

How to Secure Personally Identifiable Information

With the insider threat landscape constantly evolving, businesses need to step up and secure PII and other sensitive data more effectively. By failing to do so, you could end up putting the future of your customers, employees and company in grave danger. Here are a few tips to help you get started:

  • Use behavioural analytics to set up unique behavioural profiles for all insiders and detect insiders accessing data not associated with their job functions.
  • Implement access and permission controls to review, revise and restrict unnecessary user access privileges, permissions and rights. 
  • Review the PII data you have already collected, where it is stored and who has access to it, and then securely delete what is not necessary for the business to operate. 
  • Set up an acceptable PII usage policy that defines how PII data should be classified, stored, accessed and protected. 
  • Make sure your PII policy is compliant with different privacy and data regulations that apply to your business.  
  • Upgrade your storage holdings to ensure the data lives in a SOC 2-compliant data centre.
  • Cut down on inadvertent insiders by implementing mandatory cybersecurity and data security training programs. 
  • Make use of software that will help you protect PII, such as third-party risk management solutions, data loss prevention tools, Dark Web monitoring applications and secure documentation solutions, among others.
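The first tip above, behavioural profiles that flag insiders touching data outside their job function, can be illustrated with a small baseline-and-deviation check. The script below is an added example, not Spector’s code or a product feature: it learns from constructed access-log lines which PII datasets each user normally reads, at what volume and during which hours, and then flags later accesses that fall outside that profile. The log format, user names, dataset names and thresholds are all assumptions made for the example.

```python
"""Baseline-and-deviation check for insider access to PII datasets.

Added example (not Spector's code). Log lines, users, datasets and the
thresholds are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log lines: timestamp|user|role|dataset|records_read
BASELINE_LOG = """\
2024-03-01T09:02:11|alice|billing|invoices|40
2024-03-01T10:15:43|alice|billing|invoices|55
2024-03-02T09:30:02|alice|billing|card_tokens|12
2024-03-01T08:55:19|bob|support|contact_details|25
2024-03-02T14:20:37|bob|support|contact_details|30
2024-03-03T11:05:48|bob|support|contact_details|28
2024-03-01T13:45:00|carol|clinician|health_records|8
2024-03-02T13:47:21|carol|clinician|health_records|10
"""

# Constructed detection-window lines; the second one is the anomaly.
DETECTION_LOG = """\
2024-03-10T09:10:00|alice|billing|invoices|50
2024-03-10T23:41:12|bob|support|health_records|500
2024-03-11T09:03:55|bob|support|contact_details|27
2024-03-11T14:00:09|carol|clinician|health_records|9
"""


def parse_log(text):
    """Turn pipe-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, role, dataset, count = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "dataset": dataset, "records": int(count)})
    return events


def build_profiles(events):
    """Per-user profile: datasets touched, mean records per access, hours seen."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    profiles = {}
    for user, evs in by_user.items():
        profiles[user] = {
            "datasets": {e["dataset"] for e in evs},
            "mean_records": mean(e["records"] for e in evs),
            "hours": {e["ts"].hour for e in evs},
        }
    return profiles


def detect(events, profiles, volume_factor=5.0, hour_slack=2):
    """Return (timestamp, user, reasons) for every event that deviates from
    the user's profile: unknown user, new dataset, volume spike, odd hour."""
    alerts = []
    for e in events:
        prof = profiles.get(e["user"])
        reasons = []
        if prof is None:
            reasons.append("no baseline for user")
        else:
            if e["dataset"] not in prof["datasets"]:
                reasons.append(f"dataset {e['dataset']} outside profile")
            if e["records"] > volume_factor * prof["mean_records"]:
                reasons.append(f"volume {e['records']} exceeds "
                               f"{volume_factor}x baseline mean")
            if not any(abs(e["ts"].hour - h) <= hour_slack for h in prof["hours"]):
                reasons.append(f"hour {e['ts'].hour} outside usual working hours")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(parse_log(BASELINE_LOG))
    for ts, user, reasons in detect(parse_log(DETECTION_LOG), profiles):
        print(ts, user, "; ".join(reasons))
```

In the constructed data only bob’s late-night read of 500 health records is flagged, and it trips all three checks at once (new dataset, volume, hour). In practice the baseline window should be long enough to cover legitimate variation, and an alert should feed a review by someone who knows the user’s job function rather than block access automatically.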

Taking adequate measures to secure personally identifiable information can significantly strengthen your cybersecurity posture against insider threats.

Protecting your customers’ PII is a challenging task, but one that has to be taken seriously. If you’re looking for expert assistance to take this weight from your shoulders, look no further. Get in touch today to speak to one of our specialists and learn how we operate. We’ll be happy to offer a tailored solution to handle your cyber security, compliance and technology development.

Data Privacy Versus Data Security: A Closer Look 

Data Privacy versus data security a closer look
Photo by Leon, on Unsplash

Reading Time: 4 Minutes
The importance of data privacy and data security has grown exponentially as organisations today collect and store more information than ever before. Having a robust data protection strategy is critical to safeguard confidential information and ensure the smooth functioning of your business. But before we move on, let’s take a step back to understand the fundamental concepts of data privacy and data security.    

Recommended Read: Protecting your Business Critical Data from Human Threat

The terms data privacy and data security are often misunderstood and used interchangeably. However, they are two separate concepts! Data privacy focuses on how information is handled, stored and used, while data security is concerned with protecting your organisation’s assets. 

Understanding Data Privacy 

Data privacy deals with the regulations and practices to ensure data is responsibly handled. It includes how information is collected, processed, stored and disseminated. Any organisation that collects and stores data or does business across the globe should comply with several privacy regulations, such as General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Children’s Online Privacy Protection Act (COPPA) and other privacy laws.  

These regulations aim to protect and enhance consumer and personal privacy. These rules give individuals the right to know what information is collected, why it’s collected and how it’s processed. As data privacy regulations are growing globally and becoming more complex, privacy requirements are also changing. Non-compliance with these laws could cost your business dearly. In 2019, Google was fined $57 million under the European Union’s GDPR law. Click to learn more about penalties, fines and violations regarding compliance. 

Importance of Data Privacy 

Data privacy is an individual’s right to control who has access to personal information and how it should be used. This also protects personal data from being sold or redistributed to third parties. When organisations collect customers’ data, it is their responsibility to protect and preserve their clients’ sensitive information. Not having a privacy policy in place or failure to comply with privacy laws can lead to severe consequences, apart from legal actions and financial loss. 

Understanding Data Security 

Data security is the process of protecting information from unauthorised access, data corruption and data loss. A data security process includes various techniques, data management practices and technologies that act as defence mechanisms to protect data from internal and external threats.  

Read: Protecting your SaaS Data is your Responsibility

Data security is concerned with what an organisation does with the data collected, where and how the data is stored, and who is allowed to access the information. A comprehensive data security strategy will help prevent data breaches, ensure business continuity and keep your company’s data safe from cyberthreats.

Importance of Data Security 

The term “Data is the new oil,” coined by Clive Robert Humby in 2006, stands true in today’s competitive business environment. Data security is critical for the smooth functioning of day-to-day operations and running a business successfully. Failure to protect your organisation’s confidential data can damage your brand’s value, result in regulatory penalties or shut down your business.  

The alarming rate at which cyberattacks are growing has forced organisations of all sizes to consider data security as a top priority. It is estimated that organisational spending on cybersecurity has reached $123 billion in 2020.  

Depending upon the purpose, type of industry or geographical location, your business can implement security compliance frameworks and international standards, such as the National Institute of Standards and Technology (NIST), the International Organisation for Standardisation (ISO) and Payment Card Industry Data Security Standard (PCI DSS). These frameworks provide guidance and best practices for information security to help you assess IT security measures, manage risks, respond to security incidents and improve your information security management system. 

Difference Between Data Privacy and Data Security 

In simple terms, data privacy and data security are two sides of the same coin. They are distinct concepts but are closely related. Achieving data security doesn’t ensure data privacy and vice versa, but both are required to establish a comprehensive data protection strategy. Knowing the difference between these terms will help you strategise better, prevent data breaches and stay legally compliant.

Let’s distinguish the two concepts with a hypothetical example. 

Assume you own a laptop where you store personal information. To stop people from accessing those files, you pasted a sticker on the cover that reads ‘Do Not Touch’. But to add an extra layer of protection, in case people don’t read or ignore the sticker, you locked the computer with a secure password.

There are two things to note here. First, the ‘Do Not Touch’ sticker tells people to keep away from your laptop, thereby asserting your privacy. Second, the password ensures no one can access your data, thereby protecting your data from unauthorised access.

Find the best advice for creating strong passwords with this article.

How to Achieve Data Privacy and Security While Being Legally Compliant 

Achieving data privacy and data security and complying with several laws have their own set of challenges. Even large organisations struggle to understand and implement the proper security management and compliance measures.  

But that shouldn’t be the same for your business. To learn how you can achieve and maintain compliance for data privacy and security, contact us today.    


Why Security Awareness Training Is Essential for Backups 

Reading Time: 3 Minutes
According to IBM’s 2020 Cost of a Data Breach Report, human error causes nearly 25% of data breaches, meaning that a negligent employee can become a tangible threat to your business’ invaluable data. The only way to prevent your employees from compromising your business data is by providing regular security awareness training. Conducting a one-time training program will not suffice amid today’s ever-changing threat landscape.

Related Article: Navigating Backups and Training during unprecedented times

Cybercriminals are waiting to exploit your business’ vulnerabilities, one of which could be your employees. There are multiple ways your negligent employees could jeopardise the security, integrity or accessibility of your business data, including: 

  1. Password reuse: Reusing the same password for multiple accounts is a widespread poor password habit utilised by careless employees. Unaware of the security consequences, the average user uses the same password across an average of five account logins, both personal and business, according to Ponemon research. Learn more about password security here.
  2. Accidental sharing and exposure: A moment of carelessness can lead to an employee sending data to a cybercriminal. This can have severe ramifications and lead to your sensitive business data ending up in the wrong hands. 
  3. Falling for phishing scams: Since the start of the COVID-19 pandemic, phishing attacks have gone up by over 60%. An untrained employee may find it difficult to detect these deceiving scams, leading to the leakage of sensitive business information. Learn how to identify a phishing email here.

You must intentionally develop a security-focused culture within your organisation through comprehensive and continual security training if you wish to avoid or mitigate unplanned downtime or disruptions due to data loss incidents. Employees consistently exposed to security training are more likely to follow cybersecurity best practices, thereby ensuring your business data is not left in the lurch. 

Read: Protecting your Business-Critical Data from Human Threat

Implementing security awareness training is as vital to preventing data loss incidents as having a robust backup strategy. Backups can help you recover mission-critical data quickly in the event of a data loss or corruption incident that may impact your business, and could save your business from losing crucial revenue or clients. In addition to safeguarding critical business data, a robust backup can also ensure that:

  1. You have access to complete copies of your business’ data assets in one place 
  2. You can significantly reduce business downtime following a data loss incident 
  3. The overall confidence in your business increases among customers and partners 

Recommended Read: How Backups and Disaster Recovery Protect SMEs

An effective backup strategy is characterised by multi-layered mediums and failover options, proper policy and procedure development, regular testing, and the implementation of comprehensive and consistent security awareness training.  

Regular Training Limits the Need to Excessively Depend on Backups  

Cybercriminals are experts at exploiting global events to scam people and businesses. The COVID-19 pandemic gave hackers a golden opportunity to exploit the loopholes left unaddressed by companies adopting the remote work model. 

With incidents of phishing and ransomware attacks going through the roof, security awareness training is more relevant now than ever before. By mitigating the human errors and mistakes that often factor into many data loss or corruption incidents, you can dramatically minimise costs and consequences that could impact your business’ success.  

Related Article – Your Biggest Cyber Security Risk: Your Employees 

During the pandemic in 2020, 56% of businesses recovered their data using backups after a ransomware attack. Many of these businesses could have avoided the damages inflicted by these attacks if they effectively trained their employees to spot common warning signs of cyberthreats such as ransomware scams. 

Deploying a data protection strategy that incorporates both backups and security awareness training will help your business counter data loss effectively. 

Incorporate Your Employees Into Your Backup Strategy 

With cyber threats becoming increasingly prevalent and malicious, you must take any measure possible to protect your business and its mission-critical data.  

Building and implementing the right strategy for backups and security awareness training can be easier with the right partner. We can help you implement a comprehensive data protection plan that incorporates employee training and data backup solutions that will enable your business to avoid data loss events that can jeopardise your business’ future. Talk to us now and find true peace of mind with the right solution.

 

Data Sources: 

  • Security Magazine Verizon Data Breach Digest 
  • 2020 Cyberthreat Defense Report 

GRC Fines, Penalties and Violations! Oh My! 

Reading Time: 3 Minutes
Global data protection regulations (new or updated) are being enforced aggressively, resulting in a tsunami of hefty fines and penalties to violators. The majority of these violations result from the failure to conduct regular risk assessments, which form an integral part of the ‘appropriate measures’ a business must take to ensure information security. 

For example, in 2017, credit agency Equifax lost personal and financial information of nearly 150 million consumers due to an unpatched Apache Struts framework in one of its databases. Regulatory authorities found Equifax guilty of “failing to take reasonable steps to secure its network”. The credit agency was mandated to pay a hefty fine, valued at potentially $700 million, which it is still paying to the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB) and all 50 U.S. states. 

Read: Understanding and Calculating Organisational Risk

If Equifax had implemented an ongoing risk assessment strategy, it could have avoided the subsequent financial fallout and reputational damage. A single risk assessment would have helped Equifax uncover and fix the patch-related vulnerability promptly. 

You must understand that regulatory agencies don’t expect you to cast a magic spell that can protect your network from threats indefinitely. They simply strive to hold you accountable for the steps you need to take to ensure consistent data protection and privacy. For example, the most enforced HIPAA audit requirement out of a total of 180, which has been cited in more than 50% of recent penalties, is an accurate and thorough risk analysis. 

Recommended: Is your Business ready for HIPAA and PCI-DSS?

Disasters Businesses Could Have Avoided

Here are a few instances where businesses were pulled up by the regulatory bodies and slapped with hefty fines for the lack of a risk assessment and management strategy. This will help you understand how risk assessment can go a long way towards building a resilient cybersecurity defence and demonstrating full compliance. 

Marriott International Shelling Out Over €20 Million 

Marriott International, Inc. was fined a whopping €20,450,000 for failing to implement sufficient technical and organisational measures to ensure information security. The basis of the penalty was Article 32 of the General Data Protection Regulation (GDPR), which clearly states the need for “a process that regularly tests, assesses and evaluates the effectiveness of technical and organisational measures to ensure the security of the processing.”

Capital One Fined $80 Million

In 2019, Capital One suffered a breach affecting 100 million people in the U.S. and 6 million in Canada. By exploiting a configuration vulnerability in the company’s web application firewall, an “outside individual” obtained personal information of Capital One’s credit card customers as well as people who had applied for credit cards. The Office of the Comptroller of the Currency fined Capital One $80 million for its “failure to establish effective risk assessment processes” when migrating operations to a public cloud environment.

Premera Blue Cross Coughing Up $6.85 Million

Washington-based health insurance company, Premera Blue Cross, was fined $6.85 million for HIPAA violations for a breach that affected over 10.4 million people. While handing Premera the second-largest HIPAA fine on record, the Office for Civil Rights (OCR) cited “system non-compliance” with HIPAA requirements. The OCR concluded that Premera had failed to conduct a risk analysis, implement risk management, or put audit controls in place.

Related Article: First Step to Compliance – a thorough and accurate risk assessment

It goes without saying that if all three companies paid heed to expert compliance advice and implemented a meticulous risk assessment and management strategy, their balance sheets would have looked significantly different.

Deploy Risk Assessment and Avoid a Financial Setback

Several data regulations have defined the importance of risk assessment in ensuring data privacy and protection. For example, the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) clearly mandates covered entities and their business associates to conduct a risk assessment.

Learn more with the article Managing your Technology Risk

By merely implementing this cybersecurity best practice – continuous risk assessment – you will be able to significantly reduce the likelihood of a security breach and a compliance audit; both of which can lead to a tremendous loss of revenue. Think about all the financial implications you could avoid. That should convince you.

Seek Expert Help for Implementation

Implementing a comprehensive risk assessment and information security strategy as part of routine operational procedures is no easy feat. You need specialised tools and experienced and dedicated support to ensure you get thorough and accurate risk assessments regularly to achieve and maintain compliance obligations.

Compliance is complicated and stressful, which is why partnering with an IT and Data Security specialist can help you simplify the risk assessment process and take the chaos and confusion out of the equation. Talk to us today to learn about our specialist approach to compliance and how we can help any business – including yours – be compliant without effort.

Backup Strategies to Prevent Data Loss 

Backup Strategy to prevent data loss
Photo by Alvaro Reyes on Unsplash

Reading Time: 5 Minutes
We live in a digital age where data has become one of the most valuable commodities in the world. Businesses collect vast volumes of data every day from their customers, which plays a critical role in their day-to-day operations. If business organisations happen to lose their data under any circumstance, the consequences can be catastrophic.

This is the harsh reality of today’s digital business landscape. Businesses can experience data loss in many ways, ranging from natural disasters to cyberattacks. Should you suffer an unexpected data loss, your competitive advantage lies in how quickly you can get your operations up and running without experiencing significant downtime.

Related Article: Securing Company Data with a Remote Workforce

In this blog, we’ll take a brief look at the various dangers to business data and how you can prevent them with the proper backup strategy. We’ll also look at the different ways of backing up data and the advantages of using a robust business continuity and disaster recovery (BCDR) solution. 

Why Do You Need Data Backup? 

Before we look at the different ways of backing up data, you need to know why your business requires data backup. Businesses commonly encounter the following threats to their data in their everyday operations.

Cyberattacks: As technology evolves, cyberattacks continue to evolve as well. The growing threat of ransomware is a testament to that. According to the latest Verizon report, 27% of malware incidents can be attributed to ransomware attacks. While antimalware and antivirus programs can certainly offer protection, businesses need to think about what might happen in case of an unavoidable security breach and eventual data loss when formulating a data security strategy.

Natural disasters: Natural disasters such as floods, fire, earthquakes and the like pose a meaningful threat to the traditional form of data storage and security. Do you have what it takes to bounce back if these disasters catch you off guard and wipe out your company’s data?

Hardware issues: Mishaps originating from hardware issues play a major role in business data loss. With traditional data storage methods, data is stored in a physical location on hard drives and backup appliances. Any hardware issues arising in these devices can pose a severe threat to your valuable data. 

Human errors: Human errors still play a central role in data loss. According to Verizon, as much as 30% of data loss incidents are caused by internal actors. This could be attributed to anything from poor password practices to falling for phishing scams. Human error can be avoided with employee training.

All these factors indicate that data loss can happen to any organisation irrespective of their size or the security precautions taken. You need a solid data backup solution to make sure that your lost data is not entirely unrecoverable. 

How to Back Up Your Data

As you understand the importance of data backup, certain questions may inevitably spring to mind – What is the best way to store data? How many copies should you take?

Regarding the best way of storing data, both cloud backup and on-site backup appliances need to be considered. This is because both have their own advantages and limitations. On-site storage devices are faster, giving organisations complete control over their data. However, they are prone to physical mishaps and hardware issues. On the other hand, cloud-based backup is not vulnerable to local natural disasters but requires a lot of bandwidth to back up large files.

Related Article: Navigating Backups and Training during Unprecedented Times

The ideal backup strategy combines both these approaches, with multiple copies stored in different locations. When backing up your data, you need to consider the 3-2-1 rule, which simultaneously answers your questions on the right approach to data backup and the number of copies that need to be made. 

As per this rule, it is prudent to have at least three copies of data – one production copy and two backup copies on two different media (internal hard drive and removable storage media) along with one off-site copy (cloud) for disaster recovery. Newer variations of this rule suggest having at least two copies (3-2-2 rule) on the cloud depending on the importance of your data. Ultimately, the more copies you make, the higher your chances of recovery after a loss. 

Advantages of BCDR Over File-Only Backups

Backups
Photo by benjamin lehman on Unsplash

In crude terms, data backup is simply the process of making copies of your files and storing them. However, the primary purpose of a backup is to get your business up and running in no time following an unexpected disaster. Hence, an effective backup strategy is symbiotic with business continuity as well. Business continuity refers to the ability of your organisation to get back in working order as quickly as possible following an unexpected data loss.

Recommended Read: Why an Impact Analysis is Essential for Business Continuity

When you think about business continuity, you must think in terms of Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO refers to the maximum time an application can be down without affecting the business. RPO refers to the maximum amount of data that can be lost without harming the company. 
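The 3-2-1 rule described under “How to Back Up Your Data” and the RPO defined just above are both things you can check mechanically against a backup inventory. The script below is an added example, not Spector’s code or a product: it validates each dataset’s copies against 3-2-1 (three copies, two media, one off-site) and then computes the data-loss window that a given incident would actually produce, which is what you compare with your RPO target. The inventory, the incident scenario (a site loss at a location labelled “hq”) and the RPO target are constructed for the example; the field names are assumptions.

```python
"""3-2-1 compliance and achieved-RPO check for a backup inventory.

Added example (not Spector's code). The inventory, incident scenario and
RPO target are constructed for illustration; field names are assumptions.
"""
from datetime import datetime

# Constructed inventory: one record per copy of each dataset. The production
# copy counts as one of the three copies, as the 3-2-1 rule is stated above.
COPIES = [
    {"dataset": "crm_db", "role": "production", "media": "internal_disk",
     "location": "hq", "offsite": False, "last_updated": "2024-05-06T02:00:00"},
    {"dataset": "crm_db", "role": "backup", "media": "nas",
     "location": "hq", "offsite": False, "last_updated": "2024-05-06T02:30:00"},
    {"dataset": "crm_db", "role": "backup", "media": "object_storage",
     "location": "cloud-eu", "offsite": True, "last_updated": "2024-05-05T22:00:00"},
    {"dataset": "fileshare", "role": "production", "media": "internal_disk",
     "location": "hq", "offsite": False, "last_updated": "2024-05-06T01:00:00"},
    {"dataset": "fileshare", "role": "backup", "media": "internal_disk",
     "location": "hq", "offsite": False, "last_updated": "2024-05-06T01:10:00"},
]


def check_321(copies, dataset):
    """Return (ok, findings): at least 3 copies, 2 media types, 1 off-site."""
    ds = [c for c in copies if c["dataset"] == dataset]
    findings = []
    if len(ds) < 3:
        findings.append(f"{len(ds)} copies, need at least 3")
    media = {c["media"] for c in ds}
    if len(media) < 2:
        findings.append(f"{len(media)} media type(s), need at least 2")
    if not any(c["offsite"] for c in ds):
        findings.append("no off-site copy")
    return not findings, findings


def surviving_copies(copies, dataset, lost_locations):
    """Copies of the dataset not stored at any of the lost locations."""
    return [c for c in copies
            if c["dataset"] == dataset and c["location"] not in lost_locations]


def achieved_rpo_hours(copies, dataset, incident_time, lost_locations):
    """Hours of data lost if an incident at incident_time destroys every copy
    at lost_locations: 0 if production survives, the age of the newest
    surviving copy otherwise, or None when nothing survives."""
    survivors = surviving_copies(copies, dataset, lost_locations)
    if not survivors:
        return None
    if any(c["role"] == "production" for c in survivors):
        return 0.0
    incident = datetime.fromisoformat(incident_time)
    newest = max(datetime.fromisoformat(c["last_updated"]) for c in survivors)
    return (incident - newest).total_seconds() / 3600


def rpo_report(copies, datasets, incident_time, lost_locations, rpo_target_hours):
    """Per-dataset data-loss window and whether it meets the RPO target."""
    report = {}
    for d in datasets:
        loss = achieved_rpo_hours(copies, d, incident_time, lost_locations)
        report[d] = {"hours_lost": loss,
                     "within_rpo": loss is not None and loss <= rpo_target_hours}
    return report


if __name__ == "__main__":
    for d in ("crm_db", "fileshare"):
        print(d, check_321(COPIES, d))
    # Scenario: the hq site is lost at 03:00 and the RPO target is 4 hours.
    print(rpo_report(COPIES, ("crm_db", "fileshare"),
                     "2024-05-06T03:00:00", {"hq"}, rpo_target_hours=4))
```

In the constructed scenario crm_db passes 3-2-1 but still loses five hours of data when the site goes, because the only off-site copy is the oldest one; fileshare fails all three parts of the rule and is unrecoverable. The point a practitioner should take from this is that 3-2-1 compliance and RPO are separate checks: the rule guarantees a surviving copy exists, while the RPO depends on how fresh that surviving copy is.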

A good Business Continuity & Disaster Recovery solution will provide you with the following benefits: 

  • Significant reduction in RTO and RPO 
  • Ability to predict business restoration following an unexpected disaster 
  • Reduction in downtime and associated revenue losses 
  • Lower interruption to critical business processes 
  • Avoid compromise to business reputation 
  • Ability to customise disaster recovery as per your needs

Best Practices for Data Backup

While incorporating an effective backup strategy, you need to implement the following best practices to limit data loss:

  • Increase frequency: Digitally-run businesses are required to back up their data multiple times a day. Doing it once a day, at the end of business hours, is no longer sufficient, especially with the number of threats gunning for your data. 
  • Use cloud backup: The Cloud has become an indispensable component of data backup in this digital age. Cloud backup comes with a multitude of benefits such as easy recovery, easy scalability, better cost efficiency and more. 
  • Use the power of automation: Automation has become a game-changer regarding various IT tasks, and backup is no exception. When you automate your disaster recovery process, you can bounce back from severe disasters and continue business operations without suffering too much downtime. 
  • Determine your retention span: Retaining all data backup versions forever is not feasible for most small businesses. Due to this, you need to determine the duration for which you will retain your data. This requirement will vary based on your industry, needs and compliance regulations. You need to come up with a solution that ticks all parameters. 

To Sum Up

Backup should be a part of every organisation’s business strategy, irrespective of its size, location or industry. Threats to business data are widespread and are happening at an alarming rate. In this scenario, a solid data backup plan could be the preventative measure that saves your business when disaster strikes. 

Talk to us today so we can help you zero in on an effective backup strategy that’s tailor-made for you. 


How A ‘Compliance First’ Mindset Limits Liabilities for SMBs

Compliance First limit liability SMEs
Photo by Benjamin Child on Unsplash

Reading Time: 3 Minutes
By adopting a Compliance First strategy, when choosing solutions and vendors, you will identify those that do not comply with your requirements, eliminate them from your selection process, and then select from the rest. It also means evaluating your current solutions and vendors and replacing those that cannot support your compliance requirements. 

In simple terms, compliance is anything someone else makes you do. This means laws, regulations, contracts, and even the terms of a cyber insurance policy. Failure to act responsibly can have devastating results — hefty penalties, lawsuits, investigations, and failing to have insurance cover big claims that can exceed $1 million.

Related Article: How to Ensure Compliance when Working Remotely?

If you think compliance is unimportant for you or only applies to enterprises, think again. No business is immune to compliance regulations, which is, in fact, a good thing. By knowing your business must be compliant, you can avoid fines and penalties, improve operational safety, improve public relations, prevent attrition and above all, ensure that liability insurance claims pay out in the event of an incident. Compliance has a measurable Return on Investment (ROI). 

By making the ‘Compliance First’ approach your first step, you can meet minimum regulatory requirements to protect against fines while also staying in compliance with liability insurance requirements. After this, you can improve your business’ compliance posture further by adopting additional measures. 

A Single Compliance Mistake Can Invalidate Liability Insurance Claims 

Many small and medium-sized businesses prefer to use free or the most affordable solutions possible. If you’re one of them, keep in mind that this is not a safe practice. Without solutions that meet security, encryption and reporting standards outlined by regulations that you must abide by (HIPAA, CMMC, PCI-DSS and GDPR), you could face three fundamental problems:   

  1. Suffering a preventable catastrophic breach 
  2. Risk of non-compliance and subsequent fines  
  3. Risk of violating and nullifying liability insurance policies, leaving you financially exposed 

Using cheap or low-cost non-compliant solutions may be tempting, but it can cause your business to assume all the reputational and financial risk and cost in the event a compliance violation comes to light. Remember that you do not have to use multiple non-compliant solutions to invalidate your insurance; even using just a single non-compliant solution can cause your claim to be denied.

All your insurance claims that cover compliance regulation infractions specific to HIPAA, CMMC, GDPR or PCI-DSS can be invalidated by a single act of negligence. If the vague regulatory guidelines overwhelm you, you are not alone. But it is worth taking the time to learn more about your requirements, so your organization can become adequately protected. 

The Cost of Non-Compliance 

Many businesses think of compliance spending as an unrewarded cost of business rather than considering it as an investment in protecting assets. This leads to less spending on compliant software or even under-staffing of compliance teams. If your business eventually ends up being non-compliant, it can have devastating reputational and financial consequences.  

HIPAA penalties often exceed $1 million. Defence contractors can lose their primary source of revenue by not complying with cybersecurity requirements.

Recommended read: Is your business ready for HIPAA and PCI-DSS?

If you accept credit cards, PCI-DSS violations can draw penalties ranging from $5,000 to $100,000 per month by payment providers (VISA, Discover and others). Penalties depend on the volume of clients and transactions. 

GDPR violations lead to hefty violation fines worth 2% to 4% or more of company revenue based on the severity of the violation.  

Even the information you have about your workforce is protected by state and federal laws. 

Begin With a ‘Compliance First’ Approach for Product Selection 

A ‘compliance first’ approach covers a broad range of critical considerations to keep a business compliant. However, if you do not know where to begin, start with a business tool audit. The internal tools to audit for compliance are:  

  • Voice services like VoIP 
  • Cloud storage and file hosting 
  • Document sharing and transfer services 
  • Productivity tools 
  • Communication tools 
  • Any digital tool, product or service used for business 

Many regulations require data, including voice messages and emails, to be encrypted in transit and when stored. Find out if your version is compliant by reviewing each solution’s product sheet or release notes. If it’s still unclear whether or not the solution provides the type of compliance you’re looking for, contact the technology vendor directly to get an independent audit report of their compliance with the requirements you must meet. 

The ‘Compliance first’ approach can help develop a compliance-oriented culture within your business, thus preventing your business from falling into the quicksand of non-compliance. 

We understand that implementing the ‘compliance first’ approach can be a bit challenging. Don’t worry. We can help you seamlessly integrate this approach into your business operations to meet legal and insurance obligations. Get in touch with us today to get started. 


Are Your Business Partners and Vendors Potential Security Weak Links?

People working in office. Business partners potential weak security links
Photo by Alex Kotliarskyi on Unsplash

Reading Time: 3 Minutes

A modern supply chain consists of people, systems and technologies that enable the delivery of goods and services to end-users. However, this dependency on third-party business partners opens doors to many security risks.

A lot can go wrong throughout the supply chain operation, which is why you should pay close attention to risks associated with third-party partners. Since many of them have varying degrees of access to your organisation’s systems and sensitive data, they could potentially be the weak link that jeopardises your entire security strategy.

Related Article: Recommended Best Practices for a Secure Supply Chain 

According to a survey conducted by Opinion Matters for BlueVoyant in June 2020, a whopping 80% of organisations have suffered a third-party related breach.

Supply Chain Challenges and Security Risks

It is common for modern-day companies to outsource core functions to improve efficiency and save costs. Working with multiple vendors that address your unique needs is vital to thrive in a competitive business landscape. However, managing different types of vendors can not only be daunting but can also expose your organisation to several threats. That’s why understanding the challenges and risks that come with third-party vendors or suppliers is critical for the safety and security of your business.

Listed below are some of the challenges and risks that organisations constantly face in a supply chain ecosystem.

Inadequate Visibility and Lack of Direct Control

According to the survey commissioned by BlueVoyant, 77% of respondents said they had limited visibility into the functioning of their third-party vendors. Multiple vendors and lack of resources limit organisations from continuously monitoring the entire vendor ecosystem and maintaining control of the supply chain. Without adequate visibility and control into third-party networks, it can be extremely challenging to identify potential risks or respond to threats appropriately.

Lack of Data Integrity

Today’s organisations are data-driven, and as such, data integrity is crucial for informed decision making, improving operational efficiency and gaining a competitive advantage. Since a supply chain involves a mix of multiple third parties who have access to sensitive information, such as customer details, financial data, trade secrets and more, ensuring the integrity of the sheer volume of data on hand can be a hurdle.

Dig deeper with the article: How to Effectively Manage Supply Chain Risks

One mistake from a third-party business partner could lead to a potential security breach, which could have a devastating impact on both your business and the entire supply chain ecosystem. Having a comprehensive third-party risk management strategy, backed by a robust backup and recovery solution, is vital to better manage and secure your organisation’s data when unexpected disaster strikes.

Poor Security Practices

Over 75% of organisations have been victims of a data breach due to security vulnerabilities in their partners’ networks. While your IT security posture may be solid, bad actors can easily infiltrate your third party’s weak network. It is hard to control the security practices of supply chain partners, which makes it even more difficult to identify potential threats that might be lurking in their unpatched servers or systems. Since a supply chain is deeply interconnected, a weak link can sabotage the entire network.  

Working with a diverse portfolio of supply chain vendors also translates into increasing third-party access to your organisation’s IT infrastructure, applications and data. Therefore, defining roles and controlling user access to sensitive data is critical to mitigating security and compliance risks. Learn more about Access Control.

The Human Factor

While companies rely heavily on technology to improve efficiency and service delivery, human error is one of the leading causes of data breaches. From browsing infected websites to failing to maintain password hygiene, an untrained and unaware workforce can leave security gaps throughout the supply chain and within your own organisation as well. Although these actions may be unintentional, they open doors for cybercriminals who are constantly looking for opportunities to infiltrate your company’s network.

Read: The Biggest Risk for your Organisation – Your Employees

Protect Your Business and Data

When it comes to protecting your business and data, you must not ignore the threats posed by your supply chain. Not only should you secure your IT infrastructure and data, but you should also ensure your third-party systems, data and applications are appropriately backed up and protected.

Contact us today to find out how you can securely protect your company’s assets against growing cyberthreats. Leverage the power of technology and enjoy your well-earned peace of mind.


Article curated and used by permission. 

Data Sources: 

  • Blue Voyant Global Insights: Supply Chain Cyber Risk Report 

Protecting Your Business-Critical Data From Human Threat 

Protecting Business Data from Human Threat
Photo by Austin Distel on Unsplash

Reading Time: 4 Minutes
The technology-driven era we live in has made information sharing and data access very efficient. Still, it has also brought forth a new set of challenges. One of the notable challenges businesses face in this day and age is the rising threat to data security. However, the threat to business data does not always come from external actors. According to a study by CybSafe, human error, whether intentional or unintentional, was the main reason behind 90% of data breaches in 2019. To make matters worse, insider-related cybersecurity incidents have increased 47% in the last two years. 

Recommended Read: How can SMEs Apply Zero Trust Cyber Security Practices?

Therefore, it’s safe to say that the biggest threat to business-critical data comes from human elements inside an organisation. Since data is the lifeline of most businesses in this digital environment, any compromise can jeopardise operations and bring businesses to a complete halt. To avoid this, companies need to be aware of the threats posed by insiders and incorporate the necessary measures to prevent them.

In this blog, we’ll discuss the risks the human factor poses to cybersecurity and how you can overcome them.

Actors and Motivations Behind Insider Threats

There are two main types of actors behind all insider threat incidents: negligent insiders who unwittingly act as pawns to external threats and malicious insiders who become turncloaks for financial gain or revenge. 

Negligent Insiders: These are your regular employees who do their jobs but occasionally fall victim to a scam orchestrated by a cybercriminal. These actors do not have any bad intentions against your company. However, they are also the most dangerous since they account for about 62% of all insider threat incidents.

Negligent insiders contribute to data security breaches by: 

  • Clicking on phishing links sent by untrusted sources 
  • Downloading attachments sent from suspicious sources 
  • Browsing malicious or illegitimate websites using work computers 
  • Using weak passwords for their devices 
  • Sending misdirected emails to unintended recipients 

Train your staff with these tips on How to Avoid Phishing and Creating Stronger Passwords.

Malicious Insiders: These are disgruntled employees who wreak havoc on your data security for financial gain or revenge. While financial gain is the top reason behind most malicious insider actions, it isn’t always the case. Despite being rare in occurrence, these threats often have much more severe consequences since the actors have full access and credentials to compromise your security. For instance, a Chinese national allegedly stole trade secrets from a US-based petroleum firm, with the value of these secrets estimated to be about $1 billion. Losses of this magnitude are usually quite severe for any organisation, irrespective of its size.

Best Ways to Prevent Insider Threats and Protect Data

When a business falls victim to a data security breach, it faces more than just financial repercussions. The organisation’s reputation, competitive advantage, intellectual property, etc., often come under fire following an insider threat incident. Additionally, some compliance regulations impose hefty fines on businesses for allowing such a breach to occur. It is estimated that 60% of companies go out of business within six months of a major data breach incident. That’s why you must take a proactive approach when it comes to combating insider threats. 

Detecting Insider Threats 

Certain factors can help you identify insider threats before you experience a full-blown breach: 

  • Human behaviour: A potential insider with malicious intent against an organisation will exhibit abnormal behaviour. For instance, an employee trying to access privileged information and frequently staying late after office hours could be suspicious behaviour to watch out for. 
  • Digital signs: Before a major breach due to insider threats, you may witness some abnormal digital signs like a substantial amount of data downloaded, high bandwidth consumption, traffic from unknown sources, unauthorised use of personal storage devices, etc. 

Defence Strategies Against Insider Threats

There are a few strategies that you can implement throughout your organisation to minimise the possibility of insider threats.

  • Insider threat defence plan: Your strategies against insider threats start by creating a defence plan specific to insider threats. You need to define what constitutes abnormal behaviour in your employees and set up alerts for digital signs in your IT environment. Most importantly, you need to limit access to critical data and provide unique credentials for those with access to your data. Learn more about Access Control.
  • Data backup: Backups are essential to protect your data in case of an unavoidable loss. With regular backups for your critical data, your business can get back up and running after a security breach involving an insider. Before you back up your data, you need to classify what data is worth protecting and create a strategy accordingly. Learn more about Backup and Disaster Recovery.
  • Employee training: When properly trained, employees could be your first line of defence against various cyber threats. You need to create an organisational-level best practices policy that outlines clear instructions on BYOD (Bring Your Own Device) policies, passwords, remote working, etc. Learn more about Employee Training.
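The "digital signs" and alerting rules described above, as an added example that is not part of the original article: a small detector that runs four of the signals named here (privileged data touched outside office hours, removable storage use, traffic to an unknown destination, and a download-volume spike against a per-user baseline) over constructed log lines. The log format, thresholds, baselines and destination allow-list are assumptions chosen for illustration.

```python
"""Insider-threat 'digital signs' detector over constructed log lines.

Added example, not from the original article. The log format, thresholds,
baselines and allow-list below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp|user|event|resource_or_dest|bytes
SAMPLE_LOGS = """\
2021-03-01T09:12:00|alice|download|fileshare/finance|120000
2021-03-01T10:05:00|alice|download|fileshare/finance|80000
2021-03-01T22:41:00|alice|access|hr/salaries|0
2021-03-01T23:02:00|alice|download|hr/salaries|950000000
2021-03-01T23:10:00|alice|usb_mount|USB-device-01|0
2021-03-01T11:30:00|bob|download|fileshare/marketing|300000
2021-03-01T14:00:00|bob|upload|203.0.113.7|45000000
2021-03-01T15:20:00|carol|access|crm/accounts|0
"""

# Constructed baseline: bytes a user typically downloads per day (for
# instance learned from previous weeks). Unknown users get DEFAULT_BASELINE.
DAILY_BASELINE = {"alice": 200_000, "bob": 500_000}
DEFAULT_BASELINE = 100_000
EGRESS_MULTIPLIER = 10          # flag a day that exceeds 10x the baseline
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 counts as normal working hours
PRIVILEGED_PREFIXES = ("hr/", "finance/")   # assumed sensitive resource paths
KNOWN_DESTINATIONS = {"fileshare", "hr", "crm", "mail.example.internal"}


def parse_line(line):
    """Split one pipe-delimited log line into a dict with typed fields."""
    ts, user, event, target, size = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "target": target, "bytes": int(size)}


def detect(log_text):
    """Return a list of (rule, user, detail) alerts for the given log text."""
    alerts = []
    egress = defaultdict(int)   # (user, date) -> bytes downloaded that day
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        user, event, target = rec["user"], rec["event"], rec["target"]
        # Rule 1: privileged resource accessed or downloaded outside office hours
        if (event in ("access", "download")
                and target.startswith(PRIVILEGED_PREFIXES)
                and rec["ts"].hour not in BUSINESS_HOURS):
            alerts.append(("after_hours_privileged", user,
                           f"{target} at {rec['ts'].isoformat()}"))
        # Rule 2: removable storage mounted on a work device
        if event == "usb_mount":
            alerts.append(("removable_storage", user, target))
        # Rule 3: data sent to a destination that is not on the allow-list
        if event == "upload" and target.split("/")[0] not in KNOWN_DESTINATIONS:
            alerts.append(("unknown_destination", user,
                           f"{rec['bytes']} bytes to {target}"))
        if event == "download":
            egress[(user, rec["ts"].date())] += rec["bytes"]
    # Rule 4: daily download volume far above the user's own baseline
    for (user, day), total in sorted(egress.items()):
        limit = DAILY_BASELINE.get(user, DEFAULT_BASELINE) * EGRESS_MULTIPLIER
        if total > limit:
            alerts.append(("data_egress_spike", user,
                           f"{total} bytes on {day} (limit {limit})"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOGS):
        print(f"[{rule}] {user}: {detail}")
```

Each rule is deliberately simple so that the "abnormal behaviour" definition the defence plan calls for lives in a few named constants that can be tuned per organisation.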

Reach Out to Us to Protect Your Critical Data

The average cost of insider threats increased by 31% between 2017 and 2019 and is estimated to be around $11.45 million. With this cost expected to rise over the years, having a trusted partner by your side to protect your data from all kinds of human threats can go a long way towards securing your business.

With our years of expertise in data security and storage, we can help you incorporate innovative strategies to protect your data. Give us a call today, and one of our specialists will be happy to discuss your needs and propose solutions tailored to your business. 

Article curated and used by permission.  

Data Sources:  

  • https://www.venafi.com/blog/7-data-breaches-caused-human-error-did-encryption-play-role 
  • Ponemon 2020 Cost of Insider Threats Global Report 
  • https://www.tessian.com/blog/insider-threat-statistics/#:~:text=According%20to%20one%20study%3A,for%2014%25%20of%20all%20incidents. 
  • https://www.justice.gov/opa/pr/chinese-national-charged-committing-theft-trade-secrets 
  • https://cybersecurityventures.com/60-percent-of-small-companies-close-within-6-months-of-being-hacked/


Securing Company Data With a Remote Workforce  

Securing Data with Remote Workforce
Photo by Sigmund on Unsplash

Reading Time: 4 Minutes
In 2018, BlueFace predicted that remote work would start competing with office work by 2025. Little did they know that the pandemic would accelerate this process tenfold. Businesses were thrown into the deep end when they had to suddenly switch to a fully remote workforce. While some adapted to the ‘new normal’ by taking immediate measures to deal with the shift, the vast majority were unprepared to manage such an enormous transformation.

Amid this chaos, a host of challenges emerged, with the biggest being the unprecedented surge in cyberattacks. Cybercriminals caught businesses in a state of panic and exploited their lack of preparation to wreak havoc worldwide. A survey by Barracuda found that 46% of global companies encountered at least one cybersecurity scare since moving to a remote working model during the lockdown.

Recommended Article: 8 Steps to Secure Remote Working in the Pandemic

With today’s decentralised work environments here to stay, it is imperative that you act proactively towards securing your business’ data from unauthorised access, accidental loss and wilful destruction.

Due to the threats emerging as a result of remote work, businesses need to adopt enterprise-class business continuity and disaster recovery solutions. Here’s why.

5 Reasons Why Your Remote Workforce Is a Prime Target for Cybercriminals

Remote work is making businesses uniquely vulnerable to cyberattacks. However, with the additional strain of the pandemic, the stakes have been raised significantly. Here are five reasons that make your remote workforce a darling of cybercriminals. 

  • Unsafe Home Networks: It goes without saying that remote workers logging in from their home networks pose a greater threat than on-site workers using their company’s secure network. Despite being aware of this quite apparent vulnerability, most businesses still tend to invest heavily in on-site security while cutting corners when it comes to securing remote work. 
  • Extended Vulnerabilities: When a significant chunk of work occurs over the internet, it opens up a Pandora’s box of threats targeting web services and applications. The greater the number of hazards, the higher the possibility of at least one threat penetrating the limited barriers securing remote work.
  • Challenges With Remediation: Infected or vulnerable machines need immediate technician attention, which is easy to accomplish in a conventional office environment. However, carrying out remediation efforts on remote endpoints presents a significant challenge, both in terms of access and structure, which are often not ideal. This makes it more likely for security to be compromised.
  • Limited Security: Most cybersecurity solutions don’t do such a good job securing remote endpoints as they do with in-house assets. This leaves the safety of remote devices, especially personal/BYOD devices, in the lurch.
  • Isolated Devices: Devices that have been updated with standard security settings that apply to all IT assets of a business are less vulnerable to security lapses. However, personal devices of employees used for company work do not hold the same security safeguards, making them an easy target.

Now that we have established why your remote workforce needs adequate protection, let’s find out what measures you can take to achieve it.

Securing Your Remote Workforce Promptly 

The longer you take to secure your remote workforce, the more you jeopardise the safety of your business’ mission-critical data.

Here’s a list of measures you must undertake immediately to secure your company data:

Cloud-Based Backup and Recovery: While managing an increasingly remote workforce, you must turn to a robust and reliable cloud backup platform that allows you to efficiently back up endpoint data and recover it whenever needed. 

Business Continuity and Disaster Recovery (BCDR): Formulate a comprehensive BCDR strategy immediately to ensure no incident grinds your business to a halt for a long time. Please remember to recalculate and revise your recovery objectives, given how remote work is now normalized.

Regular Recovery Testing: Implement a strategy to regularly test data recovery to ensure your data recovery solution does not give way when you need it the most. 

Safeguarding SaaS Data: Most businesses do not implement a strategy for securing SaaS data since they assume SaaS platforms secure it anyway. Unfortunately, that isn’t true. Your SaaS data is your responsibility, especially when most of your workforce will rely on SaaS applications while working remotely. While building a policy for it, you must also consider optimizing the storage for each user to ensure no data gets lost in transit. 

Awareness Training: 51% of businesses that responded to the Barracuda survey admitted that their workforce wasn’t proficient enough or adequately trained on cybersecurity risks associated with remote work. You must assess if this is also the case at your business and immediately develop a strategy to rectify it. The more aware your employees are, the more diligently they will follow backup policies. For more info, read Navigating Backups and Training in Unprecedented Times.

Ongoing Risk Management: Consider it a top priority to assess the potential risks your network and backed-up data are exposed to. Without this, any corrective action would seem futile. This will help you address your backup needs as soon as they emerge. 

We have several resources concerning Risk Management. If you’re looking for more info on this topic, we recommend starting with the article Managing your Technology Risk.

Undertaking these measures will not only tighten the security of your data but also help your business demonstrate compliance with data protection regulations that apply to your industry.

Tackling remote work-related threats and securing your business data isn’t as taxing as it seems when you have proper assistance and support. Our team will be happy to help. Contact us today to learn more directly from one of our specialists, who will look to understand your challenges and work on a plan tailored to your business. Book your no-commitment, 30-minute Discovery Call to find out what good looks like.

Thanks for reading. Feel free to visit our blog and social media for more exclusive content.


Data Sources: 

  • https://www.blueface.com/blog/infographic-2018-bct-report-key-takeaways/ 

How can SMEs Apply Zero Trust Cyber Security Practices?

Zero Trust Cyber Security Practices
Photo by FLY:D on Unsplash

Reading Time: 3 Minutes

Adopt Zero Trust Security for Your SMB

With the cyber threat landscape getting more complicated with every passing minute, cyber security deserves more attention than ever. Fully trusting applications, interfaces, networks, devices, traffic and users without authentication is no longer an option. Misjudging and misplacing your trust in a malicious entity can lead to severe breaches that can damage your business. Zero Trust Security practices, however, can go a long way towards helping small and medium-sized businesses minimize cyber security risks and prevent data breaches.

Zero Trust was introduced in 2010 by John Kindervag, a former Forrester analyst. The concept has since gained wide acclaim and approval as a trusted framework for cybersecurity. The Zero Trust approach trusts nothing within or outside its perimeter and insists on verifying everything attempting to connect to the company systems before granting access. In simple terms, the National Institute of Standards and Technology (NIST) refers to it as a “never trust, always verify” approach. 

Security Frameworks: NIST or ISO27001? Which one to choose?

Implementing Zero Trust Security within your business can help guard against data breaches, downtime, productivity loss, customer churn and reputation damage. Over 70% of companies planned for the deployment of Zero Trust in 2020, and it is even more critical for SMEs in an era where workforces and networks are becoming heavily distributed.

Three Misconceptions and Facts About Zero Trust Security

First Misconception: Zero Trust Security is only for enterprises. 

The Zero Trust cybersecurity framework is a proven counterthreat strategy. While it’s true that enterprises prioritise the protection of their data and networks by deploying the best solutions and approaches, SMEs must also protect sensitive data and networks.

Smaller companies might not have access to the fanciest solutions but can still take adequate measures to minimize internal and external vulnerabilities. Thus, Zero Trust Security isn’t just for enterprises. It is equally significant for SMEs as well.

Second Misconception: Zero Trust Security is too complex. 

By applying Zero Trust concepts at a scale that makes sense for your business, you will realize it isn’t as complex as you thought. Once you have the right policies, training and tools in place, the process becomes routine.

Third Misconception: The cost of implementing Zero Trust is too high.

Zero Trust adoption is operationally and economically feasible if you focus on your most critical applications and data sets first. To learn about the main aspects you should improve, we recommend performing a Gap Analysis.

Still Not Convinced?

Let’s look at a few statistics that should convince you of the seriousness of today’s cyber threat landscape as well as the need for a Zero Trust approach:

  • Human error causes close to 25% of data breaches – Unfortunately, you can’t completely mistrust an external network, nor can you fully trust even a single user within your network. 
  • Experts predict that ransomware attacks will occur every 11 seconds in 2021 – This gives you no time to be complacent. 
  • Over 40% of employees are expected to work from home post-pandemic – When this happens, many devices, users and resources will interact entirely outside the corporate perimeter. This increases the risk of an incident occurring. 
  • Phishing attacks have increased by over 60% since the pandemic started – To counter such a scenario, cybersecurity policies must be dynamic and adapt to address additional concerns. 

If you’re not equipped with a solid defence against cyberthreats, you may regret it later when a breach happens. Chances are, your current approach to cyber security comes short of stopping cybercriminals from accessing your network. The Zero Trust approach can change all that.

Adopting Zero Trust Security within your business does not mean throwing away your existing security tools and technologies. In fact, according to NIST, Zero Trust Security must incorporate existing security tools and technologies more systematically.

Build an effective Zero Trust model that encompasses governance policies — like giving users only the access needed to complete their tasks — and technologies such as:

  1. Multifactor authentication
  2. Identity and access management
  3. Risk management
  4. Analytics 
  5. Encryption
  6. Orchestration 
  7. Scoring 
  8. File-system permissions

Taking your business down the path of Zero Trust may not be easy, but it’s undoubtedly achievable and well worth it. Don’t worry about where and how to begin. With the right MSP partner by your side, your journey becomes easier and more likely to succeed. Contact us to get started.

Our specialists will be happy to provide advice and answer any doubts about technology and security you might have. Then we can outline priorities and develop a plan to bring you where you want to be.

Thanks for reading. Feel free to visit our blog and social media for more exclusive content.

Source:

  1. Solutionsreview.com 
  2. IBM 2020 Cost of Data Breach Report 
  3. JD SUPRA Knowledge Center 
  4. Gartner Report 
  5. Security Magazine Verizon Data Breach Digest

Compliance Standards: Is your business ready for HIPAA and PCI-DSS?

Photo by Markus Spiske on Unsplash

Reading Time: 3 Minutes
One of the many challenges you probably face as a business owner is dealing with the vague requirements present in HIPAA and PCI-DSS legislation. Due to the unclear regulatory messaging, “assuming” rather than “knowing” can land your organization in hot water with regulators.

Recommended Article – Governance: Understanding Guidelines, frameworks and standards

The Health and Human Services (HHS) Office for Civil Rights receives over 1,000 complaints and notifications of HIPAA violations every year. When it comes to PCI-DSS, close to 70% of businesses are non-compliant. While you might assume it’s okay if your business does not comply with HIPAA or PCI-DSS since many other companies are non-compliant as well, we can assure you it’s not. Keep in mind that being non-compliant puts you and your business at risk of being audited and fined.

Risks of Failing to Meet Minimum Compliance Requirements

Never take compliance lightly because non-compliance can lead to:

  1. Hefty penalties: HIPAA violations can draw fines ranging from $100 to $50,000 per violation, with a maximum fine of $1.5 million per calendar year of non-compliance. PCI-DSS can squeeze your budget too, with penalties ranging from $5,000 to $100,000 per month.
  2. Uninvited audits: Non-compliance can lead to unpleasant inspections and audits that can result in fines. 
  3. Denial of liability insurance claims: You must be extra careful while selecting solutions for your business. Using a single non-compliant solution can cause your insurance provider to deny a liability insurance claim. 
  4. Loss of business reputation: It takes years to build a reputation and just minutes to ruin it. Don’t let your business fall into the pit of non-compliance – it’s all under your control. 
  5. Imprisonment or even forced closure: In cases of severe non-compliance, regulatory bodies can sanction the arrest of top executives or even close the business.

First Step to Compliance: A Thorough and Accurate Risk Assessment

Are Your Existing Business Tools Compliant? 

If you are unsure where to start, assessing your business tools — cloud, VoIP, email service, electronic file-sharing service, applications, etc. — is an excellent first step.

Protecting your SAAS Data is your Responsibility – learn more with our article on the topic

If your main business activities are being performed within such tools, their standards will directly interfere with your compliance level. Here are a few ways to check your existing business tools for compliance: 

HIPAA

  • Does the tool use AES 256-bit encryption? It doesn’t matter if sensitive data, like electronic Protected Health Information (ePHI), is at rest or in transit. Encryption is required by HIPAA. (how does encryption work?)
  • A tool with proper access controls ensures those who genuinely need sensitive data can access it. What’s your tool’s access control policy?
  • Is there automatic log-off in place if no user activity is detected over a specified timeframe? HIPAA requires this in order to safeguard high-risk data. 

PCI-DSS

  • Were the default passwords during the initial setup changed after installation? PCI-DSS specifies the importance of changing passwords to keep threats at bay.
  • Are inactive user accounts removed or frozen after the warning period? Inactive accounts are easy targets for attacks. 
  • Does your tool store, retrieve or transmit cardholder information? If so, it must have the newly mandated version of the Transport Layer Security (TLS) protocol. 

These lists are not comprehensive and only scratch the surface. Also, none of the points mentioned above ensures the tool is HIPAA or PCI-DSS compliant. Just consider it a starting point.
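One way to turn the two checklists above into a repeatable audit over an inventory of tools, as an added example that is not part of the original article or any compliance standard’s official tooling. The inventory fields, the 90-day inactivity window used as the "warning period" and the TLS 1.2 floor are assumptions; as the text says, a clean result is a starting point, not proof of compliance.

```python
"""Checklist audit over a constructed inventory of business tools.

Added example, not the article's own material. Inventory fields, the
90-day inactivity window and the TLS 1.2 floor are assumptions.
"""
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)   # assumed warning period for idle accounts
MIN_TLS = (1, 2)                        # assumed TLS floor as (major, minor)
TODAY = date(2021, 6, 1)                # fixed date so the example is reproducible

# Constructed inventory; each entry is one tool's self-reported configuration.
INVENTORY = [
    {
        "name": "ClinicVoIP", "handles": {"ePHI"},
        "encryption": {"at_rest": "AES-256", "in_transit": "AES-256"},
        "access_control": "role-based", "auto_logoff_minutes": 15,
        "default_password_changed": True, "tls_version": "1.2",
        "accounts": {"dr.ng": date(2021, 5, 30), "temp.intern": date(2020, 12, 1)},
    },
    {
        "name": "OldPOS", "handles": {"cardholder"},
        "encryption": {"at_rest": "none", "in_transit": "AES-256"},
        "access_control": None, "auto_logoff_minutes": None,
        "default_password_changed": False, "tls_version": "1.0",
        "accounts": {"cashier1": date(2021, 5, 31)},
    },
]


def parse_tls(version):
    """'1.2' -> (1, 2); missing or unparsable values compare as (0, 0)."""
    try:
        major, minor = version.split(".")
        return int(major), int(minor)
    except (AttributeError, ValueError):
        return (0, 0)


def hipaa_findings(tool):
    """The three HIPAA questions from the checklist, applied to ePHI handlers."""
    findings = []
    if "ePHI" not in tool["handles"]:
        return findings
    enc = tool.get("encryption", {})
    for state in ("at_rest", "in_transit"):
        if enc.get(state) != "AES-256":
            findings.append(f"HIPAA: ePHI {state.replace('_', ' ')} is not AES-256 encrypted")
    if not tool.get("access_control"):
        findings.append("HIPAA: no documented access control policy")
    if not tool.get("auto_logoff_minutes"):
        findings.append("HIPAA: automatic log-off not configured")
    return findings


def pci_findings(tool):
    """Default-password and TLS questions, applied to cardholder-data handlers."""
    findings = []
    if "cardholder" not in tool["handles"]:
        return findings
    if not tool.get("default_password_changed"):
        findings.append("PCI-DSS: vendor default password still in use")
    if parse_tls(tool.get("tls_version")) < MIN_TLS:
        findings.append(f"PCI-DSS: TLS {tool.get('tls_version')} below assumed floor 1.2")
    return findings


def inactive_accounts(tool, today=TODAY):
    """Accounts whose last login is older than the assumed warning period."""
    return sorted(user for user, last in tool.get("accounts", {}).items()
                  if last is None or today - last > INACTIVITY_LIMIT)


def audit(inventory, today=TODAY):
    """Map tool name -> list of findings; an empty list means nothing flagged."""
    report = {}
    for tool in inventory:
        findings = hipaa_findings(tool) + pci_findings(tool)
        stale = inactive_accounts(tool, today)
        if stale:
            findings.append("Inactive accounts not disabled: " + ", ".join(stale))
        report[tool["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", findings or "no findings")
```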

If you’re confused about what your next steps should be, don’t worry. We’re here to help.

Use our expertise in compliance matters to conduct a comprehensive assessment of your business’s current state of compliance. We call this the Gap Analysis, and with it, you’ll have a clear understanding of where you are and what is missing to reach your goals.

This analysis also covers the cybersecurity and technology perspective, both crucial for business success in the long run. Talk to us now to learn more.


Sources: 

  1. National Library of Medicine 
  2. Help Net Security Magazine 
  3. Security Boulevard 


How Backup and Disaster Recovery Protects SMEs 

Photo by DocuSign on Unsplash

Reading Time: 3 Minutes
Many SMBs operate with a sense of unrealistic optimism when it comes to data loss and disaster recovery. However, the reality can be quite different and negatively affect your business if you’re not vigilant. As the rate of digitalization increases, so does the risk of data loss. Can your business afford a data-loss incident?

It doesn’t matter if data loss happens because of human error, cyberattack or natural disaster. It can have far-reaching consequences such as:

  1. Severe downtime: For SMBs, per-hour downtime costs vary from $10,000 to $50,000 [1].
  2. Damage to reputation: One-third of customers will end their association with a business following a severe data loss.
  3. Regulatory penalties: Failure to protect data can draw penalties worth 2% to 4% or more of company turnover.
  4. Permanent closure: Some businesses are unable to recover from an incident and close permanently.

Navigating Backups and Training During Unprecedented Times

Prioritising backup and disaster recovery for your business is very important. A comprehensive backup and disaster recovery solution provides secure, uninterrupted backup and quick data recovery — with a cloud-based architecture that ensures the company runs seamlessly in the event of a disaster. 

Key Terms Used in Backup and Disaster Recovery 

The following terms will give you an idea about the type of actions and processes you should aim to implement within your business:

Minimum Business Continuity Objective (MBCO) 

MBCO signifies the minimum level of output needed after severe disruption to achieve business objectives. It is the minimum acceptable level of products or services that must be provided during a disaster. Articulated correctly, the MBCO gives guidance on what should be recovered as a priority and how extensive the recovery should be.

Business Continuity – why it matters during Covid 19

Maximum Tolerable Period of Disruption (MTPD)

MTPD is the duration after which the impact on a business caused by disrupting critical services and products becomes intolerably severe. This has to be well discussed and agreed upon with your service provider to ensure your expectations will be met when a disaster strikes.

Visit our Downtime Calculator on our Resources Page to estimate how much each hour of downtime would cost you. 

Recovery Time Objective (RTO)

RTO is the time it takes before employees can start working again after a disruptive event. It is usually measured in minutes and derives directly from the MTPD: the RTO must be shorter than the MTPD, otherwise recovery arrives too late.

Recovery Point Objective (RPO) 

RPO is the maximum amount of work, measured as a span of time, that can be lost and will need to be redone after a data-loss event. It is usually measured in seconds. The shorter this window, the better, as it means less data will be lost.
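To make these three objectives measurable, here is an added example (not from the original article or any Spector tool) that parses a constructed backup job log, measures the worst-case RPO actually achieved, and checks the agreed RTO against the MTPD; the log format and the objective values are assumptions for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
	"time"
)

// BackupRun is one completed backup job parsed from a job log.
type BackupRun struct {
	FinishedAt time.Time
	Succeeded  bool
}

// ParseBackupLog reads lines of the form "<RFC3339 time> <OK|FAIL>" (a constructed
// format for this example, not any particular product's) and returns the runs in order.
func ParseBackupLog(log string) ([]BackupRun, error) {
	var runs []BackupRun
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, err
		}
		runs = append(runs, BackupRun{FinishedAt: t, Succeeded: fields[1] == "OK"})
	}
	return runs, sc.Err()
}

// WorstCaseRPO is the longest stretch between consecutive successful backups.
// If a loss event strikes just before a backup completes, everything since the
// previous successful one is gone, so this gap is the RPO you really achieved,
// whatever the schedule promised. Failed runs do not count: they protect nothing.
func WorstCaseRPO(runs []BackupRun) (time.Duration, error) {
	var worst time.Duration
	var last *time.Time
	successes := 0
	for i := range runs {
		if !runs[i].Succeeded {
			continue
		}
		successes++
		if last != nil {
			if gap := runs[i].FinishedAt.Sub(*last); gap > worst {
				worst = gap
			}
		}
		last = &runs[i].FinishedAt
	}
	if successes < 2 {
		return 0, errors.New("need at least two successful backups to measure a gap")
	}
	return worst, nil
}

// Objectives are the targets the business agreed with its provider.
type Objectives struct {
	MTPD      time.Duration // outage length beyond which the damage is intolerable
	RTO       time.Duration // promised time until staff can work again
	TargetRPO time.Duration // promised maximum data loss
}

// Evaluate reports which objectives hold: the RTO must sit inside the MTPD, and the
// measured worst-case RPO must not exceed the promised one.
func Evaluate(obj Objectives, runs []BackupRun) (rtoOK, rpoOK bool, measuredRPO time.Duration, err error) {
	measuredRPO, err = WorstCaseRPO(runs)
	if err != nil {
		return false, false, 0, err
	}
	return obj.RTO <= obj.MTPD, measuredRPO <= obj.TargetRPO, measuredRPO, nil
}

// SampleLog is a constructed job log: nightly 02:00 backups, with the 3 March run failing.
const SampleLog = `
2021-03-01T02:00:00Z OK
2021-03-02T02:00:00Z OK
2021-03-03T02:00:00Z FAIL
2021-03-04T02:00:00Z OK
2021-03-05T02:00:00Z OK
`

func main() {
	runs, err := ParseBackupLog(SampleLog)
	if err != nil {
		panic(err)
	}
	obj := Objectives{MTPD: 8 * time.Hour, RTO: 4 * time.Hour, TargetRPO: 24 * time.Hour}
	rtoOK, rpoOK, rpo, err := Evaluate(obj, runs)
	if err != nil {
		panic(err)
	}
	fmt.Printf("RTO within MTPD: %v\n", rtoOK)
	// The single failed night silently doubles the real RPO to 48h against a 24h promise.
	fmt.Printf("worst-case RPO %v, target %v, met: %v\n", rpo, obj.TargetRPO, rpoOK)
}
```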

Photo by Andrea Davis on Unsplash

Deploy Backup and Disaster Recovery Today

Having an effective backup and disaster recovery solution provides several benefits. Here are the top six: 

1. Stay protected against natural disasters

The first half of 2020 alone had close to 200 reported natural disasters. While it’s impossible to stop a natural disaster, you can ensure your data is protected and take the necessary measures to prevent downtime. 

2. Minimize the impact of a cyberattack

With the rate of cyberattacks going through the roof and SMEs being a constant target of attacks, it is essential to have a robust backup and disaster recovery solution to protect your business.

3. Safeguard sensitive data

If your business handles sensitive data like Personally Identifiable Information (PII), measures should be taken to ensure it never ends up in the wrong hands. Safeguarding all critical data can build your business’s reputation and prevent regulatory penalties.

4. Quick recovery

It doesn’t matter how disaster strikes. What matters is how quickly your business bounces back. A good backup and disaster recovery solution helps you get up and running as soon as possible. 

5. Reduce the impact of human error

From accidental or intentional misdelivery or deletion to corruption of data, employees can pose a security threat to your business. Deploying backup and disaster recovery is, therefore, crucial. You must also train your employees on the difference between acceptable and unacceptable behaviour.

6. Tackle system failure

Unexpected system failure can lead to downtime if you don’t equip your business with backup and disaster recovery.

Remember, it’s your responsibility to protect your business from data loss and its chaotic aftereffects. If you can’t handle this alone, don’t worry. We’re here for you. With our backup and disaster recovery solutions, we can help build a resilient strategy to protect your business against data loss and give you much-needed peace of mind in the event of a disaster.  

Get in touch today and our specialists will be happy to assist in all things technology, GRC and cyber security.

 

Article curated and used by permission. 

Sources: 

  1. TechRadar 
  2. IDC Report 
  3. GDPR Associates 

Encryption Explained – A Clear and Simple Guide

Encryption Explained - A basic and clear guide
Photo by Markus Spiske on Unsplash

Reading Time: 6 Minutes
The science of encryption has been the answer to the fundamental human need to conceal and protect sensitive information from prying eyes. Although the technology has changed drastically over the ages, the fundamental concept behind encryption has remained unchanged: the original information is substituted with codes that can be deciphered only by authorised parties.

From the first hieroglyphics of Ancient Egypt appearing almost 4000 years ago and the Scytale used by the Spartan military in 700 BC, to Thomas Jefferson’s Jefferson wheel in 1797 or the Enigma machine popularized by the Nazis during the second world war, encryption has taken different forms over the centuries.

However, one of the major breakthroughs that continues to inspire the modern-day science of encryption came in 1961, when MIT’s CTSS (Compatible Time-Sharing System) introduced the first username-and-password method of user authentication.

What can a cyber security company do for my business?

Some of the more recent developments in encryption technology include the introduction of AES (Advanced Encryption Standard) in 1997, the launch of reCAPTCHA in 2007 and the emergence of personal data lockers in 2012, all of which are widely used to this day.

What Distinguishes Encryption from Cryptography

To fully understand encryption, we must first define its parent category: cryptography. Although often confused with each other, encryption and cryptography are inherently different. We have put together the following list to demonstrate what sets the two apart: 

Cryptography is: 

  • The practice of securing sensitive information by converting it into a protected format for transmission across insecure networks.
  • A field of study concerned with creating codes through the application of encryption and decryption techniques.
  • Applied widely in digital currencies, electronic commerce, chip-based card payments and military communications.

Encryption is:

  • Described as the primary application of cryptography and involves concealing confidential data in a way that renders it unintelligible for unauthorized users. 
  • The process of encoding a piece of information using an algorithm to encrypt it and a secret key to decrypt it.
  • A critical aspect of modern data security. It is used for securing digital signatures and the data stored on smartphones and other mobile devices. It is widely used for safeguarding confidential electronic data, including emails, folders, drives and files.  

Types of Encryption You Must Know About

There are two main ways in which data encryption is carried out today, namely shared secret encryption (symmetric cryptography) and public key encryption (asymmetric cryptography).  

Shared Secret Encryption

As the name suggests, this form of encryption employs a single secret key that is required to encode the data into unintelligible gibberish. The intended receiver can then use the same secret key (shared by the sender) to decrypt and decipher the data at their end.  

Since it uses a single shared key, symmetric encryption is faster than asymmetric cryptography. However, because that secret key has to be shared between the sender and the receiver, there is a real risk of hackers intercepting the key in transit and gaining unauthorised access to the encrypted information.

Public Key Encryption

Asymmetric cryptography, or public-key encryption, uses a pair of keys, one public and the other private. While the public key is used to encrypt the message, the receiver must use their private key to decrypt it at their end.

The fact that there is no prior exchange of secret keys for decryption makes public key encryption more secure than shared secret encryption.

Cyberthreats and Security Risks to Data Protection & Privacy on the Rise

According to the latest report by the Ponemon Institute, the average cost of a data breach is $3.86 million globally. These costs can almost double when broken down by country, industry or business size, jumping to an average of $8.64 million in the United States or $7.13 million for the healthcare industry.

The report points out that 80% of the data breaches included records containing customer PII (personally identifiable information). The study determined that the average cost of each compromised record was $150 and discovered that over 39% of the total cost of a data breach resulted from lost business.

Ransomware Equals a Data Breach

You might be wondering how this impacts you. It means a single data breach could take a significant bite out of your company’s profits and could also leave your brand reputation tarnished or irreparably damaged.

Intriguingly, the same report also highlights that extensive data encryption can be a critical factor in mitigating the costs of a breach, by as much as $237,176.

Most businesses, like yours, deal with loads of sensitive data every single day. Unless adequately secured, this confidential data can be exposed to the risk of being accessed by unauthorized users. Although no business is entirely immune to security breaches, implementing data encryption is your best bet when it comes to protecting your confidential information and safeguarding your reputation as well. 

Multi-Factor Authentication

Backup Encryption is the Way to Go  

With multinational enterprises like Target, Yahoo and Equifax suffering major data breaches in the not-so-distant past, you can never be sure that your privacy is not at stake. With that in mind, it is worth noting that along with encrypting their original data, many users are now also opting to encrypt their data backups. Here’s some food for thought for those of you still mulling over whether you need backup encryption:

Pros of Encrypting Your Backups  

  • Encrypting the backup data stored on a local hard drive can prevent unauthorized access to private information in the event of a theft.
  • Most businesses today have moved to the cloud for storage of backup data. However, data stored in the cloud is not as secure as you might think. Encrypting the backup data you store in the cloud is an excellent strategy for strengthening your cybersecurity stance.
  • Since the cloud services provider controls the backups stored on its platform, encrypting them helps secure the data against unauthorised access by the service provider itself.
  • Lastly, by encrypting your backups, you can enjoy peace of mind knowing that every last piece of data associated with your business is fully encrypted and secure.

Navigating Backups and Training During Unprecedented Times

Cons of Encrypting Your Backups

While data encryption is designed primarily to benefit the user and rarely has any drawbacks when properly implemented, one of the risks associated with encrypting your backup data is losing the decryption key. You need to keep your decryption key secure (just like your other passwords) and handy for easy access to your data backups.

Implement Data Encryption Now to Ward Off Cyberattacks

We have compiled a list of our three main reasons why data encryption is imperative for your business:

It is the Last Line of Defense 

Cyberattacks such as phishing and social engineering, which thrive on human error or negligence, can be effectively thwarted with the help of encryption. Even if an attacker manages to get inside your network, they cannot access the encrypted data without the decryption key.

It Protects Your Data on the Go 

With the concept of the workplace becoming more fluid, data stored on portable devices such as tablets, USB flash drives, laptops and smartphones becomes especially vulnerable to cyberattacks as soon as the device leaves the office network. Encrypting this data is the safest way to ensure that even if your device gets stolen, the data will remain unintelligible and unreadable without a decryption key.

It Helps You Stay Compliant 

In a world where you need to stay compliant with laws and regulations to steer clear of hefty penalties, implementing data encryption is a great option to protect your critical data from cyberthreats and abide by the applicable compliance standards. For instance, the European Union’s General Data Protection Regulation (GDPR) recommends encryption as an effective tool against breaches.

Now is the Time to Invest in Encryption Technology

Cybersecurity is one of the most integral aspects of running a business in the modern world, and encryption is one of the most effective strategies that you can deploy to bolster the integrity of your sensitive data against malicious attacks.

Want to know more about how you can leverage encryption to secure your business? Get in touch with us today! Our specialists will be happy to advise in preparing your business with the best systems available in the market.

Want to learn more about Cyber Security? Our blog is full of helpful articles on the topic.

First Step to Compliance: A Thorough and Accurate Risk Assessment

First Step for Compliance
Photo by Long Phan on Unsplash

Reading Time: 3 Minutes
Complying with data privacy and protection regulations wouldn’t give several business owners sleepless nights if it only meant installing a predefined list of security solutions. Compliance goes way beyond this, and for good reasons. In principle, regulators, local or international, want businesses to:

  • Assess the type of data they store and manage 
  • Gauge the potential risks the data is exposed to 
  • List the remediation efforts needed to mitigate the risks
  • Undertake necessary remediation efforts regularly 
  • And most importantly, document every single step of this seemingly arduous process as evidence 

Each of the above steps is mandatory and non-negotiable. A closer look will tell you that installing a list of expensive security solutions comes only after the first three steps in the process have been followed. Skipping these initial steps and acting on assumptions alone is tantamount to leaving your business’ future to chance. It’s anyone’s guess what that would lead to.

To get started in compliance, it’s crucial to Understand and Calculate Organisational Risk.

That’s why we’re going to explain to you why a thorough and accurate risk assessment is truly the first step towards achieving compliance. Moreover, when repeated regularly, it can help you demonstrate continuous compliance while keeping cyber threats at bay.

Security Risk Assessments Unearth Crucial Insights 

A thorough and accurate risk assessment can unearth a host of crucial insights from even the deepest and darkest alleys of your IT environment to ultimately empower your decision making. Having actionable insights at your disposal can help you build strategies to reduce risk levels in practical ways instead of shooting in the dark by testing various tools. 

Here are some of the essential details that become more apparent and unambiguous with every risk assessment. 

The Baseline of the System
A risk assessment helps you chart out the lifecycle of all data that is collected, stored and managed in your entire network. 

Identification of Threats
A detailed risk assessment identifies all the possible threats, such as intentional, unintentional, technical, non-technical and structural, that your business data is exposed to.  

Identification of Vulnerabilities
With each assessment, you get the latest list of vulnerabilities prevalent in your network concerning patches, policies, procedures, software, equipment and more. 

Current Status of Existing Controls
From the assessment report, you can also understand the existing security and privacy controls protecting your business against vulnerabilities. 

Related: Learn how to create an Asset Register and Risk Register.

Probability of Impact
An accurate assessment report estimates the probability that a threat will exploit one of your network’s existing vulnerabilities.

Strength of Impact
Risk assessment also helps you gauge the possible impact of any threat hitting your business. 

Imagine how easy it would be for you to build and implement a strategy to fix the security loopholes in your business while maintaining a well-documented record of your efforts. 

Why Risk Assessment Is Needed for Compliance 

While assessing whether you did everything in your capacity to ensure full compliance with the regulations, you also need to keep in mind that a regulator seeks evidence of compliance – documented reports. Besides helping you chart a successful path to compliance, a thorough risk assessment adds significant weight to demonstrating evidence of compliance. When you present the risk assessment reports along with other documentation, you demonstrate how your business carried out due diligence in upholding principles of data privacy and protection.

Learn more in our article: Gathering evidence to prove compliance.

Please remember that no regulator expects you to have a fail-safe strategy. What matters is uncompromising intent, informed action and undeterred consistency. If you can demonstrate all this, you will most likely avoid any punitive action, as well as a long list of problems that could surface afterwards. 

Help Is Just a Conversation Away 

Contrary to what is often claimed, there are no shortcuts to compliance or to any of the steps that lead to it. At the outset, achieving compliance might seem gruelling. However, it isn’t as bad as it looks when due process is followed and expert guidance is sought.

A conversation with us is all you need so we can help you walk through the complexities of risk assessment with diligent and customised guidance. Get in touch today to receive specialised advice.

Looking for more info on risk management? We have many articles addressing this topic in the Compliance section of our blog. Check it out and let us know if it brought more clarity to your business.

Navigating Backups and Training During Unprecedented Times 

Navigating during unprecedented times - backup and security awareness training
Photo by Heidi Fin on Unsplash

Reading Time: 3 Minutes
The surge in cybercrime against businesses during the COVID-19 pandemic showed how adaptable cybercriminals are, ready to twist any situation into profit at a business’ expense. Remember that it could happen to any organisation, including yours, if you do not arm your business with a robust backup solution and periodic security awareness training.

It’s alarming that phishing shot up by 67% since the start of the pandemic. Initially, when this turn of events stunned the world and businesses struggled to adapt to the new normal, hackers pretending to be the World Health Organization (WHO) duped people into clicking on malicious links or sharing sensitive information. Such tricks, if not tackled, can easily breach your business network and lead to disaster, exposing invaluable data.

8 Steps to secure remote working for the Covid 19 lockdown 

For instance, in November 2020, the Internal Revenue Service (IRS) in the USA issued a warning regarding an SMS-based phishing scam through which hackers cheated citizens in the name of a ‘COVID-19 TREAS FUND’. When someone clicked on the link provided, they were redirected to a website identical to www.irs.gov, and the site collected their data. This scam is just the tip of the iceberg of phishing scams that unfurled in 2020.

Cyber security awareness is vital. What if one of your employees fell prey to such a scam? A careless mistake like that could result in a successful cyberattack on your business that can have severe repercussions like data loss, downtime, hefty penalties, lawsuits or even permanent closure.  

The sudden appearance of COVID-19 caused a sense of panic among businesses. With the virus spreading like wildfire, the work-from-home model was the only available option to maintain a safe working environment. However, the unprecedented scale of remote work has endangered the security of several businesses, including yours. If you do not fix the gap between the preparedness and efficacy of your backup and security defences, data loss might be the first of many problems you could face.

Why Backups and Security Awareness Training Matter

Backups can be a lifesaver for your business by protecting your valuable business data from being deleted or altered by malicious cybercriminals. Although the pandemic acted as a catalyst for backup adoption, only 41% of businesses back up their data at least once a day. That is not a very healthy practice, and you must make sure proper policy development, regular testing and continual reviews fuel your backup strategy.

Backups are part of a broader Disaster Recovery strategy. Read Does my SME need Disaster Recovery? to learn more.

Besides protecting your sensitive data, backups can help reduce severe downtime, improve your business’ reputation and act as a single access point for your entire database.


Even if you have all your backups in order, a negligent employee can still be a threat to your business data. In 2020, the San Jose Federal Court convicted an employee from a global MNC for carelessly deleting business-sensitive data. Thus, the only way to tackle the factor of human error is through regular security awareness training.

For more details on security training, read: Employees are your biggest cyber security risk

Always bear in mind that backups and security awareness training are equally important when it comes to your business successfully warding off cyberattacks that can result in downtime, data loss and more. Selecting one over the other can dilute your business’ counter-threat strategy. Undoubtedly, by meticulously implementing a robust backup and regular security awareness training, your business can deal with harsh times like the current pandemic as well as cyber threats that exploit such difficult periods. 

Empower Your Business Now 

If there’s one lesson the pandemic has taught businesses, it’s that it’s better to be safe than sorry. The business world is at a critical juncture, and your proactive approach can make or break your business’ future. While a world without cybercriminals would be great, such a utopian world unfortunately does not exist. The only way forward is through the smart implementation of the best strategies to protect your business data, processes, systems and people. And for that, you must empower your business by integrating backups and comprehensive security awareness training.

Remember, you don’t have to take the first step to a safer tomorrow alone. The right partner by your side can make your journey easier and more successful. It all begins with a simple email to us. Get in touch today.

 


Ransomware Equals a Data Breach

Ransomware Equals Data Breach
Photo by Charles Deluvio on Unsplash

Reading Time: 3 Minutes
From a data regulator’s perspective, it is the responsibility of your business to keep data safe from cyber threats, inform clients about a breach within a stipulated period and provide necessary documentation as proof of your efforts. Although different regulations have laid down separate mandates for breach notifications, the principle remains intact.  

While there is an overarching belief that data isn’t really “stolen” in a ransomware breach, no organisation hit with ransomware has been able to back this up as fact. That’s why compliance regulations such as HIPAA, GDPR and CCPA, among others, mandate businesses to notify their clients if their data is in jeopardy.

Learn more about Ransomware and how to avoid it in our complete guide. 

Many businesses, however, tend to operate in something of a ‘grey area’ when it comes to notifying their stakeholders about data breaches. In this blog, we’ll tell you why going down this route can backfire and why your business needs to adopt an inclusive approach that combines the best of cybersecurity and compliance.  

The Grey Area of Notifying Customers about a Data Breach

An increasing number of businesses seem to think that not all ransomware attacks need to be reported, since not all hackers can decrypt the data they have encrypted themselves. They assume that only in sophisticated attacks do hackers possess the skills to encrypt, exfiltrate and misuse data, and only in such cases do they accept that a breach has occurred and is hence reportable.

However, this assumption is dangerous for two reasons. First, with enhanced ransomware-as-a-service tools readily available in the market, even a hacker with minimal skills can catch you off guard and wreak havoc. Second, regulatory agencies perceive the situation differently.

Having IT security controls in place will minimise your risk. Learn more in this article.

For example, as per HIPAA’s Privacy Rule, the U.S. Department of Health and Human Services has advised companies to assume that ransomed data contains Personal Health Information, even in “low probability” cases. In fact, some state data breach notification regulations mandate businesses to notify customers even in the case of “unauthorised access” without the need to prove that personal data was stolen. 

Why Businesses Choose Silence Over Breach Notification

Accepting a data breach of any kind isn’t easy for any business due to the severe financial and reputational repercussions. But there are other reasons why companies choose to stay quiet.

Inability to Comply With Data Breach Notification Norms

As rudimentary as it may seem, most businesses lack the ability to adhere to breach notification norms set by several regulations worldwide. Even if a company avoids reporting a ransomware attack, failing to notify its customers or clients on time will still invite stringent action from regulators.  

GDPR – the European Union’s data privacy and protection regulation – has set a 72-hour deadline to report the nature of a breach and the approximate number of data subjects affected. From the moment a business’ IT team establishes, with a level of certainty, that a violation has occurred, the clock starts ticking.

Is your business capable of adhering to such norms?

Secure Remote Working

The ‘Victim Versus Victimizer’ Perception

Let’s assume a business reported a ransomware breach to its stakeholders and the relevant authorities. On one hand, the law enforcement agencies investigating the matter would perceive the business as a victim, even if it paid the ransom, while on the other hand, the regulators might deem the business to be the victimiser of its customers for failing to protect their data. 

If the business is found to be non-compliant with the necessary security mandates after an audit, the regulators will take punitive action after assessing a list of factors. Sony Pictures faced a similar scenario in 2014 after a security breach that impacted some of its employees.

Reputational Damage

A staggering 78% of people stop engaging with a brand online following a data breach. While your business could still recover from the financial damage caused by ransomware-induced downtime, rebuilding its reputation and regaining the trust of your customers is a long, tedious and, more often than not, futile process. This is one of the main reasons why businesses abstain from reporting a ransomware breach. 

In these situations, having a Disaster Recovery strategy in place could be life-saving for a business.

You Need to Cover Both Ends

While there isn’t a 100% fail-safe strategy to avoid cybersecurity attacks such as ransomware, your business can undoubtedly demonstrate its commitment to preventing security breaches or data loss incidents. This is exactly what compliance regulators, as well as your key stakeholders, look for – how proactively your business can mitigate risk and handle the aftermath of a breach while also adhering to applicable regulations. 

Adopting an inclusive approach that involves the best of cybersecurity and compliance is a step in the right direction. Partnering with an experienced MSP that has a track record of protecting businesses from sophisticated cybersecurity threats and non-compliance risks will greatly benefit your business.

Schedule a call with us today and let us help you proactively meet all your cybersecurity and compliance needs. Our specialists will be happy to explain how we do things and develop a strategy tailored to your business.

Ransomware Explained – The Cybercrime that has struck the HSE

Ransomware Cyber Attack hits HSE Ireland

By: Mark Hurley
Reading Time: 6 Minutes
Recently, the HSE – the Irish Health Service Executive – and the Department of Health were struck by a ransomware attack that shocked the country and made news everywhere. We want to explain how such an attack was made possible and how you can protect your business from one. Keep in mind that small and medium organisations are the main targets for cybercriminals today, mainly because of their lack of awareness and protection.

In today’s article, we explain what ransomware is, how it happens, and a few basic methods to avoid it. If you’re looking for a fully detailed guide, including information on the best tools and procedures to protect your business, we have it at this link: What is Ransomware and How to Avoid it – The Complete Guide.

What is Ransomware

A successful ransomware attack can be devastating to a business. Organisations caught unprepared could be left with the choice between paying a ransom demand and entirely writing off the stolen data. 

In our day-to-day cyber security practice, we perform many assessments with new and potential clients. Among this wide variety of professional companies, we find a very different understanding of the threat Ransomware poses to their businesses.

There are the unknowledgeable optimists that believe it will never happen to them. Clearly, this is not a recommended stance.

There are also the informed optimists that believe they have all angles of protection covered. That may or may not be the case. Assumptions can be dangerous. 

Finally, there are the affected pessimists – the ones who have suffered a ransomware attack and for whom it may be too late. We receive calls from complete strangers asking how to deal with a ransomware hit. We always ask the same two questions: do you have a backup, and do you carry Cyber Liability Insurance? The silence at the other end of the phone can be deafening.

Whichever of these groups you belong to, it is vital to become informed and engage with preventative measures. That way, you can plan for the worst outcomes so your business can continue to thrive after such an attack.  

The purpose of this article is to provide that information and to provide some of the measures required to both prepare and recover if your business is impacted by a ransomware attack. 

Ransomware is a multibillion dollar criminal enterprise executed by Cyber Criminals to disrupt access to your systems, business, and personal information. It is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim in exchange for restoring access to the data.


Once infected, the attackers demand a ransom (generally in Bitcoin) to liberate access to your data and critical business systems. Worryingly, this activity is on the rise at an exponential rate. Research suggests that in 2020 a new organisation was hit by a ransomware attack every 14 seconds and that Ransomware incidence increased 50% in Q3 in 2020 alone.

Adding insult to injury, the Cyber Criminals are leveraging the current Covid crisis to target vulnerable remote workers and infect susceptible organisations. Cybersecurity Ventures predicts that ransomware damage will exceed $20 billion by 2021. It is so effective because it takes many guises. You must be aware of all of them to protect your data and your entire network effectively.

Case Study: The NHS

The HSE attack was not the first time cybercriminals targeted healthcare organisations. A famous example of ransomware is the WannaCry attack of May 2017. This was a piece of malware that infected over 230,000 computers across 150 countries within a single day. It encrypted all files it found on a device.

WannaCry mainly affected large organisations, the National Health Service in the UK being one of the highest-profile targets. Surprisingly, the attack’s impact in the UK was lower than it could have been, because it was stopped quickly and it did not target extremely critical infrastructure, like railways or nuclear power plants. However, economic losses from the attack were still estimated to be over 90 million pounds for the UK alone and about 6 billion pounds worldwide.

In September 2019, 22 cities in Texas were hit with ransomware. The attackers demanded $2.5 million to restore encrypted files, leading to a federal investigation. Moreover, ransomware is especially prevalent in financial and healthcare organisations, with cyber-criminals targeting 90% of these businesses last year.

How Does Ransomware Happen?

Ransomware begins with malicious software being downloaded by an unwary person through an infected email or link onto their computer or smart device.

Once Ransomware infects an endpoint, it will run free wherever it has access. In seconds, the malicious software takes over critical processes on the device and then searches for files to encrypt, meaning all the data within them becomes inaccessible.

The ransomware will then infect any other hard drives, network-attached devices, etc., taking out everything in its path – including backups.

This entire process happens extremely quickly. In just a few minutes, the device will display a message that looks like this:  

Figure 1: WannaCry ransomware attack instructions screen

This is the message that was displayed to users infected with the WannaCry ransomware. As you can see, it’s a ‘cyber blackmail’ note. Users are informed that they have been locked out of their files and must pay to regain access.
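The sequence just described (a process rapidly rewriting files under a new extension, then dropping a note) is also what a defender can watch for. The following is an added illustration, not code from the original article or from any product it mentions: it scores a time-ordered stream of file-system events the way an endpoint-monitoring rule might, alerting on a burst of extension-changing renames inside a short window and on a written file whose name resembles a ransom note. The event shape, the note-name hints, the thresholds and the sample events are all constructed assumptions.

```python
"""Behavioural ransomware indicator over file-activity events (added example)."""
from collections import Counter, deque
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: float                       # seconds since epoch (constructed clock)
    action: str                     # "write" or "rename"
    path: str                       # path after the action
    old_path: Optional[str] = None  # previous path, for renames


# Words that commonly appear in ransom-note file names (assumption).
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "how_to")


def looks_like_ransom_note(path: str) -> bool:
    name = PurePosixPath(path).name.lower()
    return name.endswith((".txt", ".html", ".hta")) and any(h in name for h in RANSOM_NOTE_HINTS)


def extension_change(ev: FileEvent) -> Optional[str]:
    """New extension if a rename changed it, else None (ordinary renames are ignored)."""
    if ev.action != "rename" or ev.old_path is None:
        return None
    new_ext = PurePosixPath(ev.path).suffix.lower()
    old_ext = PurePosixPath(ev.old_path).suffix.lower()
    return new_ext if new_ext and new_ext != old_ext else None


def detect_encryption_burst(events: List[FileEvent], window_s: float = 10.0,
                            min_files: int = 20, min_ext_share: float = 0.8) -> List[Dict]:
    """Sliding window: alert when >= min_files extension-changing renames land within
    window_s seconds and >= min_ext_share of them share the same new extension."""
    alerts: List[Dict] = []
    window = deque()                 # (ts, new_ext) for events still inside the window
    ext_counts: Counter = Counter()
    suppress_until = float("-inf")   # one alert per burst, not one per event
    for ev in sorted(events, key=lambda e: e.ts):
        ext = extension_change(ev)
        if ext is None:
            continue
        window.append((ev.ts, ext))
        ext_counts[ext] += 1
        while window and ev.ts - window[0][0] > window_s:
            _, old_ext = window.popleft()
            ext_counts[old_ext] -= 1
        total = len(window)
        if total >= min_files and ev.ts > suppress_until:
            top_ext, top_n = ext_counts.most_common(1)[0]
            if top_n / total >= min_ext_share:
                alerts.append({"start": window[0][0], "end": ev.ts, "ext": top_ext, "count": total})
                suppress_until = ev.ts + window_s
    return alerts


def find_ransom_notes(events: List[FileEvent]) -> List[str]:
    return sorted({ev.path for ev in events if ev.action == "write" and looks_like_ransom_note(ev.path)})


def assess(events: List[FileEvent]) -> Dict:
    """Combine both indicators into a single severity for the response team."""
    bursts = detect_encryption_burst(events)
    notes = find_ransom_notes(events)
    if bursts and notes:
        severity = "critical"
    elif bursts:
        severity = "high"
    elif notes:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "bursts": bursts, "ransom_notes": notes}


def sample_events() -> List[FileEvent]:
    """Constructed stream: normal activity, then 40 files renamed to .locked within
    four seconds, then a ransom note written to the share."""
    base = 1_700_000_000.0
    evs = [
        FileEvent(base + 0, "write", "/shares/finance/q3.xlsx"),
        FileEvent(base + 45, "write", "/shares/hr/handbook.docx"),
        FileEvent(base + 90, "rename", "/shares/hr/handbook_v2.docx", "/shares/hr/handbook.docx"),
    ]
    t = base + 300
    for i in range(40):
        src = f"/shares/finance/report_{i}.docx"
        evs.append(FileEvent(t + i * 0.1, "rename", src + ".locked", src))
    evs.append(FileEvent(t + 5, "write", "/shares/finance/README_DECRYPT_FILES.txt"))
    return evs


if __name__ == "__main__":
    print(assess(sample_events())["severity"])  # critical
```

The thresholds are deliberately coarse: an ordinary user renaming a handful of files never reaches twenty extension changes in ten seconds, while the first few seconds of an encryption run do, which is why endpoint products raise this class of alert before the whole share is gone.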

The people within your organisation are often your most significant security risk. The major issue here is a lack of awareness and staff education about security threats. Many people are unaware of what threats look like and what they should avoid downloading, leaving you open to risk. 

There has been a massive growth in Security Awareness Training platforms, which train users about the risks they face online, at work, and at home. Awareness Training teaches users what a suspicious email looks like and the best security practices to follow to stop ransomware, such as ensuring their endpoints are updated with the latest security software. Security Awareness Training solutions typically also provide phishing simulation technologies.

It may not seem obvious, but identity theft lies at the core of many backdoor Ransomware attacks. Hackers use administrative and other accounts to gain a foothold in your core systems. Adding MFA – Multi-Factor Authentication – reduces the possibility of an attacker elevating privileges and obtaining the keys to run ransomware without barriers. MFA comes free with most Microsoft 365 packages, and more in-depth solutions also exist that extend more granular protection to all devices in the organisation.

Continuing to use end-of-life hardware and software increases your risk heavily. Over time, attackers discover the security vulnerabilities that larger vendors publicly disclose. Many organisations rely heavily on older computers and software that are no longer supported, meaning those vulnerabilities will never be patched. Organisational security policies often overlook hardware and software that is out of date.

This dramatically increases the organisation’s risk of falling victim to an attack. Keep your operating system and 3rd party applications patched and up to date to ensure you have fewer vulnerabilities for attackers to exploit.

Preventing and Stopping Ransomware

One of the most important ways to stop ransomware is to have strong endpoint security: a program installed on your endpoint devices (phones, computers, etc.) that blocks malware from infecting your systems. Just be sure that Ransomware protection is included when you’re searching for a security package, as many traditional Anti-Virus products are not equipped to defend against modern Ransomware attacks.

As ransomware is commonly delivered through email, email security is key in preventing ransomware. Secure Email Gateway technologies filter email communications with URL defences and attachment sandboxing to identify threats and block them from being delivered to users. This stops ransomware from arriving on endpoint devices, while blocking users from inadvertently installing malicious programs onto their machines.

How to Identify a Suspicious Email? Click here to learn more. 

DNS Web filtering solutions stop users from visiting dangerous websites and downloading malicious files, and block ransomware spreading through viruses downloaded from the internet, including trojan horse software. DNS filters also block malicious third-party adverts. Isolation technologies completely remove threats from users by isolating browsing activity on secure servers and displaying a safe render to users. Moreover, Isolation does not affect the user experience. These solutions deliver high security efficacy and seamless browsing.

Backups

Once a ransomware attack succeeds and your data is compromised, the best protection for your organisation is to restore your systems quickly and minimise downtime. The most effective way to protect data is to ensure that it is backed up in multiple places, including your main storage area, local disks, and a cloud-continuity service. In the event of a ransomware attack, backing up data means you will be able to mitigate the loss of any encrypted files and regain functionality of your systems. Cloud data backup and recovery is a crucial tool in remediating Ransomware.
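Because ransomware also reaches backups it can write to, having several copies only helps if you can tell which copy is still good before restoring from it. The following is an added illustration, not code from the original article or from any backup product: a SHA-256 manifest is recorded when the backup is taken and kept apart from the data, and each copy (local disk, network share, cloud continuity service, offsite media) is later verified against it. A copy whose files are missing or no longer match, or whose snapshot is older than the allowed age, is reported as unusable, and the restore source is chosen from the copies that verified clean. Files, locations and timestamps are constructed in memory as an assumption.

```python
"""Verifying backup copies against a manifest recorded at backup time (added example)."""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Relative path -> SHA-256 of content, recorded when the backup is taken."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_copy(manifest: Dict[str, str], copy_files: Dict[str, bytes],
                snapshot_time: datetime, now: datetime, max_age: timedelta) -> Dict:
    """Check one copy: every manifest entry present with a matching hash, and fresh enough."""
    missing = sorted(p for p in manifest if p not in copy_files)
    corrupted = sorted(p for p, h in manifest.items()
                       if p in copy_files and sha256_hex(copy_files[p]) != h)
    unexpected = sorted(p for p in copy_files if p not in manifest)  # e.g. a dropped ransom note
    stale = now - snapshot_time > max_age
    return {
        "ok": not (missing or corrupted or stale),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        "stale": stale,
    }


def usable_copies(manifest: Dict[str, str], copies: Dict[str, Dict],
                  now: datetime, max_age: timedelta) -> Dict[str, Dict]:
    return {name: verify_copy(manifest, c["files"], c["snapshot_time"], now, max_age)
            for name, c in copies.items()}


def pick_restore_source(results: Dict[str, Dict], preference: List[str]) -> Optional[str]:
    """First copy, in order of preference, that verified clean; None if no copy is usable."""
    for name in preference:
        if results.get(name, {}).get("ok"):
            return name
    return None


# Constructed data set and the manifest recorded when it was backed up.
ORIGINAL = {
    "finance/q3.xlsx": b"quarterly figures (constructed)",
    "hr/handbook.docx": b"employee handbook (constructed)",
}
MANIFEST = build_manifest(ORIGINAL)
NOW = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock


def sample_copies() -> Dict[str, Dict]:
    """Four copies after an incident (constructed): two overwritten by ransomware,
    one fresh and intact, one intact but older than the allowed age."""
    encrypted = {p: b"\x00ciphertext:" + p.encode() for p in ORIGINAL}  # rewritten in place
    renamed = {p + ".locked": data for p, data in encrypted.items()}     # rewritten and renamed
    renamed["README_DECRYPT.txt"] = b"ransom note (constructed)"
    return {
        "local_disk": {"files": renamed, "snapshot_time": NOW - timedelta(hours=1)},
        "nas_share": {"files": encrypted, "snapshot_time": NOW - timedelta(hours=1)},
        "cloud_continuity": {"files": dict(ORIGINAL), "snapshot_time": NOW - timedelta(days=1)},
        "offsite_tape": {"files": dict(ORIGINAL), "snapshot_time": NOW - timedelta(days=10)},
    }


if __name__ == "__main__":
    results = usable_copies(MANIFEST, sample_copies(), NOW, timedelta(days=7))
    for name, r in results.items():
        print(name, "OK" if r["ok"] else f"UNUSABLE {r}")
    order = ["local_disk", "nas_share", "cloud_continuity", "offsite_tape"]
    print("restore from:", pick_restore_source(results, order))  # cloud_continuity
```

The design point is that the manifest must live somewhere the infected endpoint cannot rewrite; a hash list stored beside the backup on the same share would be encrypted along with it and prove nothing.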

Learn more about Disaster Recovery in this article.

Reducing the risk and damage of Ransomware requires a mix of frameworks, policies, training, and technology. The best companies perform a detailed GAP analysis using a Cyber Security framework such as the NIST CSF in conjunction with security controls such as the CIS 20 controls. This approach leads to better outcomes, and it’s how we commonly proceed with our customers.

Feel free to get in touch if you have doubts or would like to learn more about protecting your business against cyber security threats. Our team of experts will be happy to offer advice and guide you through what an effective strategy looks like for your business.

How to Ensure Compliance When Working Remotely

Compliance Regulations Remote Work
Photo by Siniz Kim on Unsplash

Reading Time: 4 Minutes
The ongoing COVID-19 pandemic has presented businesses worldwide with many unique challenges when it comes to their day-to-day operations. With every company trying its best to survive in this unprecedented climate, remote working has become a critical factor in keeping operations up and running. However, this adaptation has exposed businesses to a whole new level of cybersecurity and compliance threats. 

With cybercriminals preying on vulnerable home networks and work-from-home employees saving files on their local drives, the threat to business data is at an all-time high. According to the Coverware Ransomware Marketplace Research report, the average ransomware payment for Q2 2020 stood at $178,254. This is a whopping 60% increase from the Q1 2020 average payment.  

Despite the increasing magnitude of cyber threats, organisations can still make the most of the great solutions available to them to successfully overcome this menace even when their entire workforce is working remotely. 

Is your business vulnerable? Read our 8 Steps to secure remote working during the COVID-19 lockdown

In this blog, we’ll take a look at the most significant compliance and security concerns associated with remote work and how to overcome them.

Challenges to Security and Compliance With Remote Work 

When remote working became ubiquitous across the world, most organisations were forced to adapt to this change without solid policies or processes to maintain standards. Due to this, even some of the top companies are still catching up on their compliance adherence measures while facilitating remote work. 

Businesses of all sizes face the following challenges when working with remote employees:

  • Reduced security: When the lockdown started, employees took their business devices home and used them on their home networks. They also occasionally use their personal devices for office work. This poses a great threat to business data since organisations have very little control over security. 
  • Inability to enforce best practices: When operating within their office environments, companies can ensure their employees follow data security best practices. However, the scenario is vastly different with remote work. There’s every possibility that employees may use shared networks or public Wi-Fi connections to perform their work, adding to security complications. 
  • Inadequate backup: With remote work becoming the norm, the threat to data is significantly higher now. Unfortunately, data backup failure is quite common as well. That’s why organisations need to make sure they have multiple copies of their critical data in case their remote servers are compromised. 
  • Lack of employee awareness: Although most organisations follow best practices regarding employee and customer data, human error is still a major threat to security and compliance. Remote employees need to be provided with proper awareness training on how to handle data and on the best practices to follow. The most secure companies manage to make cyber security awareness second nature.

Best Ways to Ensure Compliance During Remote Work 

Although remote setups make compliance more challenging than usual, organisations can incorporate the following best practices to boost their security and comply with various regulations.  

1. Create a cybersecurity policy

If you don’t have a cybersecurity policy in place already, it’s time to create one. Organisations must develop a cybersecurity policy suitable for remote work. This policy should cover the various steps employees need to follow at personal as well as professional levels. By establishing proper standards and best practices for cybersecurity, organisations can minimise their risk exposure.


2. Incorporate a consistent data storage policy 

Without a standard cloud storage policy, employees are likely to store and handle data the way they see fit, which is certainly not advisable. There should be a shared repository on the cloud to back up files instantly from different sources. In many cases, the rogue copies that employees store on their local drives can pose a major threat to data security and create inconsistencies in storage policies. You need to make sure that data storage policies are strictly followed throughout the organisation. 

3. Increase remote monitoring 

During remote work, endpoint management and cybersecurity policies are impossible to incorporate without the power of automation. You need a robust remote monitoring solution that manages all your endpoints and helps you adhere to compliance regulations. When you have complete visibility into the entire remote working network, you can minimise vulnerabilities and security threats.

4. Increase employee awareness through training

Since human error is highly likely in all organisations, proper training should be provided to remote working employees. This training should focus on some of the most common and significant issues such as clicking questionable links, being wary of messages from untrusted sources, having strong passwords, implementing multi-factor authentication, etc. If your organisation falls under specific compliance regulations, you need to provide additional training to data-handling employees regarding the best practices to be followed. 

Your Employees are your biggest Risk. Learn more about this and how to train them in this article.

5. Use the right tools and solutions 

As cybercriminals and their tactics continue to evolve, you need to make sure that you use the right software tools and solutions to combat this threat. In addition to remote monitoring software, you need to use the appropriate antivirus, cloud backup, password manager and more. You also need to make sure that these solutions are properly integrated into a comprehensive platform.  

What Businesses Need 

Ensuring compliance is a critical task by itself. Doing that while implementing remote working policies and procedures can be overwhelming for many organisations. Your business must invest in a security solution that allows it to protect your valuable data and meet compliance regulations even in a remote working setup. 

With the right partner, this task becomes much more manageable. Reach out to us today, so we can help you develop an effective compliance strategy suitable for your needs.

Thanks for reading! For more articles on Compliance and Remote Work, visit our blog. Follow us on Social Media for more exclusive content, and as always, if you have any feedback or questions about this article, please do not hesitate to use the comment box below.


Protecting Your SaaS Data Is Your Responsibility

Protecting your SaaS Data is your Responsibility
Photo by Austin Distel on Unsplash

Reading Time: 4 Minutes
Businesses worldwide are investing heavily in software-as-a-service (SaaS) or cloud computing solutions in the search for flexible, reliable and affordable software infrastructure. The International Data Corporation (IDC) anticipated the cloud software market to reach $151.6 billion by 2020, but that was before the global pandemic hit, which triggered a rapid shift to remote work environments. However, it’s still highly probable that this prediction has already been surpassed, with this exceptional growth only bound to strengthen in the ‘new normal.’ Unfortunately, this growth has also made the cloud a darling of cybercriminals, which means nothing on the cloud is 100% safe. 

Your SaaS data, which is more accessible, and in some cases, more secure within a cloud infrastructure, is not fully protected from loss or corruption. If you, as a business, choose to look away from this glaring reality, you would be acting willfully ignorant. Through this blog, we’ll tell you how your SaaS data is only partially secured by SaaS platforms and give you three reasons why you must back up your SaaS data.  

How Your SaaS Data Is Actually Protected 

While responding to a survey by ESG, 37 per cent of IT executives admitted that they believed SaaS providers fully protected their business data. While this is not entirely false, it isn’t entirely true either. SaaS providers protect your data only with respect to accessibility and availability (downtime at their end) and infrastructure-related failures or threats.

Here’s how leading SaaS providers, like Google and Microsoft, for example, secure your SaaS data. 

G Suite: Google stores multiple replicas of your data at various locations, ensuring the data remains accessible in the event of a hardware failure. Although its infrastructure doesn’t offer native backup capabilities, it provides high availability (HA) through erasure coding.

Office 365 (O365): Given that the infrastructure of O365 is not unified, the backup capabilities for each application differ. O365 offers various backup options, but you must remember that even in its service level agreement (SLA), Microsoft only addresses the availability of data, not its recoverability. And yet, 57% of those responding to ESG’s survey relied on O365’s native recovery functionality, while 27% did not have any in-house recovery capabilities. 

Simply put, both G Suite and Office 365 offer, at best, temporary archives of your data. However, archives are not the same as reliable backups that you can recover or restore from. They neither guarantee protection of your data from prevalent threats nor data recovery after a security disaster.

Three Reasons Why You Need SaaS Backup 

Having understood that your SaaS data is only partially protected, it’s time to look at three reasons why you need to tighten up loose ends and adopt SaaS backup immediately.

Reason 1: Various Data Loss Risks and Security Threats at Your End 

Here are some threats looming over your organization’s data and hardware/software infrastructure that can cause severe damage – enough to grind your business to a temporary or permanent halt:  

  • User error: Whether it’s falling for a phishing scam or mistakenly deleting crucial data, user errors have accounted for 23% of security breaches in 2020. 
  • Illegitimate deletion requests: It’s impossible for a SaaS provider to determine whether a deletion request was done in haste or with malicious intent. It will honour your deletion request no matter what. One illegitimate command and poof! Your data will vanish. 
  • Sync errors: While introducing third-party tools into your IT environment helps streamline your business, it leads to the possibility of your valuable SaaS data becoming vulnerable. 
  • Insider threats: Malicious insiders have accounted for 30% of data breaches in 2020. One employee with malicious intent is enough to bring the whole house down. 

In their respective SLAs, not even leading SaaS platforms, such as G Suite, Office 365 and Salesforce, guarantee the security of your data from vulnerabilities at your end.


Reason 2: “Shared Responsibility” 

Contrary to popular belief, SaaS providers are not responsible for protecting the integrity or availability of your data. Cloud security and data protection is a shared responsibility where cloud service providers (CSPs) are responsible for the security, reliability and accessibility of their cloud product or solution infrastructure, while customers are responsible for securing the data they upload and store on the cloud. 

Essentially, you are ultimately responsible for protecting your organization’s data from loss, destruction or unauthorized access and ensuring that the data is logistically, operationally and contractually secure and viable.  

Even global data protection regulations, such as GDPR and HIPAA, have defined and emphasized the accountability to be shared by the controller (your business) and the processor (third-party service providers such as SaaS companies). It’s time for you to do your part. A study by Extra Hop claimed that by 2022, at least 95% of cloud security failures would be the customer’s fault. You wouldn’t want to be counted among those businesses, would you? 

Reason 3: SaaS Providers Lack a Robust Backup 

A robust backup should ideally fulfil four basic needs – ease of backing up and accessing data, built-in capability to secure data from unauthorized access, quick recovery of data, and compliance with all significant data regulations. Merely relying on SaaS providers to protect your SaaS data will not fulfil any of these needs. In the absence of a proper and complete backup, you are essentially playing Russian roulette with one of your business’s most valuable and vital assets – its data.

Invest in the Right Backup Solution Today 

If you continue to wait much longer, you will eventually fall victim to a nefarious cybercriminal or even a simple, honest employee mistake that could compromise crucial data your organization runs on.   

By investing in the right backup solution, you can ensure that your organization’s data is protected from a wide range of threats and drastically minimize the risk of a data breach. Talk to us today to help us set you up with an enterprise-class and robust SaaS backup solution that is tailor-made for your business.

Making Cyber Security Awareness Second Nature

Cyber Security Training for staff
Photo by Blackcreek Corporate on Unsplash

Reading Time: 3 Minutes
Your business’ cyber security program must start with your employees and robust security policies rather than entirely depending on your IT team or the latest security solutions. You can significantly reduce the likelihood of a data breach by combining a well-drafted cybersecurity policy with comprehensive security awareness training.

It is your responsibility to implement security training for all your employees so that your organization can withstand cyberattacks and carry out business as usual. Regular training will also help you develop a security-focused culture within your business and make cybersecurity awareness second nature to your employees.

Your Employees are your Biggest Cyber Security Risk. Learn why in our related article.

Cybercriminals can target your employees at any moment to gain access to sensitive business data. However, if your employees receive regular security awareness training, their calculated decision-making and quick response can effectively block deceiving threats.

Security Culture and Its Influence on Employees

Conducting a one-time employee training session for the sake of compliance does not adequately benefit your business’ cybersecurity posture – the key here is consistency. It is regular security awareness training that can truly protect your business from looming cyber threats that are constantly on the rise.

The following statistics shed light on why security awareness training is essential in today’s threat landscape:

  1. Human errors cause 23 per cent of data breaches.
  2. Over 35 per cent of employees do not know about ransomware.
  3. Nearly 25 per cent of employees have clicked on malicious links without confirming their legitimacy.

The aim of developing a security-focused culture is to nurture positive security habits among employees. For example, the simple practice of locking one’s computer screen when leaving the workstation unattended can prevent data from being accessed by unauthorized users.

Once you properly train your employees, they will be more aware of the business’ security policies and realize that their employer’s cybersecurity is their responsibility as well.

Unaware employees are your most significant cyber security risk. However, once trained, they act as your first line of defence.


Tips to Implement Effective Security Awareness Training

Until recently, companies would impart security awareness training as lectures using a slide deck. Businesses conducted these training sessions once a year or once during induction. However, these sessions proved ineffective because of their uninteresting nature and lack of follow-up sessions.

Training your staff will help you avoid both the Invoice Fraud and the CEO/CFO Fraud. Click the links to learn more.

If you intend to develop a security-focused culture, implementing robust security awareness training is crucial. Here are a few tips that can help you effectively implement security training:

  1. Make the training sessions interactive – Your employees will show more interest if you deliver training in high-quality video format since it grabs more attention. Add text content only as a complementary piece to the video. Ensure that the presentation is appealing to your employees so that they do not miss out on essential details. Also, make sure your employees can clear their doubts through face-to-face discussions or virtual conversations with subject matter experts.
  2. Break the training into smaller modules – Since the attention span of your employees will almost certainly vary from one to another, breaking training sessions into smaller modules will help them retain information faster as a whole. You can regularly send training modules to your employees to ensure they are up to speed on the latest security topics. Smaller units have a better chance of retention than lengthy pieces of content.
  3. Facilitate self-paced learning – Give your employees the freedom to learn at their convenience. This, of course, does not mean deadlines should not be set either. Make sure you give your employees sufficient time to complete each training module based on its complexity.
  4. Training must include relevant material – The training material must not contain any outdated information. Given how quickly the cyberthreat landscape is changing, the program must be updated regularly and cover new cyber threats so hackers don’t end up tricking your employees. Please remember that the content should not be overly technical. The training material must be imparted in an easy-to-understand manner, so employees have no trouble applying it in daily work scenarios.
  5. Conduct reviews with quizzes and mock drills – To assess your employees’ preparedness, you must conduct regular tests, including mock drills, that assess alertness based on their response to simulated scams.

Transform Your Weakest Link Into Your Prime Defense

Regular security awareness training can help develop a transformative security culture within your business, thus enabling your employees to detect even sophisticated cyber threats and undertake adequate action.

We understand that implementing robust security awareness training can be a bit challenging. However, you have nothing to worry about. We can help you seamlessly integrate security awareness training into your business operations to make your employees the first line of defence against existing or imminent cyber threats. Get in touch with us today, and let’s get started.

Thank you for reading! For more security and technology advice, visit our Blog.
Follow Spector on our Social Media channels for more exclusive content.

How to Effectively Manage Supply Chain Risks

Securing Supply Chain
Photo by Elevate on Unsplash

Reading Time: 4 Minutes
Digital transformation has made many things easier for businesses, right from inventory management and order processing to managing financials. On the flip side, however, it has also made companies more vulnerable to cyberattacks and data breaches. A breach occurring anywhere in the supply chain could end up seriously disrupting your operations. So, how do you safeguard your business against these threats? 

Deploying a bunch of security solutions within your company is not enough. For starters, it can’t guarantee the prevention of human errors and insider threats, which are major causes of data breaches. Besides that, it doesn’t precisely address the weak links in your supply chain. Global supply chains have grown vast and complex, making it virtually impossible to pinpoint failure points or avoid risks entirely.

The Invoice Fraud commonly hits unprotected suppliers. Learn about it with this article.

In other words, it is time to stop considering cybersecurity and data protection as just a technology problem that exists within your organization. The scope is much, much larger. It is also a people, process and knowledge problem that extends to your entire supply chain. That means your preventive and corrective measures should proactively address risks within your supply chain.

Let’s take a look at some key strategies and controls that can help you effectively manage and avoid supply chain risks.

Make Supply Chain Security a Part of Governance

Addressing supply chain risks on an ad-hoc basis will only create ambiguity and chaos. Instead, you need to make it a part of your security activities and policies. This way, employees will know how to coordinate with third-party organizations and what kind of security activities must be undertaken. 

Supply chain cybersecurity strategy best practices include:

  • Defining who is responsible for holding vendors and suppliers accountable
  • Creating a security checklist for vendor and supplier selection
  • Specifying how to evaluate and monitor suppliers’ cybersecurity practices and how often
  • Setting up a mechanism for measuring performance and progress

Take Compliance Seriously

With cyberattacks and data breaches increasing and impacting more people than ever before, the emergence of numerous compliance regulations has come to the forefront. For instance, if you are part of the defence industrial base, you must be Cybersecurity Maturity Model Certification (CMMC) compliant. There are many more out there, such as GDPR, HIPAA, PCI DSS, etc., each applicable to a particular industry or specific focus area.

Want to get your business compliance-ready? We recommend our Guide on NIST – you can use it to create a base for several standards.

In most cases, to prove and maintain compliance, companies must undergo several detailed assessments, produce different reports and documentation, implement certain best practices and more. You can avoid weak links in your supply chain by making compliance with these regulations mandatory for your vendors. 

Besides that, you need to ensure your business remains compliant with laws applicable to you as well. Not only does it strengthen your cybersecurity and data protection posture, but these regulations also act as a guide for everyone on your team to follow. Since these regulations are often updated, it ensures the measures you take align with industry standards.


Deploy Comprehensive and Layered Security Systems Internally  

Threat prediction is virtually impossible if you have a large number of third-party vendors. The attack surface is massive, making it almost impossible to guard against. What you need is comprehensive and layered security.

It is a more holistic approach, where each layer of your IT infrastructure is protected by a series of different solutions that make up for each other’s vulnerabilities. So, even if your firewall fails to defend against an attack vector, you still have multiple layers of defence protecting your data, including antivirus, access control, intrusion prevention systems and data encryption.

The layered approach to security also calls for regular training and testing of your employees since they are usually your first line of defence. For instance, if your team knows how to identify a phishing email, your data won’t be compromised even if your phishing filter fails.

Do you know how to identify a phishing email? Learn how in this article.

By not relying on any one solution to protect your sensitive data and files, you disrupt the cyber kill chain. This will allow you to prevent, detect and respond to cybersecurity risks more effectively.

Adopt and Enforce International IT and Data Security Standards 

Because modern supply chains are so interconnected, you have to interact and collaborate with your vendors constantly. This means vast amounts of data are exchanged, including sensitive customer information such as medical records, PII and financial data. The data must be stored securely (with continuous monitoring and real-time alerting), and access to it must be regulated.

But how do you guarantee this? By adopting and enforcing data protection regulations such as GDPR and HIPAA, together with security standards such as ISO 27001. These require companies to keep track of the sensitive data they hold, produce it when challenged, and implement adequate measures to secure it. Besides that, when selecting a SaaS vendor, ask whether they hold a SOC 2 report or an ISO 27001 certification, and check that its scope actually covers the service you will be using. This indicates that the vendor is securing information in line with industry standards.

ISO 27001 vs NIST – why choose one? Read to find out.

Wrapping Up

With supply chains becoming more interconnected and smarter, now is the time to identify and secure weak links in your supply chain. Collaborate with your partners, find out potential vulnerabilities and compliance violations, and work together to mitigate those risks.

We have another article with more practical tips on securing your supply chain available at this link: Recommended Best Practices for a Secure Supply Chain. With this content, you should be able to bring much more security to your business.

To find out how to deploy layered security and how you can secure your data while staying compliant with regulations, get in touch. We’ll be happy to understand your concerns and provide our recommendations and strategic advice.

Your Biggest Cybersecurity Risk: Your Employees

Unaware Employees - Your biggest cyber security risk
Photo by Alexandre Boucher on Unsplash

Reading Time: 3 Minutes
Cybercriminals work round the clock to detect and exploit vulnerabilities in your business’ network for nefarious gains. The only way to counter these hackers is by deploying a robust cybersecurity posture that’s built using comprehensive security solutions. However, while you’re caught up doing this, there is a possibility you may overlook mitigating the weakest link in your fight against cybercriminals — your employees. 

With remote work gaining traction and decentralized workspaces becoming the new norm, businesses like yours must strengthen their cybersecurity strategies to counter human errors and data breaches perpetrated by malicious insiders. All employees, irrespective of their designation/rank, can expose your business vulnerabilities to cybercriminals.

Untrained employees are putting your business at risk of Invoice Fraud. Learn about it in this article.

Implementing routine security awareness training for employees can help you prevent a vulnerability from escalating into a disaster. As the first line of defence against cyberattacks, your employees must be thoroughly and regularly trained to identify and deflate potential cyber threats.

Why Employees Pose a Risk to Businesses

According to IBM’s Cost of a Data Breach Report 2020, 23 per cent of data breaches in an organization occurred because of human error. An untrained employee can compromise your business’ security in multiple ways. Some of the most common mistakes committed by employees include: 

  1. Falling for phishing scams: With the onset of COVID-19, hackers masquerading as the World Health Organization (WHO) tricked people into clicking malicious links and sharing sensitive information. Cybercriminals keep refining their techniques, using spoofed emails and text messages to spread the scam, and your employees must be trained to recognise them. To learn how to train your people in identifying phishing emails, view this article.
  2. Bad password hygiene: Some of your employees will reuse the same password, or a small set of passwords, across business and personal accounts. Once one of those accounts is breached, the leaked password can be replayed against your business systems (credential stuffing), so the habit undermines your network security directly. Improve your password hygiene by reading this article.
  3. Misdelivery: A moment's carelessness can lead to an employee sending sensitive, business-critical information to the wrong recipient, including an attacker posing as a colleague or supplier. Such an act can cause lasting damage to your business, which is why you must be prepared to counter it.
  4. Inept patch management: Employees often postpone a security patch pushed to their device, leaving known vulnerabilities in your IT estate unaddressed.

The bottom line is that with cybercriminals upgrading their arsenal every day and exploring a plethora of options to trap your employees, security awareness training has become more critical than ever before.

Employees - biggest risk at an organisation
Photo by Brooke Cagle on Unsplash

Security Awareness Training: An Essential Investment

A one-time training program will neither help your employees repel cyberthreats nor help your business develop a security culture. To deal with the growing threat landscape, your employees need thorough and regular security awareness training.

CEO/CFO fraud can also be avoided with employee training; learn about it here.

You must never back out of providing continual security awareness training to your employees just because of the time and money you need to invest in it. The return on investment will be visible in the form of better decision-making employees who efficiently respond in the face of adversity, ultimately saving your business from data breaches, damage to reputation and potentially expensive lawsuits. The following statistics highlight why you must deploy regular security awareness training and consider it a necessary investment:

  1. Eighty per cent of organizations experience at least one compromised account threat per month.
  2. Sixty-seven per cent of data breaches result from human error, credential theft or social attack.
  3. Since the start of the COVID-19 pandemic, phishing attacks have gone up by 67 per cent.

Expecting your employees to train themselves on detecting and responding to cyber threats certainly isn’t the best way to deal with an ever-evolving threat landscape. You must take on the responsibility of providing regular training to your employees to ensure you adequately prepare them to identify and ward off potential cyberattacks.

Every employee must realize that even a minor mistake can snowball into a terrible security disaster for the company. They need to understand that your business’ cybersecurity is also their responsibility.

Read: The Human Factor behind Compromised Passwords

You can transform your business’ biggest cybersecurity risk – your employees – into its prime defence against threats by developing a security culture that emphasizes adequate and regular security awareness training. 

Making all this happen will require continued effort and may seem like an uphill climb, but with the right partner by your side, you can easily integrate security awareness training into your business’ cybersecurity strategy.

Here at Spector, aside from different training programmes, we also keep your employees aware by sending simulated phishing emails regularly and verifying who falls for potential baits. This acts as a reminder for people to stay alert.

The first step towards training and empowering your employees starts with an email or a call to us. Feel free to get in touch or schedule your preferred time, and one of our experts will give you a ring to discuss any questions and problems you may have. 

Thanks for reading! Follow us on Social Media for more exclusive content.
 

Recommended Best Practices for a Secure Supply Chain

Supply Chain Security best practices
Photo by Reproductive Health Supplies Coalition on Unsplash

Reading Time: 4 Minutes
Your business’ cybersecurity posture must prioritize detection, evaluation and mitigation of risks posed by your supply chain. It is vital that your security is upgraded regularly to better prepare for any worst-case scenarios.

It should therefore come as no surprise that a vulnerable third party dealing with your organization weakens your supply chain as well. Although controlling a third party's cybersecurity is challenging, it must be taken seriously, since a compromise at their end could put your business at risk.

How to Effectively Manage Supply Chain Risks? Find out with this related article.

Always remember that no matter how secure you think you are, dealing with an unsecured vendor can severely damage your business’ reputation and financial position.

Recommended Security Practices

Prevention is always better than cure, especially when you are managing data, systems, software and networks. By proactively adopting best practices, it is certainly possible to enhance your supply chain’s security. For more info on Cyber Security, we have several articles available here. Some of these practices include: 

Security Awareness Training 

You must educate all employees about how even a minor mistake on their part could severely compromise security. Since employees are usually the first line of defence against cyberattacks, it is important that they are given adequate training to identify and avoid any potential threats. 

Drafting and implementing an effective security awareness training program should not be a one-time affair. It should take place at regular intervals to ensure all stakeholders are on the same page. Top-level executives must be trained just as juniors and trainees.

Two more articles highlighting the importance of cyber security training: Invoice Fraud and CEO/CFO Fraud.

Data Classification 

Data classification enables you to identify your data, group it according to its sensitivity and value, and assign handling and security controls to each class. The bottom line is that if you do not know your data thoroughly, especially the data that flows through your supply chain, you will struggle to secure it.

Access Control

Enabling an access control gateway lets only verified users access your business data, including users that are part of your supply chain. With robust authentication and authorization protocols in place, you can minimize the chances of sensitive data getting compromised. 

Authentication verifies that a user is who they claim to be; authorization verifies whether that user is permitted to perform a given action on a given piece of data. The two are separate checks and both must pass, so both hold equal importance in a robust access control strategy.
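The following is an added example (not code from this article or from Spector) that ties the Data Classification and Access Control sections together: data is labelled by sensitivity, users carry a clearance and an organisation (staff or a named vendor), and the gateway runs authentication and authorization as two independent checks. The classification levels, user names, vendor name and resource names are constructed for illustration.

```python
"""Data classification with separate authentication and authorisation checks.

Added example, not code from the Spector page. All names (users, labels,
resources, roles, the vendor organisation) are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Classification levels, least to most sensitive (constructed scheme).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class User:
    name: str
    org: str            # "acme" for staff, the vendor's name for supply-chain users
    clearance: str      # highest classification this user may read
    roles: set = field(default_factory=set)
    salt: bytes = b""
    pw_hash: bytes = b""


@dataclass
class Resource:
    name: str
    owner_org: str
    classification: str
    shared_with: set = field(default_factory=set)  # vendor orgs explicitly granted access


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt. The iteration count is a value
    # chosen for this example; follow current OWASP guidance in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(name, org, clearance, password, roles=()) -> User:
    salt = os.urandom(16)
    return User(name, org, clearance, set(roles), salt, hash_password(password, salt))


def authenticate(user: User, password: str) -> bool:
    """Who are you? Constant-time comparison avoids a timing side channel."""
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


def authorize(user: User, resource: Resource, action: str) -> bool:
    """What may you do? Evaluated independently of how you authenticated."""
    if LEVELS[user.clearance] < LEVELS[resource.classification]:
        return False                      # clearance below the data's label
    if user.org != resource.owner_org and user.org not in resource.shared_with:
        return False                      # vendor not explicitly granted this resource
    if action == "read":
        return True
    if action == "write":
        return "editor" in user.roles and user.org == resource.owner_org
    return False                          # default deny for anything not listed


def access(user: User, password: str, resource: Resource, action: str) -> str:
    """Gateway: authentication first, then authorisation; both must pass."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorize(user, resource, action):
        return "denied: not authorised"
    return "granted"


if __name__ == "__main__":
    staff = register("alice", "acme", "confidential", "correct horse", roles={"editor"})
    vendor = register("bob", "logisticsco", "internal", "hunter2")
    schedule = Resource("shipping-schedule.xlsx", "acme", "internal", shared_with={"logisticsco"})
    payroll = Resource("payroll.csv", "acme", "confidential")
    print(access(vendor, "hunter2", schedule, "read"))    # granted
    print(access(vendor, "hunter2", payroll, "read"))     # denied: not authorised
```

The point of the split is that a vendor account with a valid password still cannot reach data above its clearance or outside what was explicitly shared with its organisation; a default-deny `authorize` makes every new action or data class an explicit decision rather than an accidental grant.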

Monitoring 

Because security incidents are inevitable, a brisk reaction time is fundamental to the effectiveness of your supply chain security. Automated, continuous monitoring is vital for quick detection and response to an attack.

You must gather and analyse relevant data to recognise suspicious activity or dubious system changes within your organization. For example, it is not normal for a user to modify hundreds of files within a split second; that is what ransomware looks like when it encrypts a file share. Knowing this, you can define acceptable behaviour on the monitoring system, and when a threshold is breached, the system triggers an alert. Tune the thresholds against known bulk writers such as backup jobs, or the alerts will be dismissed as noise.
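As an added example of the monitoring rule just described (not code from this article or from Spector), the script below runs over constructed file-audit log lines and alerts the first time any account modifies more distinct files within a one-second window than a threshold allows. The log format, account names, paths, threshold and the allowlist of bulk-writing service accounts are all assumptions for the example; a real deployment would feed it Windows file-audit events or auditd records instead.

```python
"""Detect burst file modification (ransomware-like behaviour) in an audit log.

Added example, not from the Spector page. Log format, account names, paths
and thresholds are constructed; the log is assumed to be in time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one event per line: "<ISO timestamp> <user> <action> <path>"
SAMPLE_LOG = """\
2021-04-12T09:14:02.100 alice WRITE /shares/finance/q1-report.docx
2021-04-12T09:14:55.300 alice WRITE /shares/finance/q1-report.docx
2021-04-12T09:15:01.000 bob READ /shares/hr/handbook.pdf
2021-04-12T09:18:00.000 svc-backup WRITE /backup/finance/a.xlsx
2021-04-12T09:18:00.050 svc-backup WRITE /backup/finance/b.xlsx
2021-04-12T09:18:00.100 svc-backup WRITE /backup/finance/c.xlsx
2021-04-12T09:18:00.150 svc-backup WRITE /backup/finance/d.xlsx
2021-04-12T09:18:00.200 svc-backup WRITE /backup/finance/e.xlsx
2021-04-12T09:20:00.000 carol WRITE /shares/finance/a.xlsx
2021-04-12T09:20:00.050 carol WRITE /shares/finance/b.xlsx
2021-04-12T09:20:00.100 carol WRITE /shares/finance/c.xlsx
2021-04-12T09:20:00.150 carol WRITE /shares/finance/d.xlsx
2021-04-12T09:20:00.200 carol WRITE /shares/finance/e.xlsx
2021-04-12T09:20:00.250 carol RENAME /shares/finance/e.xlsx.locked
2021-04-12T09:20:00.300 carol WRITE /shares/finance/f.xlsx
"""

THRESHOLD = 5                     # distinct files modified ...
WINDOW = timedelta(seconds=1)     # ... inside this window raises an alert
BULK_WRITERS = {"svc-backup"}     # constructed allowlist of accounts expected to write in bulk
MODIFYING = {"WRITE", "DELETE", "RENAME"}   # reads are not evidence of encryption


def parse_line(line: str):
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path


def detect_bursts(log_text: str, threshold=THRESHOLD, window=WINDOW, allowlist=BULK_WRITERS):
    """Return one alert per user, raised the first time that user touches at
    least `threshold` distinct files within any `window`-long period."""
    recent = defaultdict(deque)   # user -> (timestamp, path) events still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse_line(line)
        if action not in MODIFYING or user in allowlist:
            continue
        events = recent[user]
        events.append((ts, path))
        while events and ts - events[0][0] > window:   # slide the window forward
            events.popleft()
        distinct = {p for _, p in events}
        if len(distinct) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "at": ts.isoformat(), "files": len(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {alert['at']}: {alert['user']} modified {alert['files']} files in under 1s")
```

Counting distinct paths rather than raw events stops a user repeatedly saving one document from tripping the rule, and the allowlist is what keeps the nightly backup account from drowning the real alert; remove an account from that list and the same code flags it, which is the behaviour you want when a service account is abused.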

Endpoint Protection 

Endpoint protection ensures that end-user devices are protected against attackers. Any device connected to the network can be used to open a backdoor to your files, and cybercriminals are getting more adept at identifying the most vulnerable point within your network.

In most cases, it turns out to be an end-user device on your network or even devices on your third-party partner’s network. Therefore, securing endpoints is crucial to reinforcing the security of your business and your supply chain.

Patch Management

Security gaps left open by inept patch management leave your business vulnerable to cyberattacks. Whenever a new security patch is released, deploy it promptly, prioritising by severity and by whether the flaw is known to be exploited in the wild. Failing to do so gives cybercriminals a clear passage to circumvent your defences.

Routine Scanning

Routine vulnerability scanning is a coordinated process to test, recognize, examine and reveal potential security threats (internal and external). Automating these scans so they are conducted accurately and regularly without investing a lot of time and effort will work wonders. 

Network Segmentation

Once you segment your business' network into smaller units, you can control the movement of data between segments and isolate each part from the others, so that a compromise in one segment (a vendor's connection, for example) does not reach the rest. Automating the process also helps you restrict suspicious entities, internal and external, from gaining access to vital data.

Managed Detection and Response

MDR is a cost-effective service that provides in-depth threat detection and response. Threat hunting, which is part of this service, proactively searches your environment for signs of attacker activity that automated tooling has missed, allowing you to deal strategically with cyber threats.

Adopt These Best Practices Before It’s Too Late 

When it comes to supply chain security, the best practices mentioned above are just the tip of the iceberg of what you should do to avoid security incidents. Enlisting the help of a Managed Services Provider can help you stay ahead of the curve since they have the experience and expertise to shore up your business’ security.

We got another article with more insight and advice to secure your supply chain, available here: How to Effectively Manage Supply Chain Risk?

Most of these processes can be automated and run according to best-known practices by an IT Support Provider. Our suite of cyber security tools is constantly evolving, and our specialists keep up with the latest threats and methods used by perpetrators. If you're looking for true peace of mind, talk to us, and we'll be happy to provide more detail on how we do things.

For more information on Cyber Security, check our dedicated Blog section or our service pages.


8 Steps to Secure Remote Working for the Covid 19 Lockdown

Securing Remote Work for Covid Lockdown
Photo by DocuSign on Unsplash

Reading Time: 5 Minutes
Last month we had our first (and hopefully last) anniversary of the Covid 19 pandemic. For this occasion, we reviewed an article from last year – a practical guide to secure remote working in your business.

When the first lockdown hit, many companies scrambled for remote working solutions. In that rush, some cyber security considerations may have fallen by the wayside. As the third lockdown lingers on, securing your remote workforce is a must, since working from home is the new normal. We have outlined 8 key security steps for secure remote working that apply to all companies, regardless of size.

1. Establish what is covered with your IT Support Provider

Both the requirements and coverage agreements tend to be different when working remotely. Protecting people’s personal devices in their home networks demands more attention than in a controlled environment such as the office. Your IT provider may or may not cover the usage of non-commercial home devices or PCs to access your company’s IT resources remotely. You need to know what is covered and if they are incorporating home working.

It is considerably better to allow them to manage your home workers with their centralised management tools than to do it solo. Ask the question. At this stage, a good IT Support Provider will have managing a remote workforce down to a science.

2. Provide Malware Protection for Your Remote users

While you may have centralised malware protection and monitoring of all the workstations at your physical office, you likely do not have the same level of control for home computers. If possible, we recommend that you ask your IT provider to extend their Malware protection and remote management solutions to your home office users. 

If that is not an option (and it should be), Webroot offers multi-device packages for a reasonable cost, covering both PC and Mac environments. Macs should not be exempt from using endpoint protection software. One in ten Mac users has been attacked by the Shlayer Trojan.

Set a policy that all home employees must use an antivirus tool on the machines that access the firm’s resources. Moreover, have your IT support provider verify this before you install your secure remote access tools.

3. Make sure remote working does not introduce more risk

You may have had to suddenly set up remote access servers, Windows 10 virtual desktops or other remote access solutions. Whatever you chose, make it consistent across your organisation, as it makes it simpler to manage and roll back at a later stage. In particular, do not blindly open remote access ports without thinking of the risks and consequences. 

Remember that ransomware attackers continuously scan the internet for open RDP servers, targeting anything responding on port 3389, and then brute-force or replay stolen credentials against them. Any such open door is a critical security concern that could compromise your business. For RDP servers, you need a VPN solution, period: never forward 3389 through the firewall, and verify from outside your network that nothing answers on it.
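Here is an added example (not from this article or from Spector) of the outside-in check just mentioned: it attempts a TCP connection to the remote-access ports that should only ever be reachable over the VPN and reports anything that answers. The host addresses are constructed documentation-range IPs and the port list is an assumption; run it from a machine outside your network, or have your IT provider do so, because results from inside the LAN tell you nothing about internet exposure.

```python
"""Check whether remote-access ports answer from the outside.

Added example, not from the Spector page. The host list is constructed
(TEST-NET addresses); replace it with your firewall's external addresses and
run from outside the network.
"""
import socket

# Ports that should never be reachable directly from the internet (assumed list).
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC", 445: "SMB"}


def port_answers(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes, i.e. something is listening there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def exposed_services(hosts, ports=REMOTE_ACCESS_PORTS, timeout: float = 2.0):
    """Return [(host, port, service)] for every host:port that accepts a connection."""
    found = []
    for host in hosts:
        for port, service in ports.items():
            if port_answers(host, port, timeout):
                found.append((host, port, service))
    return found


def self_check():
    """Sanity check against a loopback listener: (open -> True, closed -> False)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = port_answers("127.0.0.1", port, timeout=1.0)
    listener.close()
    while_closed = port_answers("127.0.0.1", port, timeout=1.0)
    return while_open, while_closed


if __name__ == "__main__":
    # Constructed external addresses; each closed port costs one timeout to probe.
    for host, port, service in exposed_services(["203.0.113.10", "203.0.113.11"]):
        print(f"EXPOSED: {service} on {host}:{port} - put it behind the VPN")
```

A completed handshake is enough to confirm exposure; you do not need to speak RDP to know that internet scanners will find the service, and a port that silently times out is the result you want.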

4. Reinforce Cyber Security Education and Make Staff Aware of Covid-19 Scams

The Irish Times have reported a huge increase in COVID-19 scams that are circulating. Urge your users to not click on unsolicited emails and to use only official websites. The same principles used to identify Phishing emails apply here, and you can find more about them in our article How to Identify a Suspicious Email.

Ensure that the firm has a way of centrally communicating incidents so that you can trace all official communications and notifications to act accordingly. Additionally, a Mailbox filtering tool also helps reduce the number of fraudulent emails your employees will receive every day.

Agreeing on security policies to secure remote working
Photo by DocuSign on Unsplash

5. Update security and Acceptable usage policies for staff

Make sure your acceptable use policies cover staff's home computer assets. If this wording is not already there, you'll need to add it quickly to allow employees' own devices to be used for remote access. Policies should also cover remote working protocols, and payment processes need to be reviewed to avoid becoming a victim of payment scams.

Click here to learn more about the Invoice Fraud and the CEO/CFO Fraud to understand the importance of payment protocols.

Some of the biggest frauds in cyber could have been avoided if proper payment processes were in place. A simple confirmation phone call before a requested fund transfer is enough to confirm the identity of whoever is getting the money, provided you call a number you already hold on file and not one supplied in the request itself.

6. Review what software remote employees need

There are two considerations here. Your staff may need to access productivity applications that can only be run from inside your network. In this case, a remote connection to a Remote Desktop server or to their own office PC may be best.

For users that rely on Microsoft 365 and cloud-based apps, you may only need to provide the Microsoft 365 applications. For this, you will need to consider your licence requirements. A Microsoft 365 user licence lets that user install the Office apps on up to five PCs or Macs, five tablets and five smartphones. Those with Volume licences can allow Office for home use purchases for their employees. Review your options and licensing alternatives based on what platform and version of Office you are currently licensed for.

Which Microsoft 365 Package is Best for your business?

If you are in doubt, reach out to your IT support provider; they may be able to provide temporary licenses with screen connection software that they already use to remotely manage your network.

7. Implement Multi-Factor Authentication (MFA)

When implementing secure remote working, consider adding MFA to remote access solutions. This adds an extra layer of security to your users; and makes it much harder for a cybercriminal to steal someone’s identity. We have a One-Page Guide on Multi-Factor Authentication and Single Sign-On, where we explain how they work and why they’re so important.

Ask your IT support provider about adding MFA solutions such as DUO or Microsoft’s native Multifactor Authentication solution to access your IT infrastructure both in the office and the cloud. 

While your company may need to move quickly to allow staff to work remotely, MFA still lets you ensure that only legitimate admins and users get in, mitigating the threat of stolen credentials.

8. Secure connectivity with a virtual private network (VPN)

A business VPN encrypts the traffic between a remote device and your office network and makes internal resources (file shares, RDP servers, line-of-business applications) reachable only through that tunnel, so they are never exposed directly to the internet. It also keeps your users' traffic private on untrusted home or public Wi-Fi.

Most Unified Threat Management Firewalls (SonicWall, Fortinet, Sophos) include an inbuilt free SSL VPN client that can be deployed to provide secure end-to-end connectivity for your end-users. Ensure that your Firewall and VPN solutions are up to date, as this reduces the possibility of security vulnerabilities.

Prepare for the future of secure remote working

One year and three lockdowns in, remote working isn’t going anywhere, that’s the reality. It is important to define how you work remotely, review improvements and then secure your remote workforce properly. As always, the CIS provide excellent guidance with their CIS Telework and Small Office Network Security Guide. Review that to see if there are any other security issues you should be monitoring.

Next Steps to ensure Secure Remote Working

1. If you’re looking for an IT support provider with experience providing a secure remote working environment, get in touch here, or give us a call on 01 6644190 to talk with one of our experts.

2. Discover more about how MS Teams helps remote workers with both communications and collaboration.

3. Review our Remote Working solutions to ensure optimal protection for your businesses.

When to use Windows Virtual Desktops

Windows Virtual Desktops
Photo by JESHOOTS.COM on Unsplash

Reading Time: 4 Minutes
Since its release in September 2019, Windows Virtual Desktop (WVD) has gained traction across multiple organisations, mainly those looking to provide a better user experience for their employees, have the latest security and feature updates, and reduce costs across their IT environment.

Especially since the first wave of lockdowns in March 2020, Windows Virtual Desktop has become a solution that organisations started looking at for their company’s needs as most of the global workforce had to work from home suddenly. 

When Do You Require a Windows Virtual Desktop

This is a question that we field regularly with users of Microsoft 365 Business solutions. It all comes down to applications! The desktop applications a customer wants to access are not always limited to the Microsoft Office suite. Commonly there are Accounting, ERP, Development and bespoke client-based applications that you cannot deliver to your end-users using traditional Microsoft 365 Business solutions. In a conventional network, these reside on servers and desktops in your organisation.

If your users only need Microsoft applications and services, consider Microsoft 365 Business Premium. This will satisfy the end-user requirement and provide the flexibility required to work from any location.

For the other applications, there is Windows Virtual Desktop.

So what is WVD? How can you implement it? Will it work for your organisation? What other services does it need for it to work efficiently? Let’s dive in and answer these questions one by one.

What is Microsoft’s Windows Virtual Desktop?

According to Microsoft, “Windows Virtual Desktop is a desktop and app virtualisation service that runs on the cloud.” The cloud Microsoft is talking about is Azure, and running WVD on Azure gives the following benefits:

  1. A scalable multi-session Windows 10 (full) deployment
  2. A replacement for cumbersome Remote Desktop Services (RDS) servers and application publishing.
  3. Accessibility from any location with a full Windows 10 user experience.
  4. A greater degree of security and end-user controls.
  5. Rapid deployment and scalability, allowing BYOD policies.

Learn more about what it takes to migrate your business to the Azure Cloud with our 101 Guide.

How Does Windows Virtual Desktop Benefit Your Organisation

Productivity

One of the main benefits of Windows Virtual Desktop is that a user can access their desktop from anywhere they have internet access, using their company-issued device, a shared work computer, or their own device. So an employee who finds themselves stuck in a remote location would be able to remotely access their same desktop experience with all its functionality and personalisation.

Cost Reductions of Windows Virtual Desktops

By using WVD, an enterprise can realise cost savings in several ways. First, hosting on Azure significantly reduces the infrastructure needed, mainly servers and the rooms to house them in. Also, with employees working from anywhere, the amount of office space required is less, especially when shared workspaces, like WeWork and Regus, are available.

Lower Support Costs

Labour savings will also be significant, since you won't need as many full-time employees to maintain a vast infrastructure. Part of the saving comes from needing fewer help desk staff: desktops are created from a current image, so there are no installation issues or outdated versions to troubleshoot. They are also simpler to lock down, and endpoint policies that lower the attack surface can be enforced centrally.

Lower Hardware Costs – Supporting BYOD

For companies that allow employees to bring their own device (BYOD), the budget for new devices can be reduced, since employees rely on their own hardware and only the virtual desktop needs to be managed.

Scalability and Security

A company that wants to scale quickly can do so with Windows Virtual Desktop. The reverse is also true: if your company goes through busy periods and requires additional staff, you only pay for those desktops as and when they are used. This is particularly useful for arts organisations and production companies where contractors use their own devices (BYOD).

Because WVD desktops are built from a centrally managed image, updates and the latest security features can be rolled out to the whole fleet by updating that image, provided someone actually maintains it. Traditionally, a larger company would defer security updates or take time to fully roll them out, leaving users vulnerable to attack.


Issues With Moving To Windows Virtual Desktop

Before you can fully move your organisation onto WVD, you need to decide how each application will be delivered: migrate traditional apps to cloud-based alternatives, install them in the session host image, or package them for dynamic delivery with MSIX app attach, which requires converting your EXE and MSI installers into signed MSIX packages. Microsoft provides tooling (the MSIX Packaging Tool) for this conversion, but it is a manual, per-application effort, and Spector can assist with that process.

Mobile Users without Internet Access

It may seem rare, but it does happen. If your users are in an area with no internet or a slow/unstable connection, they will not be able to access their desktop and the apps they need. It is important to profile your user base in advance.

Peripherals

You will also need to address the topic of peripheral technologies that standard desktops have access to. For Example:

Printing – this can be resolved by using IP printers.

Scanning – as with printing, scanners can be set to send jobs to email or file locations.

Speakers, microphones, and webcams – this is more challenging. Even with the Windows 10 Enhanced Media pack, we recommend that all MS Teams conferencing and telephony take place outside of a Windows Virtual Desktop. We tend to deploy conferencing and telephony apps on the local desktop or device as the end-user experience is way better.

Hardware license keys and other USB devices – you will need to research this, as it is dependent on the device and licencing.

Conclusion

As working from home and BYOD become the new norm, Windows Virtual Desktop will deliver a consistent and secure working environment for your staff. For more information or a demonstration of Windows Virtual Desktop, please feel free to contact us.

Our team will be happy to demonstrate how everything works and guide you through the usability process in a free Discovery Call. Your business could benefit from this and many other technological advancements while still saving costs.

For more tips and information about Cloud and Remote Working, check our dedicated Blog section with several articles about the topic. We’ve helped thousands of customers move to remote working after the Covid 19 pandemic and would be happy to assist your business.


Cloud Migration: A Guide to Microsoft Azure and Microsoft 365

Cloud Migration A Guide to Microsoft 365 and Azure Migrations

Organisations belonging to all verticals and sizes are beginning to reap the rewards of Digital Transformation programmes to challenge the status quo and deliver new ways of doing business. At the core of our practice, we help clients realise these benefits by adopting cloud-based technologies. This guide aims to look at how to leverage the benefits of the Microsoft 365 and Azure platforms.

We will share our experience of migrating on-premise technologies to their cloud-based counterparts. Along the way, we will review the most common approaches to extend and migrate critical components of your IT infrastructure, such as Active Directory, shared files, line-of-business servers, desktops, and applications.

We aim to help you develop a more comprehensive plan and deliver successful cloud migration projects that produce meaningful long-term business outcomes. Use the index below to skip to your preferred section or download our PDF guide to lead your decisions.


What are you Planning to Migrate to the Cloud?

Let us start with the most fundamental of questions. What components of your current or planned IT infrastructure are you planning to migrate to the cloud? It is more and more common for us to work with companies that are 100% living in the cloud. Most of them use the Microsoft 365 Platform for productivity applications, among other solutions for project management, accounting, and collaboration.

Still confused about the Cloud? Learn all the important details with this article.

In the rush to get teams operational during the first wave of Covid 19 lockdowns, many companies grabbed the first and best-known technology available. We are now assisting companies in reengineering this approach to ensure better security by consolidating as many of these functions in as few platforms as possible.

Common Business Technologies

Email and Collaboration – We recommend reviewing and consolidating as many functions under one provider as possible. The Microsoft 365 Business or Enterprise packages are a great place to start and provide Email, Collaboration, Enterprise File Share, Chat, Telephony and more. The goal is to maximise each part of your investment and ask if there are better ways of achieving what you are currently doing today. For more information on the right Microsoft 365 package for your business, see our related blog on MS Business and MS Enterprise.

Files (i.e., company shares) – The main shared files belong in the cloud and can be accommodated through your Microsoft 365 SharePoint functionality. This works fine unless you have specific high-performance file server requirements that may be required to house shared accounting solutions (i.e., QuickBooks, Sage) or required by 3D modelling tools such as Revit. For that, you may need to consider a dedicated file server or Azure Files, which will better suit the purpose.

Active Directory – AD should be in the cloud. Managing user identity and access rights is critical as you migrate your technologies to the cloud. We also recommend that Microsoft 365 end users explore the benefits of a cloud-based AD. It provides more granular policy management, which is useful for broader security policy management. AD may exist totally in the cloud or live in a Hybrid model where AD information is synchronised between internal and cloud-based servers.

Databases (i.e., SQL Server) – The cloud is the ideal platform for databases too. Not only are licensing costs typically lower, but the ability to scale out to increase performance and protect critical data (with backups and replication) are imperative considerations. This flexibility is particularly useful when testing Proof of Concept deployments or when your company may need to scale up services for a short time.


Business Specific Applications (e.g., ERP, MRP, CRM) – Business applications tend to come in two flavours. First, we have web-based applications. These move very quickly to a cloud infrastructure as they are essentially cloud-ready by design. The supporting technologies (database, web interface and file management) are relatively simple to migrate.

For traditional applications that require a client-side installer (an application installed on a desktop), the migration can be more complex. It comes down to how efficiently the application works between the client and the server when they are in separate locations. By design, these applications are meant to be on the same network, reducing latency and providing better performance. If there is a significant end-user performance hit by moving these business applications to the cloud, you may need to rethink the migration process, possibly moving your users to a Windows Virtual Desktop solution or an application publishing solution that is also cloud-based.

Desktops – For organisations that rely solely on cloud-based applications, i.e., Microsoft 365, Xero, Parolla and such, having a virtual Windows desktop in the cloud may not provide much value. However, organisations with:

  1. Client/server applications,
  2. BYOD programmes, 
  3. Compliance requirements,
  4. Requirement to scale users rapidly,

will find that a Windows Virtual Desktop ticks all the boxes and provides performance close to the speeds and controls of a traditional LAN.

Site-Specific Hardware (i.e., printers, scanners, warehousing and manufacturing controllers, POS systems) – These elements are attached physically to a location and cannot be migrated. 

Security – this is a vast topic, and to make it simpler, you need to consider where your users, data, applications, etc., live. You need to identify how each of these components integrates and communicates with the others, and implement security controls and technologies to address the risks. This generally involves multiple layers such as email protection, end-user training, malware and ransomware solutions, identity management solutions and firewalls.

Backups and Disaster Recovery – Cloud is perfect for backup and DR. The cloud provides an ideal target for your backup data/images as storage space is inexpensive, it is physically remote from the original copy, and there is plenty of redundancy built-in. It can also provide a full recovery location for disaster recovery or failover in the case of a disaster. 

We find that a detailed asset and risk register helps focus the mind in planning your cloud migration. It allows you to look at your IT assets today, how they are protected and how they serve the end-user base. It also allows you to paint the future and the benefits a cloud migration will bring, addressing security considerations as you go.

Learn more about how to build your risk register with our detailed article and find the best ways to manage technology risk.

What is clear from our list above is that most IT assets can be migrated to the cloud. That answers the “What can we migrate?” question. In terms of a wider strategy, the next question is one of timing and phasing your migration.

Cloud
Photo by Arteum.ro on Unsplash

Pure Cloud vs Hybrid Cloud

This question has already been answered for the smaller businesses with no on-premises IT services and infrastructure – you are already 100% cloud-based. For more complex companies with a mix of on-site servers and cloud services such as email and DR, you will need to consider how migration will be performed.

A Question of Timing – Cutover or Phased migration

Should you perform a cutover migration (where users are accessing an on-premises environment one day and are accessing the cloud the next) or migrate your users into groups or phases?

There is no single right answer that accommodates all client requirements. It boils down to their IT components and applications, staff and IT providers’ capabilities and risk. Let us consider an outcome where we will move all components that can be moved to the cloud. 

The “When” question deals with the process of moving the selected IT components to the cloud.

There are two primary ways to perform the migration:

Cutover Migration

A Cutover migration is a one-time event with lots of planning and preparation in advance and then a burst of activity immediately after the go-live. After some time, the activity level subsides as users get used to their new cloud environment and start appreciating the benefits. Cutover migrations are typically best for simple, small settings where it makes sense to do everything at once. It is challenging to do a cutover migration of a large and complex IT environment due to the risk of missing critical components, which means that the risk of user disruption is also high. On the other hand, cutover migrations can be very quick and completed within weeks or even days.


Cutover Scenario

In a cutover scenario, the cloud environment is set up independently as a proof-of-concept replica of the existing on-premises environment. All servers are installed in the cloud and data migrated. All user virtual desktops are prepared with their required profiles, settings and applications. 

A Proof-of-Concept test user group is then selected to log into this newly created environment to confirm that all applications and services are working as expected. Once fully tested and signed off a “go-live” date is scheduled. 

Users are then steered to the new cloud setup as their new working environment. It is wise also to leave the original infrastructure in place for a short time in case any specific settings, files or certs have been missed. Assuming all goes well, the old environment is decommissioned in the coming weeks. This results in the customer having switched from an on-premises system to a cloud-based one in a cutover fashion.

Phased migration 

A phased migration is a journey. It breaks the migration process down into small, manageable steps that are executed in sequence with the opportunity to have users validate the environment in production every step of the way. Phase-in migrations can take a long time to complete. It is not unusual to see these last for months or even years. However, this is a safer approach to migrating large and complex environments. For small, simple environments, phased migrations are typically more work-intensive and disruptive than necessary.

Phased Scenario

In this scenario, the cloud environment is preconfigured with select IT components and one or more workstreams are moved to Azure. Users continue using both the existing on-premises systems and the new cloud-based one simultaneously for an extended period.

The on-premises environment is likely extended to the cloud using a VPN and Hybrid AD. This extends both the network and the user access controls to the cloud-based applications or servers that are being migrated. Over time, additional workloads like file shares, databases, and virtual desktops can be moved one at a time from on-premises to Azure until all the desired IT components have been migrated.

Before an Azure migration, make a list of which IT components will be migrated to the cloud and which will stay local. Consider the migration approach that fits best – Cutover or Phase-In – and discuss it with your IT team and Managed Service Provider. Will you opt to get it done quickly, or will you want to take your time and test everything thoroughly? Be careful not to overcomplicate matters. We have seen simple file share migrations drag on for months! Equally, make sure that your testing is complete and that you are testing the right things. Planning is critical here.

A Typical Spector Azure Deployment

Each of our Azure Migrations starts with a proof-of-concept stage. One that has no impact on your current environment but can be connected to the live environment for final migration once the POC is complete.

Moving is easy
Photo by HiveBoxx on Unsplash

Connecting your POC Into an Existing IT Environment

There are three top-level steps involved in plugging a new Azure deployment into an existing IT environment.

Extend the network – this is typically accomplished by setting up a site-to-site VPN between your core office location(s) and the Azure environment.

Extend Active Directory – Making the same Active Directory Domain Services available in Azure allows you to manage user objects and assign virtual desktops without any changes to the existing environment. Once the AD is extended from the current environment to Azure, it spans both locations and allows seamless movement of servers from one to the other.

Move Server and Desktop workloads – Once network connectivity is established and Active Directory is extended into Azure, servers and data can be moved from the existing environment to Azure. We tend to use Azure Site Recovery (ASR), another VM replication technology, or the Azure Resource Move process.

The result of the three steps above is a Spector managed Azure environment with connectivity to an existing IT environment, AD visibility, and the ability to move VMs from one environment to the other without the need to re-join the domain or reconfigure the operating system.

Once the migration has been performed, you may also consider a reengineering of your cloud solution to better tailor it to its new home or seek alternatives that better suit your digital transformation goals.

Sample Scenarios – Outcomes and Key Steps for Successful Cloud Migrations

In this section, we will look at two cloud migration scenarios of varying complexity and examine the steps in that migration and the outcomes, skill sets, and time scales to achieve them.

Scenario 1

A 25-user accountancy practice using traditional desktop-based applications such as TAS Books, Sage Line 50 Accounts and various payroll applications.

Current Situation

The company is based in two geographic locations with staff performing a range of financial services including accounts production, tax planning, pension planning and payroll services. Staff work between the office, home and audit locations using laptops. Each site has a centralised server. There are two separate domains, as the second site was a result of M&A.

Current Issues

• All applications are traditional desktop or client/server applications that require constant and disruptive updating.
• Adding new staff is laborious and time-consuming.
• Client files are transferred to laptops for offline working.
• With restricted travel, it takes time and effort to gather all the data required.
• Staff find remote working challenging with VPN and password reset issues.
• Operations are only 80% as productive as their pre-Covid 19 levels.
• Staff cannot easily share and work from both locations as their business data is located on different systems.
• Communications are challenging, with most staff reverting to mobile phone usage. Clients complain that they cannot get through to their main point of contact.

Goals

• The ability to communicate and collaborate in real time with both clients and other staff members across both offices.
• Easily gain access to files – both online and offline – from any location on any device.
• Migrate accounting clients to a new centralised cloud-based platform that cuts out all the file transfers.
• Deliver a consistent desktop experience for all users that is quickly scalable and accessible from any location.
• Improve efficiency and focus on a consultative rather than transactional relationship with clients.
• Drive centralised reporting and KPIs.
• Reduce IT headaches and management costs.
• Improve security and compliance and enter a long-term improvement programme.

Cloud Migration Plan 

1- Upgrade all users to Microsoft 365 Business Premium.
2- Set up a new Azure AD environment – the old AD was an inherited mess.
3- Extend the network from both locations to Azure using site to site VPN.
4- Migrate file server to SharePoint Online, allowing users to collaborate and share data with each other and clients.
5- Set up Windows Virtual Desktops for users of Client-Server apps.
6- Perform a fresh install of Accounts Production Virtual Server.
7- Migrate data sets from client-server applications to new Azure-based Virtual servers.
8- Set up backup and Site recovery for DR.
9- End-user testing and go live.
10- Setup Microsoft Teams for Chat, Collaboration and Telephony – replacing several legacy systems.
11- Rollout security policies via Intune and Advanced Threat Protection.
12- Set up data retention and compliance policies.
13- Traditional desktop-based accounts (Sage, Tas, etc.) migrated to Xero & AccountsIQ. Parolla for payroll, depending on client requirement. All with detailed KPI plugins allowing for more consultative practice management.

Outcomes

The primary outcomes come from consistency and efficiency. The consistent end-user experience and modern look and feel make it simpler to train and onboard staff. The client also reports better communications and access to the team with better reporting outcomes.

There has been a 20% increase in pre-Covid efficiency as there are less blockers and time wasted in communications and technical difficulties.

Customer Scenarios Applied Technology
Photo by Science in HD on Unsplash

Scenario 2

Manufacturing and Distribution Company both producing and distributing goods to several European markets. Offices in 3 countries. 130 staff. Manufacturing and storage warehouse. AD, File & Print, ERP, Web Orders, CRM, TMS, Exchange Server, ERP – all Server-based. Ageing SAN and infrastructure. Traditional PRI based PBX. Forty reps on the road. Fifteen expert engineers, balance office-based.

Current Situation

The investment in technology has been slow over the past several years. There has been a strong emphasis on security – so much so that all technology is located on-site. There is now a desire to migrate technologies to a cloud-first strategy where possible. There is a strong desire to allow for greater working agility and flexibility as offices are downsized in favour of smaller hot desk sites with flexible meeting rooms.

Current Issues

• There is no defined IT and cloud-based migration strategy.
• Technology management – support and applications are costly, with multiple 3rd party relationships that are difficult to manage and coordinate together.
• Traditional applications have slowed down the adoption of new agile technologies.
• There is widespread use of shadow IT and security concerns as staff try to work around the technology limitations.
• A traditional UC solution is expensive and needs complete and costly replacement.
• There is a need for a rethink and rewiring of all security technologies.

Goals

• The first goal is to develop a strategy and simplify the IT supporting all business functions.
• Move obvious workloads to the cloud – File, AD, Email, Comms and Collaboration.
• Review core ERP and CRM solutions to see if the cloud migration path is open, or seek alternatives.
• Upgrade existing hardware – where necessary.
• Complete cyber security review using the NIST Cyber Security Framework and Enterprise Grade security solutions to protect all company, people, and data assets during the migration process.
• Review and enhance Disaster Recovery solution.

Migration Plan 

1- Develop Strategic IT Review and Roadmap for:

  1. Applications – End-User
  2. Comms & Collaboration
  3. Applications – Enterprise
  4. Infrastructure
  5. Cyber Security
  6. Business Continuity

2- Establish Microsoft 365 Tenancy with E5 Licence – this delivered a consistent application experience for all. In the process, we migrated all telephony, IM, conferencing, and communications through Microsoft Teams, saving 20k per annum in charges.
3- Full email migration to the cloud with full security capabilities such as MFA, Legal Hold, Data Retention and Mobile management capabilities.
4- New core infrastructure hardware to include core networking, security, and firewalling (Sophos solution with Synchronised security and 24/7 managed threat response).
5- Sales, Finance and Admin all working through SharePoint for file sharing and management.
6- Engineers and higher end-users using Windows Virtual Desktops with Azure High-Performance File Shares to support Revit and “chatty application” workloads.
7- Migration of core servers for ERP, CRM, AD Devops to Azure-based Virtual Machines.
8- Extension of local networks to Azure using IPSEC VPNs.
9- Longer term partner strategy with ERP solution to private cloud infrastructure.
10- Veeam- and Zerto-based backup and Site Recovery solution, alongside Azure Backup and Site Recovery, with fully tested failover for business applications.
11- Set up backup and Site recovery for DR. Fully monitored and tested.


Outcomes

This 14-month project has reduced management costs by nearly 80k per annum. Traditional longwinded processes have been replaced with newer, more agile methods allowing staff to focus more on developing new products and go-to-market strategies. Technology is now seen as a real business enabler. Cyber Security protection is now a topic at the board table with a mature and tested platform in place – with clear lines of reporting and responsibility.

Conclusion – Assisting with the move

As you will have noticed, a proper cloud migration process tends to be very complex and has many points where it could go wrong. To ensure your files and operations are secured in the cloud, you should find a trustworthy provider to advise and guide you through each step and who essentially watches all the details for you.

If you already found that provider, use this guide to ensure nothing less than perfect is delivered. If you are still looking, be reassured we will be happy to assist you in this transition. We’ve helped businesses of many verticals and sizes in migrating to the cloud and will be able to take this heavy load from you and deliver a seamless experience to your employees and customers – light as a cloud.

Book a discovery call with one of our experts today and learn how we can transform your business with the power of technology.

Which Microsoft 365 Business Package is Right for You?

Microsoft 365 Business Package
Photo by Tadas Sar on Unsplash

Reading Time: 4 Minutes
In April 2020, Microsoft rebranded their original Office 365 packages under their new Microsoft 365 branding. In the interim, many companies are still using older packages and remain unaware of the features and functions available under the latest packages.

What about the Enterprise packages, you may ask? Enterprise packages are designed for companies with over 300 staff with specific security controls such as Legal Hold and in-depth Data Leakage protection that can only be purchased in their E5 licence. If you have more complex data security and compliance requirements, check out our blogs on the subject or feel free to reach out to one of our solutions consultants who can help you decide.

Using Only a Fraction of the Available Features

Most SME companies that we encounter are signed up to Microsoft Business Basic (think email and cloud-based version of their productivity applications) or Microsoft Business Standard (Email and Desktop Version of their productivity applications) packages. Most of them, however, are using only a limited amount of the available capabilities. 

There is a wealth of other functionality under the hood that enables more efficient remote working and security for your users, wherever they work. For our assessment here, we are comparing Microsoft Business Standard Edition to the Microsoft Business Premium Edition – as Standard is the most common package that we see in the market.

What is Microsoft 365 Business Standard?

Microsoft 365 Business Standard is a package for organisations who require Office applications across a maximum of 5 devices, with the addition of business email (50 GB), cloud file storage (1 TB) and online meetings and chat via Microsoft Teams. The current price of the package is €10.50 (per user/month) with a one-month free trial.

What is Microsoft 365 Business Premium?

Microsoft 365 Business Premium includes everything that the Microsoft 365 Business Standard package offers with the additional add-ons of advanced cyber threat protection and device management, improving security for your business environment. The current price of the package is €16.90 (per user/month) with a one-month free trial. 

Functionality Comparison

Microsoft 365 Standard and Premium package comparison

Is Microsoft 365 Business Premium worth it?

Rather than labouring the point, the simple answer is resounding YES! The main reason is Advanced Threat Protection (ATP) and the additional features allowing you to easily manage devices throughout your organisation, which the Business Standard does not include. Let us take a quick look at some of these key features:

Intune

Microsoft Intune is a cloud-based service that allows you to enforce policies for mobile device management (MDM) and mobile application management (MAM). You control how your organisation’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to manage applications. 

For example, you can prevent emails from being sent to people outside your organisation. Intune also allows people in your organisation to use their personal devices for work. Intune helps make sure your organisation data stays protected and can isolate organisation data from private data on personal devices. As with all security-based solutions, we recommend building specific policies first and then setting up the technologies and alerting to support those policies. 

Conditional Access

As the name suggests, Conditional Access allows you to control the devices and apps connected to your email, files and Microsoft 365 apps. Conditional Access provides granular access control to keep your corporate data secure while giving users an experience that allows them to do their best work from any device and location.

There are two types of conditional access with Intune: device-based conditional access and app-based conditional access. You need to configure the related compliance policies to drive conditional access compliance at your organisation. Conditional access is commonly used to do things like allow or block access to email, control access to the network, or integrate with a Mobile Threat Defence solution.
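The following is an added example, not Spector's own tooling or script, showing how a Conditional Access policy of the kind described above is created with the Microsoft Graph PowerShell SDK. It requires multi-factor authentication for every holder of the Global Administrator role, which also addresses the admin-account risk discussed later in this page. It assumes the Microsoft.Graph module is installed, that the signed-in account has the listed permission scopes, and that the excluded user ID is a placeholder for your emergency-access ("break glass") account.

```powershell
# Added example (not Spector's code). Creates a report-only Conditional Access
# policy requiring MFA for Global Administrators, then lists which admins have
# a strong (non-password) authentication method registered.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "RoleManagement.Read.Directory",
                        "UserAuthenticationMethod.Read.All"

# Well-known roleTemplateId of the Global Administrator role (same in every tenant).
$globalAdminRoleTemplateId = "62e90394-69f5-4237-9190-012177145e10"

$policy = @{
    displayName   = "Require MFA for Global Administrators"
    # Report-only first: the sign-in log shows what would be blocked without
    # locking anyone out. Change to "enabled" once the report looks right.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeRoles = @($globalAdminRoleTemplateId)
            # Placeholder: object ID of your emergency-access account, kept out of
            # the policy so an MFA outage cannot lock every admin out of the tenant.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Companion check: which Global Administrators have only a password registered?
# Those accounts will be prompted to register MFA as soon as the policy is enforced.
$role    = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalAdminRoleTemplateId'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
           Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

foreach ($member in $members) {
    $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
    $strong  = @($methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    })
    [pscustomobject]@{
        Admin               = $member.AdditionalProperties['userPrincipalName']
        StrongMethodsCount  = $strong.Count
        PasswordOnly        = ($strong.Count -eq 0)
    }
}
```

Run it in report-only mode for a few days and review the Conditional Access section of the sign-in logs before switching the state to "enabled"; the exclusion for the emergency-access account is deliberate and should be the only one.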

Azure Information Protection

Enable collaboration of your emails, documents, and sensitive data internally and externally. That is done securely through a combination of encryption, restricted access, and rights to provide additional protection.

Defender

Provides Advanced Threat Protection (ATP) by offering a complete, ongoing, and up to date defence. This helps mitigate malware threats from multiple sources such as infected attachments, links, and downloads through your Microsoft 365 apps such as email, SharePoint, and MS Teams.

Learn about Microsoft 365’s Security Concerns and how they could impact your business.

Windows Virtual Desktop (WVD)

This service is an all-inclusive desktop and application virtualisation service. WVD is a Windows 10 desktop that lives on the Azure platform. It provides a complete desktop solution for remote workers and is suitable for users of business-specific desktop-based applications, i.e., accounting solutions, ERP, MRP, CRM, etc. Using WVD also allows for secure remote working for BYOD users.

 

Our conclusion and Spector’s recommendation

Yes, there is an extra cost of just over €6 per user per month, but the security controls and capabilities that are contained in Microsoft Office Business Premium are more than worth it. There is a massive uplift in cybercrime (400% in 2020) seeking out vulnerabilities that these security controls can defend against. This re-emphasises the importance of the features above, as your business will be able to defend against threats, giving you the peace of mind that your information is being safeguarded.

How can we help?

We are a Microsoft Gold Certified Partner, which means we have the highest degree of expertise working with Microsoft technologies.

We can help you plan and migrate to the Microsoft 365 Business Premium Package with a strong focus on policy, security, and productivity. If you have any questions on the Microsoft 365 Packages or would like to know more, please get in touch, and we will be happy to help.

We’ll be letting you know when we begin our Microsoft 365 Lunch and Learn sessions, where we deep dive into the specifics of the Microsoft 365 products such as Microsoft Teams, SharePoint, and Collaboration applications. Tell us in the comments if you’d be interested in joining us!

Follow us on Social Media for more exclusive content, and as always, if you have any feedback or questions about this article, please do not hesitate to use the comment box below.

 

The Top Microsoft 365 Security Concerns 

Top Microsoft 365 Security Concerns
Photo by Clint Patterson on Unsplash

Reading Time: 3 Minutes
Microsoft does an outstanding job securing its cloud services. However, cloud users must take responsibility for configuring and managing secure access and file sharing to minimise the risk of data leakage. 

Which Microsoft 365 Business Package is right for you? Find out in this article.

Some IT Managers and most business owners might not be aware of the specific configurations within Microsoft 365 and could have open breaches for cybercriminals. In this article, we’ll be talking about some of these potential risks and how they can impact your business. Here are our top 5 security concerns.

Unauthorised or External File Sharing

Microsoft 365 enables users to collaborate with people outside of your organisation in applications like Teams and SharePoint, as well as by sharing files and folders directly. We talked about external sharing in Microsoft 365, and in particular Teams, in detail in other articles. 

Not sure if Teams is the right tool for your business? Read this article to find out.

Files that are shared outside your network are vulnerable by default. With Microsoft 365, a user can share a single file or an entire folder. This grants access to all files currently in that folder and all its subfolders, as well as any new ones created there. For a decent guide on the subject, take a look at this guide by Netwrix.
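As an added example that is not part of the original article or Spector's tooling, the SharePoint Online management shell can show the tenant-wide sharing settings that decide whether a shared folder link works for anyone who holds it, and tighten them. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint Administrator account, and uses "contoso" and the Finance site URL as placeholders.

```powershell
# Added example (not Spector's code): review and tighten external sharing for
# SharePoint Online and OneDrive at tenant and site level.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# 1. Current state. The weak combination the article describes is
#    SharingCapability = ExternalUserAndGuestSharing (anonymous "anyone" links)
#    with DefaultSharingLinkType = AnonymousAccess, so every new share link
#    grants folder-wide access to whoever receives it.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
                              RequireAnonymousLinksExpireInDays

# 2. Which sites currently allow anonymous links? Record this before changing
#    the tenant default, since the tenant setting caps what sites may allow.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability

# 3. Corrected tenant default: external people must sign in as guests (no
#    anonymous links) and new share links are internal-only unless the user
#    deliberately chooses otherwise.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal

# 4. Sites holding sensitive data can be locked down further than the default.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" `
            -SharingCapability Disabled   # placeholder site URL
```

Per-site settings can only be as permissive as the tenant setting, so step 3 immediately downgrades any site found in step 2; step 4 is the per-site override in the other direction.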

Privilege Abuse

Users often wind up with more permissions than they need to do their jobs. Excessive rights increase your risk of a data breach. For instance, users can accidentally or deliberately expose or steal more data than they should. Similarly, malicious software or hackers who take over a user’s account can access more data and systems than they normally would. 

Microsoft 365 doesn’t make it easy to restrict permissions based on business unit or country, or for remote or satellite offices. It’s also tricky to granularly grant admins rights to perform only specific functions, like resetting user passwords. 

Global Administrator Account Breaches

Security Breach
Photo by Michael Dziedzic on Unsplash

Hackers and cybercriminals often target administrative accounts in their attacks, as a successful takeover gives them elevated privileges. The centralised administration model in Microsoft 365 allows all administrators to have global credentials, meaning that administrators have access to every user’s account and content. If hackers manage to take over a global admin account, they can change critical settings, steal valuable data, and leave backdoors to enter again.

To reduce the risk of these powerful accounts being compromised, you can set up multi-factor authentication (MFA) in the Security and Compliance Center. Keep in mind that global administrator accounts do not have MFA enabled by default. 

Curious about Multi-Factor Authentication? We have a one-page guide explaining how it works.

Disabled Audit Logs

Audit recording is not enabled by default in Microsoft 365. An administrator must manually turn auditing on. Similarly, to audit email mailboxes, an administrator must turn on mailbox auditing. These are essential features both for security and compliance and should be present at all times.

Understand that the audit log shows only events that occurred after auditing was enabled. 

Short Log Retention Periods

Microsoft 365 stores audit logs for only a short time, from just 90 days to a maximum of one year. For details on these settings, take a look at this link. Many compliance standards require storing audit logs for far longer than that. For example, HIPAA requires logs to be retained for six years. GDPR does not specify a retention period; however, it requires organisations to be able to investigate breaches, which can take well over a year to surface. By that time, the native audit logs are gone.
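The two concerns above (auditing switched off, and native retention too short for compliance) can be handled together from the Exchange Online management shell. The following is an added example, not Spector's own script: it confirms that unified and mailbox auditing are on, turns them on where they are not, and exports the previous day's audit events to a JSON file that can be kept for as long as your retention obligation requires. It assumes the ExchangeOnlineManagement module, an account holding the Audit Logs and Organization Configuration roles, and the export folder path is a placeholder; schedule it daily so the native 90-day window is never the only copy.

```powershell
# Added example (not Spector's code): enable M365 auditing and export audit
# events for long-term retention outside the tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# --- Disabled Audit Logs --------------------------------------------------
# Unified audit log ingestion is an explicit tenant switch.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Mailbox auditing has an organisation-level switch and a per-mailbox flag.
$orgCfg = Get-OrganizationConfig
if ($orgCfg.AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -AuditEnabled $true }

# --- Short Log Retention --------------------------------------------------
$ExportDir = "C:\AuditExport"                 # placeholder: use immutable storage
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

$end   = Get-Date
$start = $end.AddDays(-1)

# A session id plus ReturnLargeSet pages through results 5000 at a time;
# the loop ends when a page comes back short or empty.
$sessionId = [guid]::NewGuid().ToString()
$pageSize  = 5000
$events    = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                                   -SessionId $sessionId `
                                   -SessionCommand ReturnLargeSet `
                                   -ResultSize $pageSize
    if ($page) { $events += $page }
} while ($page -and @($page).Count -eq $pageSize)

$outFile = Join-Path $ExportDir ("audit-{0:yyyyMMdd}.json" -f $end)
$events |
    Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
    ConvertTo-Json -Depth 5 |
    Set-Content -Path $outFile -Encoding UTF8

"$($events.Count) audit events written to $outFile"
```

The AuditData field carries the per-event detail as JSON, so the export remains searchable later; keep the files on write-once or immutable storage, since an attacker who reaches the export location can otherwise erase the only long-term record.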

Remediating These Risks 

At Spector, we have a full suite of tools that help us remediate these risks and ensure that your Microsoft 365 tenancy is and remains fully secure. As a Microsoft Gold Partner, our team specialises in understanding the whole suite of products available on the market. We’re keen on finding vulnerabilities and solutions, and communicating them to our customers and partners.

We can use our expertise to help find vulnerabilities in your business too. Our Gap Analysis covers most business aspects that can be improved, from technology and compliance breaches to business operations and personnel training practices. For more information, please get in touch or book a call with one of our experts.

Thank you for reading! Follow us on Social Media for more exclusive content.
 

Managing Your Technology Risk

Technology Risk
Photo by Tobias Tullius on Unsplash

Estimated Reading Time: 3 Minutes
Today, no business is 100 per cent secure from cyber threats, and more companies are waking up to this reality now than ever before. It’s no wonder cybersecurity investment in 2020 is pegged to grow by 5.6 per cent to reach nearly $43.1 billion in value. With cyberattacks surging due to widespread remote work and increased online interactions during the pandemic, it seems likely that this trend will only continue to grow further.

Download your Risk Register Sample at the end of this article.

While 58 per cent of IT leaders and practitioners consider improving IT security their topmost priority, nearly 53 per cent of them find cybersecurity and data protection to be among their biggest challenges as well. That’s primarily because cybersecurity is not a one-and-done exercise. Your business might be safe now but could be unsafe the very next minute. Securing your business’ mission-critical data and customers’ data requires undeterred effort sustained over a long period of time. While there are several pieces to this puzzle, the most important one, considering today’s threat landscape, is ongoing risk management.

Through the course of this blog, you will understand the definition of a cybersecurity risk assessment and why you must undertake and monitor them regularly to keep your business’ cybersecurity posture abreast with ever-evolving cyber threats. By the end of it, we hope you realize how installing cybersecurity solutions alone isn’t enough to counter cyber attacks unless you make ongoing risk management an operational standard for your business.

Understanding Cybersecurity Risk Assessment

In rudimentary terms, a cybersecurity risk assessment is the process of identifying the threats and vulnerabilities that affect your business' infrastructure and estimating the likelihood and impact of each, so that the resulting risks can be managed, controlled and mitigated.

In its Cybersecurity Framework (CSF), the National Institute of Standards and Technology (NIST) states that the purpose of cybersecurity risk assessments is to “identify, estimate and prioritize risk to organizational operations, assets, individuals, other organizations and the Nation, resulting from the operation and use of information systems.”

The primary purpose of a cybersecurity risk assessment is to help key decision-makers make informed decisions about prevalent and imminent risks. Ideally, an assessment must answer the following questions:

  • What are your business’ key IT assets?
  • What type of data breach would have a significant impact on your business?
  • What are the relevant threats to your company and their sources?
  • What are the internal and external security vulnerabilities?
  • What would be the impact if any of the vulnerabilities were exploited?
  • What is the probability of a vulnerability being exploited?
  • What cyberattacks or security threats could impact your business’ ability to function?

The answers to these questions will help you keep track of security risks and mitigate them before disaster strikes. Now, imagine periodically having the answers to these questions whenever you sit down to make key business decisions. If you’re wondering how it would benefit you, keep reading.
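As an added worked example (not part of the original article, and not Spector's own Risk Register template), the following Python script shows how the answers to those questions are usually captured in a risk register and turned into a ranked list. Each entry records the asset, threat, vulnerability, likelihood, impact and owner; the score is likelihood multiplied by impact on 1-to-5 scales. The scale words, rating thresholds, treatment rules and the four sample entries are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Qualitative 1-to-5 scales. The scale words, the rating thresholds and the
# treatment rules below are assumptions for this example, not a standard.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str           # What are your key IT assets?
    threat: str          # What are the relevant threats and their sources?
    vulnerability: str   # Which internal or external weakness would be exploited?
    likelihood: str      # What is the probability of exploitation?
    impact: str          # What would the impact be if it were exploited?
    owner: str           # Who is accountable for treating the risk?
    score: int = field(init=False)

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"unknown scale value in {self.asset!r}")
        self.score = LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def rating(self) -> str:
        # Thresholds on the 1-25 product; adjust to your own risk appetite.
        if self.score >= 15:
            return "critical"
        if self.score >= 10:
            return "high"
        if self.score >= 5:
            return "medium"
        return "low"

    @property
    def treatment(self) -> str:
        # Map the rating to the treatment a register normally records.
        return {
            "critical": "mitigate now; owner reports weekly until reduced",
            "high": "mitigate within the quarter",
            "medium": "mitigate or transfer (e.g. cyber insurance); review quarterly",
            "low": "accept; review at next annual assessment",
        }[self.rating]


def rank_register(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so severe outcomes surface."""
    return sorted(risks, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)


def summary(risks: list[Risk]) -> dict[str, int]:
    """Count of entries per rating, handy for a one-line status to management."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for r in risks:
        counts[r.rating] += 1
    return counts


# Constructed sample register (illustrative entries, not a client's data).
SAMPLE_REGISTER = [
    Risk("Microsoft 365 tenant", "Credential phishing", "MFA not enforced for all users",
         "likely", "major", "IT manager"),
    Risk("File server and backups", "Ransomware", "Backups writable from domain-joined hosts",
         "possible", "severe", "IT manager"),
    Risk("Finance laptops", "Device theft", "Disk encryption not enabled",
         "unlikely", "moderate", "Finance director"),
    Risk("Public website", "DDoS", "No upstream DDoS protection",
         "unlikely", "minor", "Marketing lead"),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.score:>2} {r.rating:<8} {r.asset:<24} {r.threat:<20} -> {r.treatment}")
    print(summary(SAMPLE_REGISTER))
```

Running it prints the register highest score first; the two critical entries (phishing against the tenant, ransomware reaching the backups) come out on top, which is the order the Action Plan should follow. Using impact as the tie-breaker is deliberate: of two equally scored risks, the one that is catastrophic if it lands deserves attention first.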

Why Make Ongoing Risk Management an Operational Standard?

Making ongoing risk management an operational standard is vital, especially in today's cyberthreat landscape, where no single threat can safely be ignored. In one assessment your business might seem on the right track, but by the next one the picture may already have changed, because both the company and the threats it faces keep changing. That is precisely why an ongoing risk management strategy is now an integral part of standard operations for many of your peers.

Here are seven reasons why you can’t keep this critical business decision on the backburner anymore:

Reason 1: Keeping Threats at Bay

Most importantly, an ongoing risk management strategy will help you keep threats, both prevalent and imminent, at a safe distance from your business – especially ones you usually do not monitor regularly.

Reason 2: Prevent Data Loss

Theft or loss of business-critical data can set your business back a long way, leading to the loss of business to competitors. Ongoing risk management can help you remain vigilant of any possible attempts at compromising your business data.

Reason 3: Enhanced Operational Efficiency and Reduced Workforce Frustration

As a business owner or key decision-maker of your organization, you would be amazed how consistently staying on top of potential cybersecurity threats can reduce the risk of unplanned downtime. The assurance that hard work will not vanish into thin air will surely keep your employees’ morale high, thereby reflecting positively on their productivity.

Reason 4: Reduction of Long-Term Costs

Identifying potential vulnerabilities and mitigating them in time can help you prevent or reduce security incidents, which in turn would save your business a significant amount of money and potential reputational damage.

Reason 5: One Assessment Will Set the Right Tone

There is no single fixed template that all your future cybersecurity risk assessments must follow; the scope and method should evolve with the business. But to refine them you first need a baseline, so the first few assessments set the tone for everything that follows in your ongoing risk management strategy.

Reason 6: Improved Organisational Knowledge

Knowing security vulnerabilities across the business will help you keep a keen eye on important aspects that your business must improve on.

Reason 7: Avoid Regulatory Compliance Issues

By putting up a formidable defence against cyberthreats, you also make it much easier to demonstrate compliance with regulatory standards such as HIPAA, GDPR and PCI DSS, all of which expect organisations to assess their risks periodically and to apply controls proportionate to them.

Continue tackling the Risk – Download your Risk Register Sample

Photo by Blake Wisz on Unsplash

From our years of experience working with customers in highly regulated industries – Financial Services, Healthcare, semi-private organisations – we have found that the best way to handle the challenges of managing technology risk and governance is by leveraging the NIST Cyber Security Framework.

We explain how to do it in detail in our Guide to NIST. Its main focus is for Financial Services companies, but every type of business can leverage the framework to deal with risk.

Download your Risk Register Sample Here.

The Asset and Risk Register are crucial for the development of a Risk management system, but keep in mind that they are only part of that system and not the end result. Now that you are done reading this part, the next one is to Develop your Action Plan to Address Technology Risk.

To continue managing the risk consistently and continually, we have developed our own methodology to assist and guide you through every step. If you are looking for an extra level of detail and a system that will make this process much more comfortable and straightforward, Book a Call with us. We can get you to your desired state of maturity with a tested solution.

Follow us on Social Media for more exclusive content, and as always, if you have any feedback or questions about this article, please do not hesitate to use the comment box below.

 

10 Ways to Improve Online Meetings

Remote Working Video Conference Meeting
Photo by Chris Montgomery on Unsplash

Estimated Reading Time: 3 Minutes
It has been nearly 12 months since the start of the Coronavirus pandemic. In this time, we have had to adopt online meetings to collaborate with our teams and communicate with our customers. The "new normal" has been replaced with "the office is dead", and so the unhelpful predictions will continue. There are multiple challenges in successfully transferring communications to online meeting tools such as Microsoft Teams and Zoom.

Want to learn more about Microsoft Teams? Check our articles: Is Teams the Answer to your Remote Working Requirements? or Our Guide to the perfect Microsoft Teams Deployment

There are, however, some tips that we have gained through the use of our EOS (Enterprise Operational System) Traction Meeting disciplines that translate very well to online meetings. It all boils down to preparation and the setting of rules and expectations. Our team have multiple online meetings per week, covering both internal and client communications. We are happy to share our learnings, improvements and best practices with you here.

Here are 10 steps you can take to make your meetings shorter and more productive:

1. Test your technology ahead of time

Make sure you have the bandwidth capacity for online meetings. Nothing kills momentum at the start of a session like a 15-minute delay because people need to download software, can’t get the video to work, etc. Prior to a virtual meeting, all participants should test the technology and make sure they are comfortable with the main features.

2. Use the camera

To make people feel like they are all at the "same" meeting, use your camera. We are continually amazed by how many people turn off their cameras in a video meeting. In a nutshell, be present or get off the call.

3. Create and stick to a clear agenda and timeline

During the session, use an agenda, set meeting ground rules, take breaks every 45 minutes (if running into hours), and clearly outline next steps (including timing and accountabilities) after each section and at the end of the meeting.

4. Share your screen

Meetings should be discussions. Background information should be provided beforehand using a collaboration tool such as Microsoft SharePoint. If someone needs to present, use screen sharing to guide the conversation, so attendees can literally “be on the same page.” But prioritise conversation to maximize the time people are looking at each other.

Read this article by Harvard Business Review: What it Takes to Run a Great Virtual Meeting?

5. Add a personal touch

In our weekly team meetings (Level 10 Meetings in EOS Traction world), we start with some good personal and business news to share with other team members. It may sound a little over the top, but it works well to strengthen relations and get an inside view of others’ lives. With our client meetings, we always begin with some good news about our company, such as a new client or new exciting technology to share. This always starts meetings on a positive note.

6. One person guides the session

It is vital to have a meeting facilitator that can guide and time the meeting. We commonly limit the core meeting length to 30 minutes with 10 minutes set aside to kick off and summarise the discussion and next actions. The facilitator should also be able to resolve basic questions on the technology being used.

7. Ask questions and engage all people

This is no different from in-person meetings. There are always loud and dominant people in the room. The high “D” in the DISC profile or the Leading Lion types so well described by Dr Larry Little. Engage the quieter staff members through questions. You may be surprised at the insights they will bring to the meeting.

8. Take Notes and agree on Actions

Make sure to take notes on next actions with clear responsibilities and timelines. In Traction world, we call them To-Dos. To-dos are actions that will be performed within the next week or two weeks. Simple activities with binary outcomes such as done or not done are known to drive excellent accountability. In particular when you measure how many of these To-Dos actually get done!

9. Set the next meeting date before the current meeting ends

We all know that marrying calendars can be a nightmare. In the case of team meetings, set a regular meeting time that is fixed in stone. No other business gets in its way. With less frequent client meetings, we always seek to schedule our next appointment before the current one is over. This saves enormous time and hassle for both parties.

10. Score your meetings out of 10

Ask yourself whether the agenda was met, whether there was clarity around next actions and how engaged people were. We call these Level 10 meetings, as they are marked out of 10. If anyone scores the meeting less than an 8 there needs to be a clear explanation as to why. While simple, this is a remarkably effective way to get honesty on the table and determine how well the meeting was run.

We hope these practical steps are useful to you. Online meetings are here to stay, so we might as well put some effort to make them as productive and pleasant as possible.

Watch out for our handy guide to online meeting technology. If you’re looking for more useful information to better enable your business for Remote Working, make sure to check our article: The Best Tips and Guides for Remote Working. Alternatively, read Our Short Guide on how to safely Implement Remote Working.

Thank you for reading! Follow us on Social Media for more exclusive content.
 

Cyber Security – Do You Know Your Digital Risk?

Security - Do you know your digital risk?
Photo by Content Pixie on Unsplash


Estimated Reading Time: 4 Minutes
Rapid technological advancement and rising global connectivity are reshaping the way the world is functioning. From higher productivity to improved customer satisfaction, technology has played a critical role in the growth of businesses worldwide. However, the consequential bad news is that technological advancements have also made organisations increasingly vulnerable to digital risks. However, this does not mean that businesses must compromise on growth and improvement for the sake of security.

The security challenges within these digital environments could be better addressed if organisations knew how to identify these risks and incorporate preventative security measures and controls, along with proactive solutions and detailed plans, to overcome their digital vulnerabilities. Let us discuss the different types of digital risks you should be looking out for and how you can use this information to get a positive ROI.

Types of Digital Risks

Digital risks are increasing in the business world due to the rapid adoption of new disruptive technologies. These risks are seen in various industries and are more pervasive than cybersecurity risks. On a broader scale, digital risks can be classified into physical, technical and administrative risks.

The following risks are the most prevalent in today’s digital world and should be treated as top priorities for your business:

  • Cybersecurity risk: Cyberattacks continue to evolve as companies become more technology-driven. Attacks like ransomware, DDoS, etc., can bring a halt to the normalcy of any business.
  • Data privacy risk: As we move forward to a knowledge-based economy, data has become the most valuable commodity in the world. This has resulted in hackers targeting critical business data and misusing it for personal gain.
  • Compliance risk: Businesses need to adhere to various regulations regarding data privacy, cybersecurity, organisational standards of practice, etc. Any violation can attract heavy fines and penalties for a business.
  • Third-party risk: When you outsource certain services to third parties, it might compromise the security of your IT infrastructure. For instance, a software tool you develop with an external vendor may introduce some vulnerabilities to your otherwise intact digital environment.
  • Resiliency risk: This concerns the ability of a business to bounce back and continue operations after an unexpected disaster.
  • Risks due to human errors: In the UK, 90 per cent of cyber data breaches were caused by human errors in 2019. Whether it’s falling for phishing scams or misusing work devices, human errors can be quite costly for organisations if they go unchecked.
  • Automation risks: While automation is reshaping the tech industry for the better, it could also give rise to a range of risks such as compatibility risks, governance risks, etc.
  • Cloud storage risks: The flexibility, ease-of-use and affordability offered by the cloud makes it one of the most popular options for backup and storage. However, the cloud is also prone to various risks such as lack of control over data, data leakage, data privacy, shared servers, etc.

Importance of a Risk Assessment in Managing Digital Risks

Secure Remote Working

The best way to start managing your digital risks is by performing comprehensive security risk assessments regularly. After all, how would you know what your current vulnerabilities or gaps are and where your biggest security challenges lie without an 'under the skin' examination? With a risk assessment, you can measure your security posture against various internal and external threats and determine how equipped you are to deal with these risks. When you perform a security risk assessment you can proactively:

  • Identify vulnerabilities: A risk assessment helps you identify which part of your digital environment is relatively weak against various security threats. You can identify which systems are likely to be targeted by attackers and incorporate measures to strengthen these systems. Without the information presented by your risk assessment report, you don’t stand much chance of improving your digital security posture against various vulnerabilities.
  • Review and bolster security controls: In most cases, security incidents occur due to a lack of controls in the process. For instance, without proper cybersecurity awareness training and best-practice training, employees are unlikely to follow security protocols on their own, which could result in losses due to human error. Based on the risk assessment, you can upgrade your security controls and incorporate preventive measures against various risks.
  • Track and quantify risks: To effectively manage various risks, you need to know the effect of these risks on your business. With a risk assessment, you can quantify these risks by identifying the potential losses posed by various threats. This helps you incorporate necessary risk mitigation strategies to prevent your exposure to various risks.

To begin understanding these risks, there are several steps a business owner or risk manager can take. We have more detail on this topic in the following article: Building your Asset and Risk Register.

The Value of Risk Assessment

IT and security budgets are often difficult to explain to management. Everyone understands the consequences of not investing in correct security measures. However, it isn’t that easy or simple to put an exact ROI figure on security investments. The value of risk assessment is based on how you choose to act with the information you get from these reports.

After understanding these risks, you should have enough knowledge to begin prioritising and addressing them based on the impact and urgency of each risk. This process will result in the creation of an Action Plan, which if properly executed will minimise most organisational risks. Some organisations are able to conduct this process effectively by themselves, while others fail to do so.

In this scenario, the real question is – what is the cost of not making this investment?

Security devices and tools
Photo by Pop & Zebra on Unsplash

Let us consider a major data breach for example. It is always about what you stand to lose in the aftermath of a breach. If your business is dealing with valuable customer data, a data breach can result in unrecoverable financial losses as well as reputational damage. Moreover, this might also result in regulatory non-compliance and attract heavy penalties from various regulators. In such cases, reviving a business after a major disaster can be almost impossible.

Here, the cost of investment in security solutions and cyber insurance is negligible since it concerns the survival of the business. You may not be able to measure the exact ROI of the airbags in your car but that does not mean that your survival is not dependent on them. Similarly, the information and insights gained from routine risk analysis are critical to the operation, resilience posture and long-term success of your business.
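To make "the cost of not making this investment" concrete, here is an added Python example (not from the original article) using the standard quantitative method: annualised loss expectancy (ALE) is single loss expectancy (SLE) multiplied by annual rate of occurrence (ARO), and return on security investment (ROSI) is the loss a control avoids, minus its cost, divided by its cost. The ransomware scenario and the three candidate controls, with their costs and effect factors, are constructed figures for illustration; the script also goes one step beyond the text and evaluates a bundle of controls applied together.

```python
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss: float   # SLE: cost of one occurrence, in euro
    annual_rate: float   # ARO: expected occurrences per year (0.2 = once in five years)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    loss_factor: float = 1.0   # multiplies SLE (0.5 halves the cost of an incident)
    rate_factor: float = 1.0   # multiplies ARO (0.5 halves how often it happens)


def ale(s: Scenario) -> float:
    """Annualised loss expectancy = SLE x ARO."""
    return s.single_loss * s.annual_rate


def with_controls(s: Scenario, controls: list[Control]) -> Scenario:
    """Apply each control's effect to the scenario (factors multiply)."""
    for c in controls:
        s = replace(s, single_loss=s.single_loss * c.loss_factor,
                    annual_rate=s.annual_rate * c.rate_factor)
    return s


def rosi(s: Scenario, controls: list[Control]) -> float:
    """Return on security investment = (loss avoided - cost) / cost."""
    cost = sum(c.annual_cost for c in controls)
    avoided = ale(s) - ale(with_controls(s, controls))
    return (avoided - cost) / cost


def cost_of_inaction(s: Scenario, years: int) -> float:
    """Expected loss over a planning horizon if nothing is done."""
    return ale(s) * years


def compare(s: Scenario, controls: list[Control]) -> list[tuple[str, float]]:
    """Each control on its own, best ROSI first."""
    ranked = [(c.name, round(rosi(s, [c]), 2)) for c in controls]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed scenario: a ransomware outage at a 60-person firm.
# SLE = 5 days of downtime at 20,000/day + 60,000 recovery + 50,000 regulatory fine.
RANSOMWARE = Scenario("Ransomware outage", single_loss=5 * 20_000 + 60_000 + 50_000,
                      annual_rate=0.2)

# Constructed candidate controls and their assumed effects.
CONTROLS = [
    Control("Immutable backups + quarterly restore test", 8_000, loss_factor=0.45),
    Control("Phishing-resistant MFA + awareness training", 12_000, rate_factor=0.4),
    Control("Cyber liability insurance (80% of loss covered)", 15_000, loss_factor=0.2),
]

if __name__ == "__main__":
    print(f"ALE today: {ale(RANSOMWARE):,.0f} per year; "
          f"3-year cost of doing nothing: {cost_of_inaction(RANSOMWARE, 3):,.0f}")
    for name, r in compare(RANSOMWARE, CONTROLS):
        print(f"{r:>5.2f}  {name}")
    print(f"Backups + MFA together: ROSI {rosi(RANSOMWARE, CONTROLS[:2]):.2f}")
```

With these constructed figures the ALE is €42,000 a year and the three-year cost of doing nothing is €126,000. Immutable backups give the best return on their own (ROSI 1.89) even though insurance avoids more expected loss, because insurance costs nearly twice as much. Applying backups and MFA together lowers the ROSI to about 0.72, but it also cuts the residual ALE from €18,900 to €7,560; making that trade-off visible to management is the point of the exercise.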

A thorough analysis can bring you essential insight and indicate the next steps for your organisation. Should you be looking for professional help to identify and address your digital risks, we recommend starting with the Gap Analysis. This process goes beyond a conventional IT Audit, where your company’s cyber security structure is scanned to identify any potential breaches. The main difference here is that we’ll also look into your policies, processes and people to understand where your business is and where you want it to be.

After identifying the Gap, we’ll begin to close it and improve your business’ cyber security structure. To learn more about this process, download our brochure and feel free to get in touch.


What is Ransomware and How to Avoid it – The Complete Guide

Ransomware How Does it work and how to avoid it - The complete guide

Introduction to this Guide

We hope this guide provides useful information to protect your business against ransomware. It is today one of the most dangerous forms of cyber crime for businesses that rely on technology. Luckily, with a robust cyber security strategy it can be avoided and its damage reduced to a minimum.

Our Guide covers all that a business owner or director must know about Ransomware. Click on the links below to skip straight to where you want to go. We hope you enjoy your reading.

Should you also prefer to download the entire guide as a PDF, simply click the button below.

Download this Guide Button

Attitudes to Ransomware

A successful ransomware attack can be devastating to a business. Organisations caught unprepared could be left with the choice between paying a ransom demand and writing off the encrypted data entirely.

In our day-to-day cyber security practice, we perform a lot of assessments with new and potential clients. Among this wide variety of professional companies, we find very differing understanding of the threat Ransomware poses to their businesses. 

There are the uninformed optimists who believe it will never happen to them. Clearly this is not a recommended stance.

There are also the informed optimists who believe they have every angle of protection covered. That may or may not be the case. Assumptions can be dangerous.

Finally, there are the affected pessimists, who have already suffered a ransomware attack and for whom it may be too late. We receive calls from complete strangers asking how to deal with a ransomware hit. We always ask the same two questions: do you have a backup, and do you carry cyber liability insurance? The silence at the end of the phone can be deafening.

Whichever camp that you belong to it is important to become informed and engage with preventative measures and plan for the worst outcomes so your business can continue to thrive after such an attack. 

The purpose of this guide is to provide that information and to provide some of the measures required to both prepare and recover if your business is impacted by a ransomware attack.

What is Ransomware and How does it work?  

Ransomware is a multibillion-euro criminal enterprise run by cyber criminals to disrupt access to your systems, your business and your personal information. It is a form of malware that encrypts a victim's files; many modern variants also spread to every other system they can reach. The attackers then demand a ransom, normally in Bitcoin, in exchange for the decryption key that restores access to your data and critical business systems.

Worryingly, this activity is growing at an exponential rate. Research suggests that in 2020 a new organisation was hit by a ransomware attack every 14 seconds, and that ransomware incidents increased by 50% in Q3 2020 alone. Adding insult to injury, cyber criminals have leveraged the Covid crisis to target vulnerable remote workers and, through them, vulnerable organisations.

Once systems are compromised, a ransom in cryptocurrency, or sometimes in prepaid gift cards, is demanded. However, payment does not guarantee that you regain access, and victims who pay are frequently targeted again. A single infection can spread ransomware throughout an entire organisation, crippling operations, and recovery is costly because the infected core systems usually have to be completely rebuilt.

Ransoms range from hundreds of euro to the multimillion-dollar sum Garmin is reported to have paid after its systems were encrypted in July 2020. Consequently, billions have been extracted by cyber criminals in recent years; Cybersecurity Ventures predicts that global ransomware damage will exceed $20 billion in 2021. Ransomware is so effective because it takes many guises, and you must be aware of all of them to protect your data and your entire network effectively.

How Bad Can it Get – The NHS Example

NHS - National Health System (UK) was targeted by WannaCry Ransomware
Photo by Hush Naidoo on Unsplash

A famous example of ransomware is the WannaCry attack of May 2017. This self-spreading worm infected over 230,000 computers across 150 countries within a single day. It encrypted every file it found on a device and demanded $300 worth of Bitcoin to restore them.

WannaCry mainly affected large organisations, the UK National Health Service being one of the highest-profile victims. The attack's impact was lower than it could have been, because it was stopped within hours when a researcher registered the 'kill switch' domain the malware checked before encrypting, and because it did not hit extremely critical infrastructure such as railways or nuclear power plants. Even so, the Department of Health later estimated the cost to the NHS at around £92 million.

In August 2019, 22 local government entities in Texas were hit with ransomware in a single coordinated attack. The attackers demanded $2.5 million to restore the encrypted files, prompting a federal investigation. Ransomware is especially prevalent in the financial and healthcare sectors, with cyber criminals targeting 90% of these businesses last year by one estimate.

The threat posed by ransomware has never been greater. Microsoft revealed in its 2020 Digital Defense Report that the time it takes attackers to gain command and control of an organisation's network has dropped significantly: cyber criminals can now go from initial entry to ransoming the entire network in under 45 minutes.

How Does Ransomware Work? 

Ransomware begins with malicious software being downloaded by an unwary person through an infected email or link onto their computer or smart device. 

One common method of distributing malware is a phishing attack, where the attacker attaches an infected document or link to an email disguised as a legitimate message (for instance, a well-crafted but fake Amazon delivery or banking notification). By opening the infected link or attachment the user completes the first phase of the attack: the malware is now installed on their device.

How to identify a Phishing email? Find out in this article.

Another popular method of spreading ransomware is the trojan: ransomware posing as legitimate software online, which infects the device once it is installed. A trojan is not technically a virus, since it does not replicate on its own; it relies on the user to run it.
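As an added example (not part of the original guide), the following Python script checks a message for the three tell-tale signs of the lure just described: a display name that claims a brand while the sender's domain is a lookalike, a Reply-To that points somewhere else, and a link whose visible text differs from where it really goes (here, a raw IP address). The sample email, the brand allowlist and the `.example` domains are all constructed for the demonstration; only the standard library is used.

```python
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Known domains per brand (assumption: a small allowlist for the example).
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk", "amazon.de"},
    "paypal": {"paypal.com"},
}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed lure, not a real message: lookalike sender, mismatched Reply-To
# and an anchor whose visible text differs from its real destination.
SAMPLE_EML = """\
From: "Amazon Delivery" <notify@amaz0n-delivery.example>
Reply-To: support@mail-relay.example
To: amy@example.ie
Subject: Action required: your parcel could not be delivered
Content-Type: text/html; charset=utf-8

<html><body>
<p>We could not deliver your parcel. Reschedule within 24 hours:</p>
<p><a href="http://198.51.100.23/track/reschedule">https://www.amazon.co.uk/your-orders</a></p>
<p><a href="https://www.amazon.co.uk/help">Help centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def host_of(text: str) -> str:
    """Hostname from a URL or bare domain; '' if the text is not URL-like."""
    if " " in text or "." not in text:
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def analyse(raw: str) -> list[str]:
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    # 1. Brand in the display name, but the address is not on a brand domain.
    display, addr = parseaddr(str(msg["From"]))
    from_domain = domain_of(addr)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and not any(
                from_domain == d or from_domain.endswith("." + d) for d in domains):
            findings.append(f"display name {display!r} claims {brand} but sender domain is {from_domain}")

    # 2. Replies would go to a different domain than the one that "sent" the mail.
    if msg["Reply-To"]:
        reply_domain = domain_of(parseaddr(str(msg["Reply-To"]))[1])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Link text that looks like a URL but resolves to a different host, or a raw IP.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real, shown = host_of(href), host_of(text)
            if shown and real and shown != real:
                findings.append(f"link text shows {shown} but points to {real}")
            if IPV4.match(real):
                findings.append(f"link to raw IP address {real}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EML):
        print("!", finding)
```

The decisive check is the third one: a mail client renders the anchor text, so "https://www.amazon.co.uk/your-orders" looks safe while the href leads to a raw IP address. Hovering over the link reveals the same mismatch by hand; the script simply does it for every link. The second, legitimate link in the sample produces no finding, which is the behaviour to verify before putting any such rule into a mail gateway.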

Encrypting Files at Light Speed

Once ransomware infects an endpoint it runs with whatever access that user and device have. In seconds the malware takes over critical processes on the device and begins searching for files to encrypt, rendering all the data within them inaccessible.

It then encrypts anything else it can write to: other local drives, USB devices, mapped network shares and network-attached storage, taking out everything in its path, including any backups that are reachable from the infected machine. Worm-capable variants such as WannaCry go further and exploit vulnerabilities to install themselves on other computers on the network.

This entire process happens extremely quickly. In just a few minutes the device will display a message that looks like this: 

Wannacry Ransomware Attack instructions screen
Figure 1: WannaCry Ransomware Attack

This is the message that displayed to users who were infected with the WannaCry ransomware attack. As you can see, it’s a ‘cyber blackmail’ note. Users are informed that they have been locked out of their files, and they must pay to regain access.
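As an added example (not from the original guide, and not tied to any particular ransomware family), the following Python script turns the behaviour just described into detection logic and runs it over a constructed batch of file-audit events of the kind an EDR or Sysmon feed provides. A process that renames many files to a new extension within a short window, drops the same note file into several folders, and reaches into network shares or backup folders is flagged. The event format, thresholds, process names and paths are all assumptions for the example.

```python
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed file-audit events, not real telemetry.
# Format: timestamp|pid|image|op|path|newpath   (newpath only for renames)
SAMPLE_EVENTS = r"""
2021-03-10T09:14:00|5120|WINWORD.EXE|write|C:\Users\amy\Documents\notes.docx|
2021-03-10T09:14:03|5120|WINWORD.EXE|rename|C:\Users\amy\Documents\~WRL0001.tmp|C:\Users\amy\Documents\notes.docx
2021-03-10T09:15:00|7788|bkagent.exe|write|D:\Backup\daily\amy.vhdx|
2021-03-10T09:20:01|9012|x.exe|rename|C:\Users\amy\Documents\q1.xlsx|C:\Users\amy\Documents\q1.xlsx.locked
2021-03-10T09:20:01|9012|x.exe|rename|C:\Users\amy\Documents\plan.docx|C:\Users\amy\Documents\plan.docx.locked
2021-03-10T09:20:02|9012|x.exe|create|C:\Users\amy\Documents\HOW_TO_RECOVER.txt|
2021-03-10T09:20:02|9012|x.exe|rename|C:\Users\amy\Pictures\team.jpg|C:\Users\amy\Pictures\team.jpg.locked
2021-03-10T09:20:03|9012|x.exe|create|C:\Users\amy\Pictures\HOW_TO_RECOVER.txt|
2021-03-10T09:20:04|9012|x.exe|rename|\\nas01\finance\budget.xlsx|\\nas01\finance\budget.xlsx.locked
2021-03-10T09:20:04|9012|x.exe|rename|\\nas01\finance\payroll.csv|\\nas01\finance\payroll.csv.locked
2021-03-10T09:20:05|9012|x.exe|create|\\nas01\finance\HOW_TO_RECOVER.txt|
2021-03-10T09:20:06|9012|x.exe|rename|D:\Backup\daily\amy.vhdx|D:\Backup\daily\amy.vhdx.locked
"""

WINDOW = timedelta(seconds=60)   # burst window (assumption; tune to your fleet)
RENAME_THRESHOLD = 5             # extension-changing renames per window
NOTE_DIRS_THRESHOLD = 3          # same filename created in this many folders


@dataclass
class Event:
    ts: datetime
    pid: int
    image: str
    op: str
    path: str
    newpath: str


def parse(lines: str) -> list[Event]:
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, pid, image, op, path, newpath = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(pid), image, op, path, newpath))
    return events


def ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def on_share_or_backup(path: str) -> bool:
    """UNC paths or anything under a Backup folder: where spread hurts most."""
    p = path.lower()
    return p.startswith("\\\\") or "\\backup\\" in p


def max_in_window(times: list[datetime]) -> int:
    """Largest number of sorted timestamps falling inside one WINDOW."""
    best = start = 0
    for i, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, i - start + 1)
    return best


def detect(lines: str) -> list[dict]:
    by_pid: dict[int, list[Event]] = defaultdict(list)
    for ev in parse(lines):
        by_pid[ev.pid].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        # 1. Mass renames that change the extension: files being replaced by ciphertext.
        burst = max_in_window([e.ts for e in evs
                               if e.op == "rename" and ext(e.newpath) != ext(e.path)])
        # 2. One filename dropped into many folders: a ransom note.
        note_dirs: dict[str, set[str]] = defaultdict(set)
        for e in evs:
            if e.op == "create":
                note_dirs[ntpath.basename(e.path)].add(ntpath.dirname(e.path))
        notes = sorted(n for n, d in note_dirs.items() if len(d) >= NOTE_DIRS_THRESHOLD)
        if burst < RENAME_THRESHOLD and not notes:
            continue
        # 3. Only for a process already flagged: did it reach shares or backups?
        reach = sorted({e.path for e in evs
                        if on_share_or_backup(e.path) or on_share_or_backup(e.newpath)})
        alerts.append({"pid": pid, "image": evs[0].image, "rename_burst": burst,
                       "ransom_notes": notes, "share_or_backup_paths": reach})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the process with pid 9012 is reported: six extension-changing renames in a few seconds, the same note in three folders, and four paths on the NAS share and the backup drive. The share-and-backup check deliberately runs only for a process that has already tripped one of the first two rules, so the legitimate backup agent writing to D:\Backup, and Word renaming its temporary file, stay quiet. In production this is the point at which to isolate the host and disconnect the share, since the spread to backups is what decides whether you will later be able to avoid paying.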

Should you pay the Ransom?

Backups are the last port of call during a ransomware attack, and attackers know it, so backups that are reachable from the network are deliberately encrypted or deleted first. If your backups are gone, you may have no choice but to pay the ransom. It is estimated that the GPS and wearables manufacturer Garmin paid a multimillion-dollar ransom to get its systems back online in 2020.

Payment is demanded in Bitcoin, a cryptocurrency that is pseudonymous rather than untraceable: every transaction is recorded on a public ledger, but tying an address to a person is hard, which is what attracts criminals. The demand is usually accompanied by a countdown threatening to permanently delete the encrypted files, or to raise the price, when time runs out. For smaller businesses a disaster recovery from clean backups is often viable; for larger companies with thousands of core systems, the cost and duration of recovery may simply exceed the ransom.

The Origins of Ransomware

As mentioned, ransomware was among the most prevalent forms of cyber crime in 2020. It is not new, however: the first known example, the AIDS Trojan of 1989, was distributed on floppy disks, and the first sightings of modern file-encrypting ransomware date back to around 2005. The conditions for it to be devastatingly effective were only met with the rise of Bitcoin.

In the 2000s, ransomware was not very sophisticated. The early methods used by attackers to encrypt or block data were easy to remediate. Services that allowed untraceable payments were lacking also. As a result, few victims ended up willing to pay the ransom due to these blockers.


The more successful enterprise for cyber criminals at the time was supplying phony anti-virus and computer-cleaning software (scareware). By operating under a thin veil of legitimacy, they were able to avoid detection. As the internet became a larger part of society around 2008, legislation caught up with this method of attack, which significantly increased its risk and cost of operation.

The risk gap between scareware and ransomware was closing, while ransomware remained the less costly venture. In the early 2010s, ransomware scams became more prevalent and used different avenues of payment, such as prepaid cash cards or gift vouchers. Then something happened that would significantly change the trajectory of ransomware as a cyber crime: the rise of cryptocurrency.

Cryptocurrency – The Enabler of Ransomware

Bitcoin, the most known Cryptocurrency, acts as an enabler to cyber crime
Photo by André François McKenzie on Unsplash

In 2012 the Bitcoin Foundation was formed and the exchange Bitcoin-Central was reported as the first to operate within a European banking framework. Cyber criminals had been waiting for exactly this kind of currency since 2005: a simple, pseudonymous method of extracting ransoms from their victims that does not pass through a bank able to freeze the payment. The risk gap between scareware and ransomware began growing again, but this time ransomware was the less risky and less costly option.

Then came CryptoLocker in 2013, a new form of ransomware combining Bitcoin payments with properly implemented public-key encryption. Victims could not decrypt their files without the private key held by the attackers unless they paid roughly €300 worth of Bitcoin. The Gameover Zeus banking trojan became a delivery method for CryptoLocker; both were disrupted in 2014 by Operation Tovar, an international operation led by the FBI. Within months researchers discovered numerous CryptoLocker clones across the globe from criminals looking to ride the new wave of modern ransomware.

Eventually cyber criminals realised that, profitable as attacking individuals was, they could aim bigger: businesses hold more sensitive and valuable data and will pay accordingly. This was the advent of 'big game hunting', where cyber criminals specifically target larger organisations through their users. This is the state of ransomware today, the biggest cyber security risk, and one that is still growing.

Why is Ransomware so effective?

Ransomware causes massive damage to business, impacting companies financially and their productivity.

Most apparent is the loss of files and data, which represents years’ worth of work and intellectual property, or customer data that is critical to the smooth running of their organisation. Loss of productivity comes as machines will be unusable. According to Kaspersky it takes even smaller organisations a minimum of a week to recover their data in most cases.

Once a victim of a successful ransomware attack, downtime is only the beginning of the problem. The loss of data and productivity can have tremendous impact on a business financially. After that, professionals need to be hired to remediate the damage caused and put protections in place to stop such an attack from happening again. Many businesses do not survive.

Ransomware Exploits your Greatest Weakness – People

People utilising computers are the weakest point in your organisation
Photo by Hannah Wei on Unsplash

Attackers most successful vector of attack is using email phishing attacks, which can bypass traditional security technologies. Email is a weak point in many businesses’ security infrastructure. Hackers exploit this by using phishing emails to trick users into opening malicious files and attachments.

Another approach is to use trojan horse viruses, where hackers again target human error by tricking users into inadvertently downloading malicious files. These files can remain dormant in your systems for a long time before they become active. Once active, they install Command and Control (C2) tools, giving the hacker free rein to run ransomware throughout your organisation.

The major issue here is a lack of awareness and staff education about security threats. Many people are unaware of what threats look like and what they should avoid downloading, leaving you open to risk.

This lack of security awareness helps ransomware to spread with great efficiency.

Reasons Why Ransomware is so Successful

Ransomware attacks grew by as much as 715% in 2020, with attackers making off with increasingly high average payouts that have tripled from circa €80k to €239k (source: Sophos 2021 Threat Report). Many businesses do not have the strong defences needed to block and detect these attacks, because they can be expensive as well as complicated to deploy and use. It’s often hard for IT teams to convince company executives that they need strong security defences until it’s too late and systems have already been compromised.

Out of Date Hardware and Software

Organisational security policies often overlook hardware and software that is out of date. This is frequently down to the need to support legacy systems that drive the business.

Over time, attackers discover the security vulnerabilities that larger technology vendors publicly disclose. Technology companies often push out security updates, but many organisations have no way to verify that users are installing them. Many organisations also rely heavily on older computers that are no longer supported, meaning they remain open to known vulnerabilities.

This is one of the main reasons the WannaCry virus was so successful. It targeted many large organisations such as the NHS, which used decades-old machines running operating systems that no longer received regular updates.

The exploit WannaCry used to infect systems had been discovered two months before the attack took place and was patched by Microsoft. However, the attack spread rapidly because so many devices were still running old, unpatched software.

As discussed, the rate of growth in ransomware attacks on businesses large and small is out of control. The risk is high, which is why you must be proactive. Ransomware thrives in a climate where businesses are unaware of where their risks lie. In the next section we cover ransomware avoidance and the need for a layered approach to cyber security that allows your business to protect against, detect, and recover from a ransomware attack.

Addressing the Ransomware Risk

Life Buoy - illustrative metaphor for how to save a company from ransomware
Photo by Matthew Waring on Unsplash

Reducing the risk and damage of a ransomware attack requires a mix of frameworks, policies, training, and technology. The best companies perform a detailed gap analysis using a cyber security framework such as the NIST CSF in conjunction with security controls such as the CIS 20 Controls. This approach leads to better outcomes, period. Below we list some of the key components in your ransomware protection arsenal.

Learn more about the NIST CSF in this practical guide.

Here are some tips for the best protections to put in place to stop ransomware attacks: 

Strong, Reputable Malware and Ransomware Protection

One of the most important ways to stop ransomware is to have a strong endpoint security solution, one that blocks malware from infecting your systems when installed on your endpoint devices (phones, computers, etc.). Industry leaders include Sophos, Trend Micro and Bitdefender. Just be sure that ransomware protection is included, as many traditional anti-virus products are not equipped to defend against modern ransomware attacks.

The best solutions will also provide real-time alerting if unusual behaviour is noted on your networks and help lock down that behaviour if it looks suspicious. Better still, many modern providers can also supply real-time alerting and remediation services.


These solutions help protect against malicious downloads, and alert users when they are visiting risky websites. However, they are not guaranteed to be 100% effective as cybercriminals are always trying to create new pieces of malware that can get around the security tools. Still, endpoint security is a crucial step in strong protection against malware. 

Email Security, Inside and Outside the Gateway

As ransomware is commonly delivered through email, email security is key to preventing it. Secure Email Gateway technologies, such as Mimecast and Barracuda, filter email communications with URL defences and attachment sandboxing to identify threats and block them from being delivered to users. This stops ransomware from arriving on endpoint devices and prevents users from inadvertently installing malicious programs onto their machines.

Ransomware is also commonly delivered through phishing. Secure email gateways can block phishing attacks using Advanced Threat Protection (ATP) capabilities. There are also Post-Delivery Protection technologies, which use machine learning and AI algorithms to detect phishing attacks and then display warning banners within emails to alert users that the content may be suspicious. This helps users avoid phishing emails that carry a ransomware attack.

Web Filtering & Isolation Technologies 

DNS web filtering solutions stop users from visiting dangerous websites and downloading malicious files, blocking ransomware that is spread through viruses downloaded from the internet, including trojan horse software. DNS filters also block malicious third-party adverts. Additionally, web filters should be configured to block threats aggressively, stopping users from visiting dangerous or unknown domains.

Isolation technologies are a valuable tool to stop ransomware downloads. They remove threats entirely from users by isolating browsing activity on secure servers and displaying a safe render to the user, so any malicious software executes in the secure container rather than on the endpoint. Moreover, isolation does not affect the user experience, delivering high security efficacy and seamless browsing.

Security Awareness Training 

The people within your organisation are often your biggest security risk. There has been huge growth in Security Awareness Training platforms such as KnowBe4, which train users about the risks they face online, at work, and at home. Awareness training teaches users what a suspicious email looks like and the best security practices to follow to stop ransomware, such as ensuring their endpoints are updated with the latest security software.

Security Awareness Training solutions typically also provide phishing simulation technologies, meaning admins create customised simulated phishing emails and send them out to employees to test how effectively they detect attacks. Phishing simulation is an ideal way to view your security efficacy across the organisation. It is also a useful tool to identify users who need more security training to stop the spread of ransomware.

Multifactor Authentication

It may not seem obvious, but identity theft lies at the core of a lot of backdoor ransomware attacks. Hackers use administrative and other accounts to gain a foothold in your core systems. Adding MFA makes it far harder for an attacker to elevate privileges and obtain the keys to run ransomware without barriers. MFA comes free with most Microsoft 365 packages, and more in-depth solutions also exist from companies like DUO that extend more granular protection to all devices in the organisation.

Software Patching

Keep your operating system and third-party applications patched and up to date to ensure there are fewer vulnerabilities for an attacker to exploit.

Data Backup and Recovery

Addressing Ransomware by having backups of your hard drive
Photo by benjamin lehman on Unsplash

Once a ransomware attack succeeds and your data is compromised, the best protection for your organisation is to restore your data quickly and minimise the downtime. The most effective way to protect data is to ensure that it is backed up in multiple places: in your main storage area, on local disks, and in a cloud continuity service. In the event of a ransomware attack, having backups means you will be able to mitigate the loss of any encrypted files and regain functionality of systems.

The best cloud data backup and recovery platforms will:

  • Allow businesses to recover data in the case of a disaster.
  • Be available at any time.
  • Integrate easily with existing cloud applications and endpoint devices.
  • Run on a secure and stable global cloud infrastructure.

Cloud data backup and recovery is a crucial tool in remediating a ransomware attack.

Learn more about Business Continuity and Disaster Recovery.

Cyber Liability Insurance and Extortion Coverage

If the worst comes to pass, it can be very costly to rebuild your business or to pay off the cyber criminals. If it comes to this, cyber liability insurance can assist.

Cyber extortion is a coverage option under many cyber liability policies. It protects your business against losses caused by ransomware and other types of cyber extortion.

What’s Covered

Many cyber liability policies cover three types of costs:

  1. Ransom Money. This is money you pay to a cybercriminal in response to a threat. Some policies also cover property (other than money) you relinquish to an extortionist.
  2. Extortion-Related Expenses. These are expenses you incur because of the extortion threat. Examples are travel expenses you incur to make a ransom payment and the cost of hiring a security expert to advise you on how to respond to a threat.
  3. Repair Costs. Payment of a ransom does not guarantee your computers and data will be undamaged after their release, or that they will be released at all. Most cyber liability forms cover losses you sustain as a result of damage, disruption, theft, or misuse of your data. Policies cover the cost to restore, replace or reconstruct programs, software, or data.

Most cyber policies require you to secure permission from your insurer before you pay a ransom. If you make a ransom payment and then tell your insurer about it later, the payment may not be covered. The same rule applies to extortion-related expenses. If you want to hire a consultant to help you negotiate with the extortionist, you’ll need to notify your insurer in advance. Otherwise, the consultant’s fee may not be covered.

Most cyber liability policies provide reimbursement for a ransom payment and related expenses. They do not pay these costs upfront.


Cyber Risk Management

Some cyber liability insurers provide risk management services through a web portal such as eRiskHub. Policyholders can use these websites to learn about cyber exposures and how they can protect themselves from losses.

Covered Threats

Cyber extortion insurance covers ransom payments you make and extortion-related expenses you incur in response to a threat. The definition of ‘threat’ is important because it determines what types of acts are covered. The definition varies, but often includes threats to do some or all of the following:

  • Alter, damage or destroy your software, programs, or data
  • Infect your computer system with a virus or other malicious code
  • Release your data or sell it to someone else
  • Make your website or computer system inaccessible by initiating a cyber-attack, such as a denial-of-service attack
  • Transfer funds using your computer system

Ransomware is experiencing a boom as the perfect conditions for its rise to prominence have been met in recent years, and dedicated cyber-criminals are actively working on methods to ensure it is more effective. This game of cat-and-mouse will continue to evolve as the gains are large and the payouts continue.

Preventing Ransomware – Get in Touch

IT Support Dublin

If you feel uncertain or do not have the skills to determine your current cyber security risk, contact us to discuss our Cyber Security GAP analysis service. This will help expose any current issues and build a risk-based roadmap to address any gaps in your approach. We are always here and happy to help any company looking to improve their cyber security maturity profile.

If you are looking for a new IT partner to provide faster response times, enhanced security and better business outcomes – get in touch today.

New Year, New Risks for IT & Data Security

New Year, New Risks for IT and Security

Reading Time: 3 Minutes
The COVID-19 pandemic has changed everything about the world as we know it. Just as we started embracing new practices like sanitizing, social distancing and remote working, the pandemic has also forced us to embrace systemic changes in the ways we deal with cyberthreats.

The FBI has reported an increase in cyberattacks to 4,000 per day in 2020, which is 400 per cent higher than the attacks reported before the onset of the coronavirus.

Since remote working is here to stay, the trend in increasing cyberattacks is expected to continue well into the future. Moreover, business technologies are also transforming, attracting more cybercriminals to target business data. In these circumstances, the best solution is to build your cyber resiliency and protect yourself from unforeseen attacks.

Remote Working and Cybersecurity

Cybersecurity has always been a challenge for businesses with sensitive data. A single unexpected breach could wipe out everything and put your existence in question. With the sudden transition to remote working, this challenge has increased manifold for security teams. From the potential safety of the remote working networks to trivial human errors, there are endless ways in which your IT network could be affected when employees are working remotely.

A study by IBM Security has estimated that about 76 per cent of companies think responding to a potential data breach during remote working is a much more difficult ordeal. Also, detecting breaches early is another big issue for IT security teams. The same study by IBM has estimated that it takes companies roughly about 197 days to detect a breach and 69 days to contain it. Is your cybersecurity posture good enough to withstand a potential attack?

Threats You Need to Be Aware of

Cyberthreats come in different shapes and forms. From simple spyware monitoring your network transactions to a full-fledged ransomware attack that holds all your critical data for ransom, there are multiple ways in which your IT network could be affected. Only once you understand the potential risks surrounding your IT infrastructure can you build a resilient cybersecurity strategy that enhances your IT environment and keeps vulnerabilities at bay.

Let’s look at some of the common cyberthreats that businesses faced in 2020:

Phishing scams: Phishing emails still pose a major threat to the digital landscape of many business organizations across the globe. COVID-19 communications have provided the perfect cover for these emails to lure unsuspecting users. By creating a sense of urgency, these emails might persuade your employees to click on malware links that could steal sensitive data or install malicious viruses inside a computer.

To learn how to avoid Phishing attacks and identify suspicious emails, click here.

Ransomware: Targeted ransomware attacks are increasing every day. It is estimated that a ransomware attack will happen every 11 seconds in 2021. Ransomware attacks hold an organization’s critical data for a ransom, and millions of dollars are paid to hackers every year as corporates do not want to risk losing their sensitive data. However, there is no guarantee that your files will be secure even after you pay the ransom.

Learn More in our Complete Guide on Ransomware.

Cloud Jacking: With the cloud becoming a more sophisticated way of storing data, cloud jacking incidents have become a severe threat. These attacks are mainly executed in two forms: injecting malicious code into third-party cloud libraries, or injecting code directly into the cloud platforms. As the 2020 Forcepoint Cybersecurity Predictions note, a public cloud vendor is responsible for providing the infrastructure while most of the responsibility concerning data security rests with the users. So bear in mind, you are mostly responsible for your data security even when it is in the cloud.

Man-in-the-middle attack: Hackers can insert themselves in a two-party transaction when it happens on a public network. Once they get access, they can filter and steal your data. If your remote working employees use public networks to carry out their official tasks, they are vulnerable to these attacks.

Distributed Denial-of-Service attack: This attack happens when hackers manipulate your web traffic, flooding the system with requests and traffic that exhaust its bandwidth and resources. As a result, users will not be able to perform their legitimate tasks. Once the network is clogged, the attacker will direct various botnets at the network and manipulate it.

Protecting Your Business from Cyberthreats

Security readiness is something all organizations must focus on irrespective of their size. It is mandatory to have an action plan that outlines what needs to be done when something goes wrong. Most importantly, it is critical to have a trusted MSP partner who can continuously monitor your IT infrastructure and give you a heads-up on unusual activities.

Investing in cybersecurity solutions is way cheaper than losing your critical data or paying a large ransom. You need to deploy advanced solutions that can keep up with the sophisticated threats of this modern age. Then, there is a list of best practices such as multi-factor authentication, DNS filtering, disk encryption, firewall protection and more.

If all these aspects of cybersecurity sound daunting to you, fret not. Reach out to us today to fully understand the vulnerabilities in your network and how you can safeguard your data with the right tools and techniques.

The Dangers of Rapid Digital Transformation during Covid-19

The Perils of Rapid Digital Transformation

Digital transformation is the process of using digital technologies to create new business processes to meet changing business and market requirements. It is by its nature planned and intentional change. The Covid 19 lockdown has accelerated digital transformation and flipped it on its head. It has been forced upon many companies who have scrambled to get their workforce up and running from home and other remote locations.

Since lockdown our ISO Lead Auditor, Aaron Nolan, has evaluated the security impact of remote working on over 40 companies. He prepared over 120 best practice questions and examined the results under four main headings. What he discovered can be broadly summarised as follows:

Remote working – perhaps not as secure as you thought!

We found that the correct mechanisms are in place for secure remote working. However, we found several security gaps and data leakage concerns in over 50% of companies reviewed. These came about due to the pace of change and a need to get working as quickly as possible. In particular, we noted the use of Shadow IT and unauthorised remote access solutions in several companies. In the majority of cases this requires some small changes to both technology and security policies to close off these security gaps.

Microsoft 365 Security

Let’s be clear here. The Microsoft 365 Platform is secure, but it requires work to make it so. Microsoft provides a wealth of tools through the Security and Compliance centre that can assist in tightening security. You just need to understand what options are available to you, define your policies and then deploy them. Our main findings were that there was:

  • A lack of Multifactor Authentication.
  • No use of auditing and security policy management capabilities in Microsoft 365.
  • Rapid adoption of Microsoft Teams with little or no attention to security and retention policies, along with potential issues with data leakage of PII or confidential data.
  • A general lack of a plan with defined goals and edges i.e. reactionary rather than planned approach to cloud migration.

The mechanisms to secure Microsoft 365 exist within the platform itself, but they need to be turned on and managed properly by professionals.

Business Continuity Planning

We found very good backup procedures and well-tested disaster recovery procedures in place. The missing component, though, was a written Business Continuity Plan (BCP). For the sake of clarity, a BCP is an organisation-wide document outlining an action plan and response to a serious business shock such as Covid 19. We found several companies with either no BCP or one that was years out of date. We even found some alluding to staff that no longer even worked in the company. Thankfully the Covid 19 lockdown has sparked interest in addressing this. VCIO magazine have a helpful article on how to establish and build a BCP.

Efficiency

For the majority of businesses that continued to operate through the Covid 19 lockdown, there has been a realisation that remote working actually works. Many staff have traded the daily commute for a more balanced work/life balance. The result has been a noted increase in employee well being and productivity. This has come as a welcome surprise to many who now view remote working as part of the future of their digital transformation strategies.

There is also a massive shift towards cloud-based platforms such as Microsoft 365, largely driven by an effort to consolidate multiple IT functions under one hood. It is no longer just a case of having email in the cloud. It is about the efficiency of having all of your business data, communications and collaboration tools in one place. The light has been shone on the possibilities of remote working, and it appears that companies are really seeing the benefits of how technology can transform the working lives of their staff.

If you are interested in seeing how technology can help transform the lives of your staff and make your organisation more agile we would love to hear from you.

Feel free to reach out to us either by phone on 353 16644190 or get in touch here. We can arrange a discovery call and perhaps even a short demonstration.

Thinking of a New IT Support Provider

  1. If you’re looking for an IT support provider get in touch here, or give us a call on 01 6644190 to talk with one of our experts.
  2. Looking to plan your Microsoft Teams deployment.  Feel free to read our post here on the subject.
  3. Review our Remote Working solutions to ensure optimal protection for your businesses during the Covid-19 lockdown.

A guide to the perfect Microsoft Teams deployment

Reading time: 5 Minutes
Written by Mark Hurley

Steps for Preparing Your Organization for A Successful Microsoft Teams Deployment

In our day-to-day practice we serve a customer base with user numbers ranging from 15 to 150 users, across industry types, some with a single office location, others with multiple locations. With the surge in remote working due to the Covid-19 lockdown we have seen a huge increase in demand from clients seeking a better way to communicate and collaborate. Microsoft Teams – Microsoft’s app combining a suite of collaboration and communication tools – satisfies that requirement for a large percentage of our clients.

Since its launch on May 3rd 2017, Microsoft Teams has exploded onto the scene with a current user base, at the time of writing, of over 44M users worldwide, making it Microsoft’s fastest growing app ever.

Better still, Microsoft Teams provides a single, simple-to-use app that works on almost any device from any location. So what’s not to love?

Despite its simplicity, Microsoft Teams is a complex solution under the hood and as such requires a proper plan to deploy and manage on an ongoing basis. Let’s take a look at Microsoft Teams from a deployment perspective – preparing your organization for the rollout, and some pitfalls to avoid, to ensure it goes as smoothly as possible.

Deploying Microsoft Teams – The Process


The stages outlined above follow a pretty standard approach to a new software or application deployment. There are typically three challenges to a successful Microsoft Teams Deployment that need to be addressed through the rollout life cycle. These can be summarised under three main headings:

  • Technical issues – is your technical environment fit for purpose, does your organisation have the correct licencing, bandwidth capabilities, etc.?
  • User adoption resistance – establishing early communication, training and pilot programmes will assist with adoption.
  • Governance and security considerations – establish policies and make sure your data is secure; who is keeping an eye on wider governance, and what policies and procedures need to be in place to keep Microsoft Teams secure?

Address Technical Issues

The last thing that you need once you have committed to a new technology such as Microsoft Teams is to have that effort torpedoed by a lack of technical preparation. Users will turn their back on a technology if it is glitchy. Any excuse! You need to consider the technical environment and prepare accordingly. Listed below are some of the key technical considerations for deploying Teams.

1. Check your Bandwidth and technical capacity

The traffic generated by Microsoft Teams will impact the network. Conduct an assessment to ensure that your infrastructure can support Teams and provide a high-quality user experience. Microsoft offers a number of tools to help admins prepare for Teams. Consider also that remote workers may not have the best internet connections and secure home technology setups. These will all need due consideration and planning.

2. Check your licencing

Before deploying Microsoft Teams, you will need to make sure that it’s included in your Microsoft license. It’s also important to evaluate the requirements of dependent services such as Exchange and SharePoint.


Overcoming User Adoption Resistance

Change can be difficult for an organization; when people become used to working with a particular app or tool, they may resist adopting new products. Ultimately, this boils down to their unfamiliarity with the tool, along with a worry that they will lose efficiency. That’s why a change management strategy is essential: you can explain the benefits, offer pre-deployment training, and let users prepare for the eventual switch over.

1. Create and Communicate Your Change Management Strategy

  • Create advance enthusiasm for Microsoft Teams
  • Select and train a small user core who can act as influencers
  • Outline current business challenges and show how Microsoft Teams can help overcome them
  • Ensure new users have access to ample training and support
  • Allow users to leave feedback directly and act on it accordingly

2. Ask a lot of questions.

A recent Spiceworks survey found that organizations are using an average of 4.4 different collaboration solutions across three different providers in an attempt to meet the high demand for collaboration. In some cases, IT isn’t even aware of all the tools in use. Start by asking end-users what they use for collaboration, what works and what doesn’t, and where there are gaps.

3. Bring stakeholders together.

Assemble a team of individuals from various departments, including both end-users and managers. Be sure that groups who regularly use collaboration tools are represented. Define use cases for Microsoft Teams and determine the best way to facilitate adoption and migration from existing tools.

4. Train Staff on the Functionality

There is a wealth of detailed video and documentary training material available from Microsoft. Have your staff review it and round-table suggestions and ideas as they go through this training.

Determine the functionality you will use first and who will pilot and test that functionality. Teams provides functionality such as:

  • Chat and IM,
  • Calendar and Meetings,
  • Conferencing,
  • Integrated Telephony (requiring an additional licence),
  • Collaboration and
  • File management capabilities.

We found that adoption in Spector accelerated through the migration of our file server into SharePoint and the integration of our phone solution with our partner IPTelecom. This meant that we were able to consolidate all of our files/folders and communications in one simple-to-use app. We have not looked back since!

5. Logically Organize Your Microsoft Teams & Channels

Before implementation, your organization should give thought to how you will configure Teams for maximum effectiveness. Decide how you will set up your various teams and channels. In Microsoft Teams, teams are groups of people brought together for work, projects, or common interests. A channel is a subset of that.

For example you could have a Team called “Internal R&D Projects” and then have multiple channels such as CRM Changeover, Production Efficiency etc. as Channels.

Here are some best practices for organizing your teams:

  • Be clear about your goals in advance.
  • Determine which people or groups will be added to each team.
  • Determine roles and permissions in advance. For example, will you allow users to create their own Teams and Channels?
  • Start with a smaller number of team members and scale upwards.
  • Designate a small number of owners for each team.

Governance and Security

1. Form a Governance Committee

Ok, I can see eyes beginning to roll here. You are only a 20 person organisation and you do not have an in-house Governance function. We mention it here for a reason. Teams is not an isolated product. It is part of the wider Microsoft 365 suite of applications. So what you do in Microsoft Teams may have an impact on what happens in Email, file management and other apps. You need to make sure that the deployment decisions that you are making in Microsoft Teams comply with other policies elsewhere. Our advice is always to lock down technology as much as possible.

2. Secure your Identity

As Teams is part of Microsoft 365, you will use the same authentication process to gain access to Teams as to Microsoft 365. It is not only highly recommended but imperative that you employ at least Multifactor Authentication (MFA) and/or certificate-based authentication to verify your user identities. Simple email addresses and passwords do not cut it. Microsoft offers a native MFA solution, and another favourite in our practice is DUO.

3. Device Compliance

With more and more people working from home, you need to make sure that any devices connecting to your Teams comply with your company security policies and have, at minimum, an up-to-date and centrally managed malware protection solution in place.

4. Setup Your Office 365 Security and Compliance Tools

Teams uses a variety of security and compliance tools and protocols, and offers a number of ways to configure them depending on your organizational needs. Before roll out, take the time to ensure you are familiar with the following tools:

  • Auditing and Reporting – interfaces with the Office 365 Security and Compliance Center to configure the level of audit reporting logs and security alerts
  • Data Retention Policies – Configure and set up data retention policies for channel messages and communication
  • Legal Hold – place a hold on team or group mailbox activity during eDiscovery
  • eDiscovery – a crucial tool to conduct forensic audits and legal reporting, with an option to choose from In-place eDiscovery and Advanced eDiscovery

Manage Permissions and Limit Microsoft Teams Sprawl

Teams and SharePoint site sprawl and redundant sites are among the biggest governance concerns for those in charge of managing IT and IT governance. A lot of IT departments still feel extremely uncomfortable with the thought of users creating Teams on a whim and ending up with hundreds or thousands of unused SharePoint Online sites, Planners and OneNote notebooks in their tenant. As Managed IT Service providers, we share that feeling.

To address site sprawl caused by outdated, inactive Teams, we strongly recommend the use of Microsoft 365 activity-based Groups expiration. This allows admins to set a lifetime (in days) after which every Microsoft 365 group comes up for renewal unless it has seen activity in the meantime. This will certainly help alleviate IT concerns over site sprawl and will reduce outdated content cluttering search.

Our advice is to initially lock down Microsoft Teams like any other technology. Limit the ability of users to create new Teams, SharePoint sites and so on, and train a small number of administrative users who can assign and enable functionality for your team in line with your wider security policies.
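The two tenant settings recommended above (restricting Microsoft 365 Group and Team creation to a named group of administrators, and enabling activity-based group expiration) can both be applied from PowerShell. The script below is an added example, not code from the original article or from Microsoft; it uses the AzureAD (or AzureADPreview) module cmdlets for directory settings and group lifecycle policies, and the group name “Teams Creators”, the 180-day lifetime and the notification address are placeholders you would replace with your own values.

```powershell
# Added example (not from the original article): lock down Microsoft 365 Group / Team creation
# and enable activity-based group expiration. Run from an elevated session with a
# Global Administrator account after installing the AzureAD (or AzureADPreview) module.
# "Teams Creators", 180 days and it-admin@example.com are placeholders.

Connect-AzureAD

# --- 1. Limit who can create Teams (and the SharePoint sites, Planners and notebooks behind them) ---
$creatorGroupName = "Teams Creators"   # placeholder: the only security group allowed to create Teams
$creatorGroup = Get-AzureADGroup -SearchString $creatorGroupName | Select-Object -First 1
if (-not $creatorGroup) { throw "Security group '$creatorGroupName' not found; create it first." }

# The Group.Unified directory setting controls tenant-wide Microsoft 365 Group behaviour.
$settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $settings) {
    # No settings object exists yet: instantiate one from the template and save it.
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
}
$settings["EnableGroupCreation"] = "False"                    # everyone outside the allowed group is blocked
$settings["GroupCreationAllowedGroupId"] = $creatorGroup.ObjectId
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# --- 2. Expire inactive groups so stale Teams come up for renewal ---
# Groups that see activity are renewed automatically; ownerless groups notify the alternate address.
$notify = "it-admin@example.com"   # placeholder
$existing = Get-AzureADMSGroupLifecyclePolicy
if ($existing) {
    Set-AzureADMSGroupLifecyclePolicy -Id $existing.Id -GroupLifetimeInDays 180 `
        -ManagedGroupTypes "All" -AlternateNotificationEmails $notify
} else {
    New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 180 `
        -ManagedGroupTypes "All" -AlternateNotificationEmails $notify
}

# --- 3. Verify both settings so the governance decision is auditable ---
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values |
    Where-Object { $_.Name -in "EnableGroupCreation", "GroupCreationAllowedGroupId" }
Get-AzureADMSGroupLifecyclePolicy |
    Format-List GroupLifetimeInDays, ManagedGroupTypes, AlternateNotificationEmails
```

Because the creation restriction applies to all Microsoft 365 Groups, not just Teams, it also stops ad-hoc creation from Outlook, Planner and SharePoint, which is what keeps the tenant free of the orphaned sites and notebooks described above.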

In Summary

Launching a new deployment of Microsoft Teams doesn’t have to be a daunting task. One of the key strengths (and also weaknesses) of the platform is its unprecedented amount of configurability and control. Starting with a clear functional plan and a strong focus on governance will give you a head start in enjoying the many benefits that Teams has to offer.

Thinking of a New IT Support Provider

1. If you’re looking for an IT support provider get in touch here, or give us a call on 01 6644190 to talk with one of our experts.

2. Not sure about Microsoft Teams. See our short presentation and blog piece on the subject.

3. Review our Remote Working solutions to ensure optimal protection for your businesses during the Covid-19 lockdown.

 

Thank you for Reading! Follow us on Social Media for more exclusive content.
 

8 Simple Steps to Secure Remote Working During Lockdown

What is covered

We have reviewed this article one year after the first lockdown and created an updated version, available in this link.

The Covid-19 pandemic has created a massive rush to get staff operational from home or remote locations. In that rush, some security considerations may have fallen by the wayside. As we hunker down for the longer term, securing your remote workforce is a must, as working from home will become the new normal for many. We have outlined 8 key security steps for secure remote working that apply to all companies, regardless of size.

1. Establish what is covered with your IT Support Provider

Your IT provider may or may not cover the use of non-commercial home devices or PCs to access your company’s IT resources remotely. You need to know what is covered and whether they are covering home working. It is considerably better to allow them to manage your home workers with their centralised management tools than to go it alone. Ask the question. You may find that during Covid-19 they will extend that management for a limited period for a small fee.

2. Provide Malware Protection for Your Remote users

While you may have centralised malware protection and monitoring of all the workstations at your physical office, you likely do not have the same level of control over home computers. If possible, we recommend that you ask your IT provider to extend their malware protection and remote management solutions to your home office users. If that is not an option (and it should be), Webroot offer multi-device packages for a reasonable cost that will cover both PC and Mac environments. Macs should not be exempt from using endpoint protection software. One in ten Mac users have been attacked by the Shlayer Trojan.

Set a policy that all home employees must use an antivirus tool on the machines that access the firm’s resources. Moreover, have your IT support provider verify this before you install your secure remote access tools.

3. Make sure remote working does not introduce more risk

You may have had to suddenly set up remote access servers, Windows 10 virtual desktops or other remote access solutions. Whatever you choose, make it consistent, as that makes it simpler to manage and to roll back at a later stage. In particular, do not blindly open remote access ports without thinking of the risks and consequences. Remember that ransomware attackers look and scan for open RDP servers, targeting anything responding on port 3389. For RDP servers you need a VPN solution. Period.
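Two checks a defender can run on a Windows host that offers Remote Desktop, to confirm it is not exposed the way this step warns against and to spot the scanning and password guessing that follows exposure. This is an added example, not code from the original article: it uses the built-in NetSecurity, CIM and event-log cmdlets, and the 24-hour window and the threshold of 10 failures are assumptions you would tune to your environment.

```powershell
# Added example (not from the original article): defender-side RDP checks for a Windows host.
# Run in an elevated PowerShell session on the host itself. Thresholds are assumptions.

function Test-RdpExposure {
    # Is anything listening on the RDP port at all? An empty result means RDP is off.
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    # Network Level Authentication forces authentication before a session is created.
    $ts = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'"
    # Enabled inbound allow rules for TCP/3389: a RemoteAddress of 'Any' means the host
    # firewall does nothing to confine RDP to the VPN address range.
    $rules = Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3389' } |
             Get-NetFirewallRule |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($rule in $rules) {
        $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            RemoteAddress = ($scope -join ',')        # flag 'Any' for review
            Listening     = [bool]$listener
            NlaRequired   = [bool]$ts.UserAuthenticationRequired
        }
    }
}

function Get-RdpFailedLogonSources {
    param([int]$Hours = 24, [int]$Threshold = 10)   # assumed defaults
    # Security event 4625 = failed logon; LogonType 10 = RemoteInteractive, i.e. RDP.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $records = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['LogonType'] -eq '10') {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $d['TargetUserName']; Source = $d['IpAddress'] }
        }
    }
    # Group failures by source address; repeated failures from one address are the
    # signature of the scanning and guessing the article describes.
    $records | Group-Object Source | Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                      @{ n = 'Users';  e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

Test-RdpExposure
Get-RdpFailedLogonSources -Hours 24 -Threshold 10
```

A host whose only inbound 3389 rule is scoped to the VPN address range, with NLA required, matches the “VPN, period” advice above; a list of public source addresses with dozens of failures each is the evidence that the port is reachable from the internet and should be closed.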

4. Reinforce Cyber Security Education and Make Staff Aware of Covid-19 Scams

The Irish Times have reported a huge increase in COVID-19 scams in circulation. Urge your users not to click on unsolicited emails and to use only official websites. Ensure that the firm has a way of communicating incidents centrally so that you can trace all official communications and notifications.

5. Update security and Acceptable usage policies for staff

Make sure your acceptable computer use policies cover staff’s home computer assets. If this wording is not already there, you’ll need to quickly get up to speed on allowing employees’ personal assets to be used for remote access. Policies should also cover remote working protocols, and payment processes need to be reviewed to avoid becoming the victim of payment scams.

6. Review what software remote employees need

There are two considerations here. Your staff may need to access productivity applications that can only be run from inside your network. In this case a remote connection to a Remote Desktop server or their PC may be best.

For users that just use Office 365 and cloud-based apps, you may only need to provide the Office 365 applications. For this you will need to consider your licence requirements. An Office 365 licence allows you to install the Office suite on up to five PCs or Macs, five tablets and five smartphones. Those with volume licences can allow Office home-use purchases for their employees. You may need to review your options and licensing alternatives based on what platform and version of Office you are currently licensed for.

If you are in doubt, reach out to your IT support provider; they may be able to provide temporary licenses with screen connection software that they already use to remotely manage your network.

7. Implement MultiFactor Authentication (MFA)

When implementing secure remote working, consider adding MFA to your remote access solutions. Ask your IT support provider about adding an MFA solution such as DUO.com or Microsoft’s native Multifactor Authentication for access to your IT infrastructure, both in the office and in the cloud. While your company may need to move quickly to allow your staff to work remotely, you can still ensure that only authorised admins and users are allowed in, mitigating the threat of identity theft.

8. Secure connectivity with a virtual private network (VPN)

Secure Remote Access

Most Unified Threat Management firewalls (SonicWall, Fortinet, Sophos) ship with an inbuilt free SSL VPN client that can be deployed to provide secure end-to-end connectivity for your end users. Ensure that your firewall and VPN solutions are up to date, as this reduces the possibility of security vulnerabilities.

Prepare for the future of secure remote working

Plan for the future

While this is a stressful time with little certainty about what will happen next, it’s also a great time to prepare your company for the longer haul and for future emergencies. It is important to define how you work remotely, review improvements and then secure your remote workforce properly. As always, CIS provide great guidance with their CIS Telework and Small Office Network Security Guide. Review it to see if there are any other security issues you should be monitoring.

Thinking of a New IT Support Provider

1. If you’re looking for an IT support provider get in touch here, or give us a call on 01 6644190 to talk with one of our experts.

2. Discover more about how MS Teams helps remote workers with both communications and collaboration.

3. Review our Remote Working solutions to ensure optimal protection for your businesses.

 

Is Microsoft Teams the Answer to Your Remote Working Needs?

Can Microsoft Teams Help your Company Through These Troubled Times?

 

The answer is a resounding yes. Microsoft Teams is a fabulous product; however, you will need a plan to get it up and running properly. So if you are interested in providing your staff with a single, simple app that lets them do all of the following, then Teams is for you.

Verify their availability

No more guessing if your colleagues are available. Real time presence allows you to see if they are available, on a call, in a meeting or whatever.

Chat in real time.

Be able to get quick answers to questions through real time chat.

Make and receive all calls on any device.

Stay in contact with your colleagues, clients, friends and family through a simple to use call management solution that can be used on any device – laptop, mobile, desk phone, tablet – you name it.

Collaborate on files in real time.

Share and work on files at the same time – no version histories or emailing of files for review. All files in one place that can be edited by anyone with access. This is file management simplified.

Store all files centrally and access those files without complex VPNs.

Have access to your files from any location and any device. There is no requirement for complex VPNs and poor performance with trying to upload and download files to traditional file servers over slow connections.

Collaborate, share and communicate with each other with ease.

Join and manage teams that mirror how you work. Working on a project together – no problem. Need to collaborate with your finance team on new budgets – no problem. All communications, files and to-dos are located in one place in one simple-to-use app.

Schedule once off and regular meetings and video conferences.

Stay in contact with clients and staff using video conferencing. Visual contact is more important now than ever before. Seeing your colleagues and clients has a hugely positive impact on relationships.

Stay in touch and feel part of the team during the Covid 19 lockdown.

It goes without saying that teamwork is central to our ability to recover from the economic shockwave that Covid 19 has caused and will continue to cause. Make sure your team stays focused and productive as we navigate our way through these choppy waters.

If this sounds good, then Microsoft Teams may just be for you!

 

 

 

 

Mitigating your Risk with IT Security Controls

IT Security Control
Photo by Bernard Hermant on Unsplash

Reading time: 3 Minutes
Written by Aaron Nolan
Risk mitigation is the process of lessening the effect of incidents through the implementation of security controls. The entire idea behind risk mitigation is putting mechanisms in place to reduce risk to the organisation. In this article, we will be talking about IT Security Controls and their role and characteristics in business.  

Many different types of controls can be implemented to mitigate risk. Risk controls can be physical, technical or administrative and they can act proactively or reactively. After the risk analysis element of the risk management process, many companies struggle to implement the correct or sufficient controls due to their lack of knowledge on IT Security. Choosing the wrong type or an unnecessary control can be a costly decision for the organisation.  

The organisation’s governance structure is responsible for the risk within the company. Many organisations do not have in-house IT knowledge or expertise, and therefore many mature organisations consult an independent third party to assess the mitigating controls available for each risk.   

What you need to Start Mitigating Risk 

At the mitigation point of the risk management process, an organisation should have the scope of their entire business in an Asset Register. The organisation should have completed a threat model against each one of these assets, with the likelihood and impact of their risks analysed, to then document the exposure. If you’re not familiar with these procedures, take the time to read our articles above.   

The organisation should have documented an acceptable level of risk in each area of the business based on its criticality. The exposure to each asset should have then been accepted, avoided, transferred or marked for mitigation. 

To learn more about these different ways to address risk, read:
Developing an Action Plan to Address Technology Risk. 

The list of risks to be mitigated is the outstanding exposure that requires IT Security controls to be implemented. Having an acceptable level of risk and an understanding of the criticality of each business function allows the organisation to make an informed decision on what security controls to implement.

Security Controls   

The phrase security control is sometimes used interchangeably with safeguard or countermeasure. There are many different types of security controls, and they can be broken down into proactive and reactive controls.

Proactive Controls  

Deterrent and preventive controls are types of proactive controls, as they are in place before an incident occurs. Examples of deterrent controls are banner messages on servers, an employee code of conduct in contracts and high perimeter walls around your premises.

The idea of a deterrent control is, as the name suggests, to deter the threat. Preventive controls are mechanisms like firewall rules, Intrusion Prevention Systems (IPS) and physical locks on secure rooms. The idea of a preventive control is to stop the threat from occurring at all.

Reactive Controls 

Detective, compensative, corrective and recovery controls are all types of reactive controls because, at this stage, the incident has already occurred. Detective controls are anti-malware and anti-virus software, Intrusion Detection Systems (IDS) and CCTV systems. The purpose of detective controls is to alert when an intrusion has occurred or been detected.

Examples of compensative controls are Insurance (Cyber/Premises) or having an alternative site available (Hot/Cold Site). Compensative controls are used to protect the organisation after a vulnerability has been exploited. 

Corrective and recovery controls are backups, electronic journaling and data archiving. These controls bring the business back to its normal state of operation.

Whichever security controls you choose to implement should be driven from the risk analysis that has been carried out. These security controls should be cost-effective but also appropriate to the level of security required to protect the resources. The organisation must continually manage and monitor security controls to ensure sufficient security governance. 

In Conclusion 

The essential part of risk management is understanding your risk. The organisation’s governance structure should be aware of the threat before and after a control has been implemented. If the company does not have in-house IT knowledge or expertise and cannot make an informed decision on their risk, they should consult an independent 3rd party expert in IT and risk management. 

Once the risks are mitigated, the organisation should be able to accept any residual risk. The risk management process should give the company a baseline to work from, or put them in a position to implement a framework, allowing it to drive security policy from the governance structure down.


Why an Impact Analysis is Essential for Company Continuity

Business Asset Impact Analysis
Photo by Julia Joppien on Unsplash

Reading Time: 4 Minutes
Written by Aaron Nolan
A Business Impact Analysis (BIA) is one of the first steps any company should go through before or soon after becoming operational. The analysis is conducted to bring clarity to the financial and operational impact that a disruption could cause.

Moreover, the Business Impact Analysis’ importance goes beyond providing clarity. It serves as an essential activity to build a Business Continuity Plan and in the risk management discipline.

The goal of Business Continuity Planning (BCP) is the ongoing performance of the business in a time of disaster until normal business conditions are back in place. Planning for business continuity is vital to maintain continuous operations of the organisation in the event of an emergency.

A Business Impact Analysis should be implemented by the Management Structure within an organisation. It should include senior management and representatives from all departments of the business. 

Choose your team and required resources.  

The first step in a Business Impact Analysis is choosing the right members within the organisation to represent each team. Each person will view their risk and their department’s risk differently.

Therefore, every team must be represented in the assessment, as risk is objective, and any risk is relevant.

It makes it even more critical that Senior Management is part of the analysis, as it is their task to independently quantify and qualify each risk after the review has taken place. Legal representation would also be advised throughout or at least at the end of the BCP process to ensure you have covered your organisation for legal and regulatory requirements.  

As Business Continuity Planning is not a once-off event, ongoing resources are required. The duty to continually train staff, purchase new hardware and software, and maintain documentation and processes to keep the plan live will need to be budgeted for each year.

Find your Scope  

Once you have your team in place and have an idea of cost involved in maintaining your Business Continuity Plan, you should then identify your scope. Your scope should cover all assets within your organisation, including hardware, software, information, premises and people.  

The easiest way to identify the scope of your business is to complete an asset register. All the previously mentioned assets should be addressed and recorded on the register. You may not have to go into great detail with people by listing each member of staff, but you should list critical positions of the team and ensure succession planning is addressed.   

Learn how to build your Asset Register in the article
Building your Asset and Risk Register to Manage Technology Risk 
 

The key priority of every organisation is the protection of its people. Human life should be prioritised over every other asset. An organisation may then choose to prioritise the security of its hardware over its information, but this will depend on which sector the company is in.  

Addressing Risk

Impact
Photo by Dave Herring on Unsplash

Once a company has identified its assets the next step is the risk assessment and risk analysis of these assets. Although many times risk assessment and risk analysis are used interchangeably, they are different things. 

Risk Assessment is the identification of all threats to the organisation’s assets, whereas Risk Analysis estimates the likelihood that the vulnerabilities in those assets will be exploited. These concepts will prove relevant when attempting to understand and calculate your risks, so read our article Understanding and Calculating Organisational Risk for more details.

Once you have identified your risk, the organisation should document its acceptance or mitigation control and cost of these risks, which will then be presented for final approval by the CEO, stakeholders and board members.    

There are different approaches to addressing different types of risk. To get more insight and our best suggestions on that, read Developing an Action Plan to Address Technology Risk.

Business Continuity Plan Approval, Implementation and Maintenance 

The final step in Business Continuity Planning is the Plan Approval by the CEO, Stakeholders and board members. It is essential to have buy-in from the top level for BCP to succeed. Once the plan has been approved, and the resources provided, the implementation and maintenance of the program can start.  

A Business Continuity Coordinator and one alternative person should be trained in all parts of the Business Continuity Process. They, in turn, should put a BCP committee together to ensure the process stays live. It is the committee’s job to ensure the training and education of all employees are complete, documentation is up to date, and goals are being met.  

Documentation like a Statement of Importance, Statement of Priorities and the Outline of the Organisational Responsibilities should be deployed from the C-Level to all employees to ensure buy-in from the top down.

Impact Analysis on Business asset
Photo by Ashkan Forouzani

Minimising Downtime with your Business Continuity Plan 

Once your Business Continuity Plan is live, the most critical part is ensuring that it stays there. Therefore you should test your plans on a regular basis to ensure you can address potential crisis scenarios effectively. While doing this, it’s crucial to keep your Maximum Tolerable Downtime (MTD) limit in mind.  

The purpose of all this is to ensure your business stays within its MTD, even in disaster situations. That will keep your operations and employees safe, and your company can resume activities quickly without suffering considerable damage.

To illustrate the extent of financial damage a business could suffer within a few hours of Downtime, we have created a Downtime Calculator. Use it and calculate how much your business would lose for every hour in which operations are disrupted.

If the continual operations of your organisation have stopped, then business processes have stopped, and therefore the organisation is no longer in BCP mode but in Disaster Recovery (DR) mode. Read our article explaining the difference, or visit our Business Continuity page for more information.


Lessons in Lockdown: Our Guide to Smarter Remote Working

Working from home during Coronavirus
Photo by Aleksi Tappura on Unsplash

Estimated Reading Time: 7 Minutes
The Coronavirus – a.k.a. Covid 19 – outbreak is forcing organisations all over the world to send their staff home, putting their business continuity planning to the test. This means that businesses that have the structure to enable people to work from home can remain productive amidst the outbreak and other disaster situations.
 

Is your business prepared for the Coronavirus? Ensuring Business Continuity  

I love to work from home but only under certain circumstances. I only enjoy it when I have a task or project that requires serious focus. Otherwise, I prefer the energy and banter in the office. So how can we help our staff prepare for the lone working environment, handle stress and overcome the isolation effects of the Covid 19 pandemic?  

Take a typical day in the office, the chat, the meetings, the advice taken and received and all banter that goes with it. Try pausing it. For most business owners, this idea feels eerie.

Now put yourself in the shoes of the newer staff, the interns and other team members that look to others for guidance and assurance that they are doing the right thing. It tells you one thing: more input. A lot more input and leadership are going to be required to help those staff and protect them from the stresses and pressures that come from isolated working.  

Managing people remotely is more challenging  

Hopefully, you have clear staff roles defined. If not, thanks to the Coronavirus, you have more work to do. Deciding things like this for the first time during a pandemic outbreak is going to be tough, but it’s critical to helping your staff know that they are doing a good job.  

In our business, we manage the workload of the bulk of our team. They are clear on what they have to do and what good looks like. They need to communicate with each other and escalate work to colleagues where required. Even with this clarity, some staff might tend to feel isolated.   

The Power of Collaboration Tools  

The key for us has been to have regular huddles which are performed using MS Teams Meetings. The specific technology doesn’t really matter, and other alternatives such as Slack, Zoom and GoToMeeting have waived some of their fees and offer free solutions.   

Once you choose the technology that suits your purposes, you will need to help your staff bed it in. We suggest starting slowly where possible. Make sure they all have the technology, headphones, cameras etc. to make this simpler. Make sure your team also know that we are all prone to distractions, such as kids or crazy canines that need walking. We need to be understanding and flexible.

Our recommendations from lessons learned in Spector  

We have broken down the main recommendations under three headings: Team Motivation, Meetings and Managerial Advice. Towards the end, we also recommend the best guides and in-depth articles about remote working. By learning and implementing these practices in your organisation, it will be more resilient and flexible than ever, while remaining productive.

Keeping the Team Motivated

Doing your part in keeping the team motivated is vital, but it’s also crucial that you instruct the crew in practising and developing their own productivity habits while working from home. In a usual scenario, you would have plenty of time to prepare your team, but due to the rush in getting things done during the coronavirus outbreak, people are bound to feel out of place. Be disciplined in your efforts, and you will facilitate the transition for them.

  1. Stimulate communication: have an Instant Messaging platform for your team and ask everyone to be online there during work hours. Let them know that everyone is available to chat, and if they do not understand something, they can raise their hands and ask. Nothing is more isolating than not knowing what is going on.
  2. Keep it light and allow banter: we use a Team Channel specifically for banter and chat. We should call it the “You will not believe what just happened” channel because that is what it is. People – suppliers, clients, staff – can request strange and wonderful things when they are under pressure. Somewhere to share that can be beneficial.
  3. Keep in touch: check in with each person at the start and end of each working day. Give them a few minutes to tell you where they are at and whether there have been any particular challenges that day. Split the work among your senior management to help them develop a new type of rapport with the staff. Most of all, be disciplined.
  4. Check if people are available: don’t feel bad if you don’t get an immediate response. People may appear free but be talking on the phone, concentrating on something else or hassled by something at home. Ask for a confirmation of receipt after sending a message and let them catch up at later meetings, if required.
  5. Discuss difficulties: as mentioned before, the biggest challenge in shifting work environments is the cultural change. People have work habits that are being disrupted, and most of them are probably not used to working from home. Be open to hearing about their difficulties and provide advice.

Sharing some material and tips from experienced remote workers has proven to be an excellent start, and we found two links to help on that: 
Tips for working from home, from experienced remote workers;
Working from home when your kids are out of school – especially useful now that school classes have been paused due to the coronavirus outbreak.

Workplace to remote workers
Photo by Andrea Davis on Unsplash

Meetings  

Another common difficulty shared by businesses is conducting meetings remotely. Again, this topic is particularly sensitive during the Coronavirus outbreak, as the official recommendation from the health authorities has been to avoid physical contact. A large number of companies rely on meetings to present their services or close new business, and they must adapt to survive during the period of isolation.

  1. Scheduled meetings: set aside defined times to meet. Random meeting times do not work. Period. It also helps to have fixed meeting lengths — ours range from 5-minute huddles and updates to 45-minute leadership meetings. Nothing goes over the established time.
  2. Have an agenda: create and share a firm agenda of a small number of important points that are clearly explained to all participants. Allow people to add their own relevant points before the meeting.
  3. Use your resources: make these meetings eye to eye using video conferencing where possible. It adds a higher level of connection and stimulates people to pay more attention. It’s also a good idea to get your team to mute their calls – it helps drown out the noise of the environment. Let them unmute as they need to talk. This is especially useful if you are with a larger number of people.

For more tips on Virtual Meetings, we recommend this article by Harvard Business Review: What it takes to run a great virtual meeting 

Managerial Advice  

Managing remote teams can be challenging as with any change in the way that you work. For this reason, we have compiled some guides from some of the world’s leading companies in remote working.   

Some of these companies were born remotely or made the transition with time. Between them, one should match your managerial style and bring some refreshing insight that you can apply in your reality. To get started rapidly, we recommend the article Transitioning to remote work in a hurry, made by Zapier. After focusing on these first aspects, you can proceed to reflect in more depth on this critical topic. Click on the blue links below to dig deeper into each guide.   

  • Learning about Business Continuity is an excellent way to prepare for this and other disrupting situations that may come to arise. Our article, Is Your Business Ready for the Coronavirus offers practical insight on that.  
  • Insight from real businesses: in this link, 140 companies answer the most frequent questions about remote work, such as how to manage performance and communications remotely. These companies are very distinct and adopt remote working at different levels, which will provide a multilateral view of the topic.

Facilitate your Transition to Work Remotely 

As you may have noticed, enabling your workforce to work remotely is not a simple task – and one surrounded by multiple challenges. Even more so in the current global situation. Many of our customers were forced to adapt quickly due to the Coronavirus outbreak, and this seems to be the case for many businesses around the world.

Most companies still lack the structure to work remotely, such as the devices, configurations, and tools that one would require (VPNs, file sharing, cloud servers). Others may have the basics in place but are not yet able to do it securely – without compromising their critical files and database. 

Most business owners are too busy to learn about the level of detail needed to abide by best practice and ensure optimal performance while working remotely. Hence, we recommend finding a partner to facilitate this transition. 

If you need any advice on how to activate your team to work remotely, feel free to make contact with us. We have assisted numerous customers in this task, and hope to aid others in difficult times.

Thank you for reading! For more exclusive content, follow us on Social Media.
 

Understanding and Calculating Organisational Risk


Estimated Reading Time: 5 Minutes
Written by Aaron Nolan
Understanding organisational risk is crucial not only for a risk manager handling GRC (Governance, Risk and Compliance) but also for any business owner or member of the board or C-suite who wants to future-proof their company and ensure Business Continuity.

In this article, we will be addressing some of the most common doubts and providing the essential information you will need to understand the nature of risk. With this knowledge, you can begin developing tactics to shield your business against it.

What is Risk?

Risk deals with the possibility or likelihood of a situation occurring based on the threats and vulnerabilities of an asset. Both vulnerabilities and threats can be mitigated using security controls, but we must understand the level of exposure first.

  • A threat to your business is any likelihood of unwanted potential harm. An example of a threat might be a thief or a computer virus.
  • A vulnerability, on the other hand, is a weakness or absence of a safeguard in an asset. An example of a vulnerability is a broken alarm system or an unpatched server.

Once all the threats and vulnerabilities have been identified and scored, you arrive at your Total Risk: the organisation’s exposure level before any mitigation controls are implemented. Being aware of all your risks is crucial for conducting a Business Impact Analysis.

Risk Assessment vs Risk Analysis

Many people use these two phrases interchangeably, but they are two separate things. A risk assessment is used to gather the data about the company, like its assets register, asset value and data flow. The risk assessment is used to understand the scope of the business and its potential exposure.

A risk analysis, on the other hand, is used to calculate the probability of a vulnerability being exploited. An organisation should list all probable threats and vulnerabilities to the gathered data from the assessment, in a process called Threat Modelling.

This should be used to produce a Gap Analysis or a Risk Mitigation plan, which will generate a list of risks that can be acted upon based on a cost versus benefit analysis. Therefore, a Risk Analysis must follow a Risk Assessment.

For more details and useful tools to help you build your Asset Register and Risk Register, read: Building your Asset and Risk Register to Manage Tech Risk. There you will find a sample risk register and a webinar with detailed instructions on how to use it.

Calculating your Risk

After your organisation has completed the threat modelling process, there are several ways it can calculate its risk. Depending on the type of risk and the type of potential damage, one way may be more suitable than another. In this article, we’ll be exploring Quantitative and Qualitative risk analysis.

How much does downtime cost your organisation? Find out with our Downtime Calculator

Quantitative Risk Analysis

A Quantitative Risk approach adds costs or monetary value to the risk allowing you to easily see a cost-benefit analysis of any mitigation process.

For a Quantitative Risk analysis to work, each asset must have an asset value (AV) attached to it. By carrying out threat modelling, we will calculate the likelihood and consequence of a threat or vulnerability occurring.

Score your “likelihood” on a scale from 0 to 5, with 0 being highly unlikely to happen and 5 being certain to happen; this gives you a number to work with. Do the same with “consequence”, with 0 being no effect on operations and 5 being a complete stop of operations.

These two numbers added together give you a total score which you can compare with your risk table. Example below:

Risk Level table (likelihood + consequence)

Description                         Level     Score
Totally Acceptable Risk             Low       <= 5
Acceptable Risk                     Medium    6
Transferable / Mitigatable Risk     Medium    7
Must Mitigate Risk                  Medium    8
High Priority to Mitigate Risk      High      >= 9

This number will give you your exposure factor (EF). The Asset Value (AV) times the Exposure Factor (EF) can be used to give the organisation the Single Loss Expectancy (SLE) of any threat occurring or vulnerability being exposed.

AV x EF = SLE

An organisation can use the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO) to get the Annual Loss Expectancy (ALE) of a risk occurring.

SLE x ARO = ALE
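The scoring, the risk table and the two formulas above can be put together into a small register, which is how a risk manager would actually compare threats before taking them to the board. The block below is an added worked example, not code from this article or from any tool it links. It assumes the exposure factor is supplied as the fraction of the asset value lost in a single event (0.0 to 1.0), uses an annualised control cost in place of a full TCO, and the register entries are constructed sample figures.

```python
"""Quantitative risk analysis using the article's scoring scheme and the
AV x EF = SLE and SLE x ARO = ALE formulas.

Added worked example; it is not code from the Spector article or any tool it
links. Assumptions: the exposure factor is supplied as the fraction of the
asset value lost in one event (0.0 to 1.0), the annualised control cost stands
in for TCO, and the register entries are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Risk table from the article: combined score -> (description, level).
# Any score of 9 or more falls into the last, high-priority band.
RISK_TABLE = [
    (5, "Totally Acceptable Risk", "Low"),
    (6, "Acceptable Risk", "Medium"),
    (7, "Transferable / Mitigatable Risk", "Medium"),
    (8, "Must Mitigate Risk", "Medium"),
]
HIGH_BAND = ("High Priority to Mitigate Risk", "High")


def combined_score(likelihood: int, consequence: int) -> int:
    """Likelihood (0 = highly unlikely .. 5 = certain) plus consequence
    (0 = no effect .. 5 = operations stop), as the article describes."""
    for name, value in (("likelihood", likelihood), ("consequence", consequence)):
        if not 0 <= value <= 5:
            raise ValueError(f"{name} must be on the 0-5 scale, got {value}")
    return likelihood + consequence


def risk_level(total: int) -> tuple[str, str]:
    """Look the combined score up in the risk table."""
    for upper_bound, description, level in RISK_TABLE:
        if total <= upper_bound:
            return description, level
    return HIGH_BAND


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF.  EF is assumed here to be a fraction of AV (0.0-1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO.  ARO is the expected number of occurrences per year
    (0.25 = once every four years, 3 = three times a year)."""
    return sle * aro


@dataclass
class Risk:
    name: str
    asset_value: float      # AV in currency units
    exposure_factor: float  # EF as a fraction of AV (assumption, see above)
    aro: float              # annual rate of occurrence
    likelihood: int         # 0-5
    consequence: int        # 0-5

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(self.sle, self.aro)

    @property
    def level(self) -> tuple[str, str]:
        return risk_level(combined_score(self.likelihood, self.consequence))


def rank_risks(register: list[Risk]) -> list[tuple[str, str, float]]:
    """Order the register by ALE, highest first, so the board sees the
    costliest risks at the top: (name, level, ALE)."""
    ordered = sorted(register, key=lambda r: r.ale, reverse=True)
    return [(r.name, r.level[1], r.ale) for r in ordered]


def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost-benefit check for a mitigation: the ALE it removes minus what it
    costs per year.  A positive result means the control pays for itself."""
    return (ale_before - ale_after) - annual_cost


# Constructed sample register (values are illustrative, not real figures).
SAMPLE_REGISTER = [
    Risk("Ransomware on the file server", 200_000, 0.6, 0.5, 4, 5),
    Risk("Unpatched web server breached", 150_000, 0.4, 0.25, 4, 4),
    Risk("Office power outage", 50_000, 0.1, 2.0, 3, 3),
    Risk("Staff laptop stolen", 2_000, 1.0, 3.0, 3, 1),
]

if __name__ == "__main__":
    for name, level, ale in rank_risks(SAMPLE_REGISTER):
        print(f"{name:<32} {level:<7} ALE = {ale:>10,.2f}")
    # Backups plus endpoint protection for the ransomware risk: assume they cut
    # ARO from 0.5 to 0.1 at an annualised cost of 12,000.
    before = SAMPLE_REGISTER[0].ale
    after = annual_loss_expectancy(SAMPLE_REGISTER[0].sle, 0.1)
    print("Net benefit of the control:", control_net_benefit(before, after, 12_000))
```

Ranking by ALE rather than by the score alone is deliberate: a "Low" risk that happens three times a year can cost more annually than a "Medium" one that is rare, and the register makes that visible. The control check at the end is the "what will it cost us if we do nothing?" question in numbers: if the ALE a control removes is less than its annual cost, an alternative treatment (transfer, insure, accept) should be considered.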

By comparing the results for different threats and vulnerabilities, you should be able to understand which risks are more relevant and justify them to the board. By putting the results together into a chart, it becomes easy to visualise and compare risks, as seen below.

Risk Likelihood and Impact Chart

Knowing how to report these topics at a board meeting is also a vital part of the Risk Manager’s role. That could be especially hard if addressing Cyber Security risks. Should you need any help with it, read Preparing for an Audit and Discussing Cyber Security with the Board.

Qualitative Risk Analysis

Not all risk is tangible, therefore putting a cost on every asset may not be viable. In this case, an organisation should use a Qualitative Risk approach to review risk which might affect the reputation of the company.

A qualitative approach is a lot simpler and focuses more on business-critical operations than cost. It’s based on a subjective analysis, which can be done by scoring the risks of your assets as low, medium and high based upon the criticality to the business. This will give you a quicker indication of the required protection methods that need to be in place.

There are many different techniques and tools an organisation can use to calculate its qualitative risks like the Delphi technique, brainstorming or storyboarding.

Some organisations use a mixture of Quantitative and Qualitative risk analysis to cover both tangible and non-tangible assets. This is a very mature approach and safeguards the organisation both financially and reputationally.

Next Steps in Understanding and Addressing Risk

It is vital that the governance structure of an organisation understands the risks to their company to realistically implement controls to mitigate the risk. It is the responsibility of the organisation’s board members, C-level and stakeholders to understand the risks to their company.

The entire organisation must be examined in the Risk Assessment and Analysis process. The assessment must identify all assets and their value to the organisation, as discussed in detail in this article. The Risk Analysis process will evaluate the probability of a threat or vulnerability being exploited.

During the risk analysis process, the organisation’s governance structure should ask itself, “what will it cost us if we do nothing?” The Total Cost of Ownership (TCO) is the total cost of implementing a safeguard, and this must match a Return on Investment (ROI) for the controls. Otherwise, alternative plans for mitigating the risk should be considered.

There are different ways to address or mitigate risks, and we discuss them in more detail in our article Developing an Action Plan to Address Technology Risk. Before deciding to tackle threats directly, the organisation must determine the business impact of these exposures and identify the cost versus benefit of the mitigating controls.

Risk Management is a complex topic, so help yourself with our series of content and tools available in our blog.

If you need specialised help to guide you through this process, Book a Call with us. We have the expertise, the tools and the systems to make the risk management process simple and automatic.


Business Continuity – and Why it Matters During Covid-19


Estimated Reading Time: 4 Minutes
Written by Aaron Nolan
As the Covid-19 virus epidemic continues to spread across the globe, the number of organisations and institutions forced to close their doors continues to rise daily. The long-term impact of the Coronavirus on businesses and the economy is yet unknown, but your organisation should do everything possible to mitigate the risk and ensure business continuity.

The key priority here is to contain or eradicate the spread of the virus and, in doing so, protect your staff, your most valuable asset. To this end, it may be necessary for your organisation to close the premises and require that employees work from home.

What is Business Continuity – and why does it matter in the Coronavirus outbreak 

The goal of Business Continuity is the ongoing operational uptime of the business in a time of disaster until normal business conditions are back in place. Planning for business continuity is vital to maintain the continuous operation of the organisation in the event of an emergency.   

Moreover, a robust business continuity plan consists of much more than simply telling people to work from home. There are multiple factors that need to be considered and discussed beforehand. Most businesses are not ready to ask that of their staff, as there is no structure in place to allow them to be productive remotely. 

The Covid-19 virus pandemic brings business continuity into sharp focus. Now is a perfect time to build and test the resilience and the Business Continuity Process for your organisation.

Questions that every organisation should be asking themselves now:  

  • What is the risk posed by Coronavirus to my business and employees? 
  • How long can the organisation sustain downtime? 
  • Can my organisation survive 14 days (self-isolation period in case of a Coronavirus infection) of remote working?  
  • What can I do now to limit potential downtime?   

How much would one hour of downtime cost you? Discover with our Downtime Calculator

Mature and risk-averse organisations should already have these contingencies in place to limit downtime and to mitigate potential financial loss. If your company does not yet have controls in place, consider the following as quick wins to prepare for an emergency closure.  

Business Impact Analysis

It may be too late for most, but a Business Impact Analysis (BIA) is one of the first steps your company should consider. A Business Impact Analysis is a review of all business-critical operations, assessing the risk to each of them in a worst-case scenario.  

A Business Impact Analysis should be implemented by the Management Structure within an organisation and should include senior management and representatives from all departments of the business. 

The easiest way to assess the risk to your business is to identify critical functions and supporting assets in your organisation. Once a company has identified its business-critical assets, the next step is to ensure their availability and continued ability to run.  

If you haven’t yet identified your critical assets and risks, read:
Building your Asset and Risk Register


People 

A Business Continuity Coordinator should be nominated, and all employees should be trained or at least made aware of the Business Continuity Process. It is the responsibility of senior management within the organisation to ensure the training and education of all employees is complete. 

Process 

In the event of your organisation having to close due to an emergency, there should be procedures and guidelines available to all staff to let them know what to do. Documentation such as an Incident Response Plan, Business Continuity Plan and a Continuity of Operations Plan should be available for all staff in the event of the organisation closing.  

Your employees should know where these documents are located whether that be on a local file server or hosted in the cloud. We call this a disaster recovery war chest. 

Technology 

The first thing to consider is, does every employee have access to a laptop or home PC? If so, does each computer comply with the company’s network access policy? And finally, does the device have a VPN set up in order to gain access to business applications and data remotely?  

It is also highly advisable to consider moving critical files to cloud-based storage, such as Egnyte or SharePoint. This will allow access to these files from anywhere, and on any device without the need for complex VPNs.  

Putting Business Continuity into Practice 

Having a robust Business Continuity Plan in place will allow you to be prepared not only for the Coronavirus outbreak but every major risk factor that could potentially affect your organisation. A Business Continuity Plan should be able to address situations like fire, floods, physical invasions and the vast number of Cyber Security risks – which although seemingly less dangerous, could be just as disastrous for a company.

Any such disaster could cause anything from financial damage to a critical failure leading to business closure. Having contingencies in place could make the difference between your business shutting its doors and thriving. 

Now that you are aware of the importance of these procedures, you can prepare your plan and avoid the damage posed by external threats. Should you need assistance and professional advice, feel free to Book a Call with us.


Financial Services Guide: Managing Technical Risk With NIST


A Guide for Financial Services and Regulated Firms

Dealing with risk is complex, and that level of complexity tends to escalate when addressing technology risk. Most people, including experienced risk managers, feel intimidated by the amount of technical detail involved. After hearing the concerns of many customers and partners, we decided to put together this guide on how we succeed in the challenge of managing technology risk.

Today you will learn of a framework and a set of tools that will make the task of addressing technology risk feel achievable. By leveraging the NIST framework, you can build a Risk Management system that will allow your business to reach top-level security and compliance. Plus, the best part: it’s easy to understand and verify progress.

We will be explaining what NIST is, how it works, and how you can begin implementing it in your organisation. The benefits are evident for companies in the Financial Services industries or for most businesses that operate in highly regulated spaces. However, the advantages of a robust risk management system and a cyber security framework are universal and will help all types of businesses thrive among today’s threats.


Understanding IT Cyber Security Risk

By now, businesses across the globe know that their IT infrastructure is at risk from attacks or breaches from cyber criminals, no matter how large or small they are, or what they offer.

For financial services organisations, it’s even more important to be aware of the risks and to come up with a plan to prevent and resolve any issues arising from an attack. When you hold a client’s financial information or provide a platform for people to save and move money, you want to ensure that that plan is as robust as possible.

It’s important, however, to understand first that there is no such thing as perfection in cyber security, and risk management is not a race, it’s an ongoing process of improvement.

Knowing that risk is something you’re always going to have to deal with means that you can regard it as an opportunity and allows you to be proactive in your approach to data protection and security. You don’t need to be an expert technician to avoid IT risk – it’s all a matter of asking the right questions.

In order to protect your business and its data (as well as that of clients and suppliers) and to ensure you’re compliant with financial regulations, you need to build a cyber security framework.


NIST is one of a number of frameworks, but it’s simple to understand and can be adjusted and applied to the IT systems of any company, no matter what their size. The business can then develop a cyber security system entirely tailored to their needs.

Still not sure about the usefulness of a framework? Read the following article:
Understanding Guidelines, Frameworks and Standards (from a Governance Standpoint)

NIST starts with a basic assessment of where a company is and where it wants to be. Understanding the difference between the current and desired state should help companies to carry out a gap analysis, to define their target risk profile and produce a risk assessment.

It’s important that careful consideration is given to the threats and vulnerabilities specific to financial organisations.

What is NIST?

The National Institute of Standards and Technology (NIST) has developed a Cyber Security Framework which they define as: “a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks.”

Once the assessment process is complete, NIST provides a risk-based action plan and cyber security insights that are appropriate for both board and executive-level review and implementation. The information generated is also easily quantifiable.

The NIST process is made up of three stages, each building upon the other to help a business to assess its current systems and draw up a plan. It includes five functional areas to consider: Identify, Protect, Detect, Respond and Recover. We will dive into more detail on these areas shortly.

Original NIST core framework: the five functional areas Identify, Protect, Detect, Respond and Recover

How can NIST Help Financial Services Organisations?

The NIST Framework helps companies to: ‘better understand, manage, and reduce their cybersecurity risks’. Completing the assessment means you can identify your individual priorities when it comes to cyber security and business continuity.

NIST is internationally recognised and designed to be shared with all employees, as well as with suppliers. Rather than making cyber security the responsibility of the IT department alone, the framework helps senior managers to communicate the importance of keeping data safe.

It also helps you to stay GDPR compliant. Since the legislation was introduced in 2018, all companies holding customer data must be proactive about how they safely store and remove that information. Anyone who falls foul of the regulator faces large fines.

Going through the process helps you to assess your current IT systems and allows you to fix any gaps, reducing your chances of data being compromised. It also means that if anything does go wrong, you’re prepared for it and can implement your continuity plan.

For more in-depth information about the NIST CSF, visit the official website or ask us in the comments section at the end of this page.

Applying the Framework

As we mentioned above, the NIST Cyber Security Framework is comprised of three sections. To help you get started, here is a quick explanation of what each of these is and how they fit in.

The Framework Core

The Core is designed to give you tasks to work through to help you reach the cyber security outcomes that you’ve identified as being necessary for your business. Within the Core, you can add references to where readers can find additional information on best practices, procedures and industry requirements.

The Core is written in clear, straightforward language so that it can be easily understood by anyone at any level within the organisation and doesn’t require a knowledge of technical jargon.

To make it easier to assess your needs, the Framework Core is split into five functions, as mentioned above, which are: Identify, Protect, Detect, Respond and Recover. NIST recommends using all five together for a ‘high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk’.

NIST Core Framework Areas

Identify: The first step is to get an overall picture of the business, the resources available to support critical functions and the potential risks to data, assets and systems. Once these risks have been identified, you will then be able to create a strategy for use throughout the business to prioritise and manage them appropriately. Things to consider at this step include governance, the business environment and asset management.

Protect: The next step is to develop safeguards to make sure your company can deliver critical services. NIST suggests giving thought to data security, protective technologies, access control, awareness and training and identity management. Also include an implementation plan for the safeguards.

Detect: This function is designed to help you detect cyber security events in a timely manner and develop processes to do so effectively. It’s recommended that you include continual monitoring of systems and security, as well as how to identify anomalies or other changes.

Respond: NIST says that this function is intended to make sure you have the ability to contain the impact of a cyber security incident, should one happen. Take into account response planning and communication, as well as what to do afterwards, including analysis of the incident, mitigation and possible improvements that you can make to prevent an attack in future.

Recover: At this step, you’re working to map out your recovery plan and the improvements you’ll make for the future, as well as identifying how you’ll communicate this across the organisation. The key priorities here are to be able to get back to normal operations as quickly as possible in the event of a cyber attack and how to restore any services that were affected during the attack. Business resilience is important at this stage.

Within the Framework Core are underlying key Categories and Subcategories (outcomes). There are 23 Categories which are mapped against each of the five Functions outlined above. These include suggestions for cyber security objectives, such as personnel education. Think of them as brief topics you can include to help you reach your business outcomes.

NIST Categories

Next, there are 108 Subcategories, which NIST describes as: “outcome-driven statements that provide considerations for creating or improving a cybersecurity programme”. These can be amended to suit your own requirements.

NIST Subcategories

NIST Framework Implementation Tiers

The next section of the Framework covers the Implementation Tiers. The four tiers assess how an organisation views cyber security risk and what processes it has in place to manage that risk. The Tiers are used to decide how a business is prepared for and will respond to a cyber breach or attack.

NIST Implementation Tiers (scoring system)

  1. Tier 1 – Partial Implementation: At this level, businesses have minimal awareness of the risks they face. Planning and implementation is inconsistent, and they take an ad-hoc and reactive approach to cyber security.
  2. Tier 2 – Risk-Informed: Here, companies are aware of the need for cybersecurity measures and have some idea for what these should be, but aren’t implementing them regularly. While they have plans and resources to protect themselves, they aren’t proactive.
  3. Tier 3 – Repeatable: This tier refers to companies which have implemented the Cybersecurity Framework across the board, apply policies consistently and communicate fully with employees at all levels so they understand the potential risks and the steps to take. The word ‘repeatable’ means that the business is able to respond to more than one crisis that may occur.
  4. Tier 4 – Adaptive: At the final stage, businesses have fully integrated the Cybersecurity Framework into their processes. Not only are they equipped to respond to and deal with threats, they are proactive with detecting them. They can also predict any issues based on the IT systems they have in place and any current trends.

Further below, we will provide a simplified tool to help you evaluate your current practices and understand where your business stands among these Tiers. It’s helpful to know that they don’t necessarily reflect your business maturity (although if you’re at Tier 1, moving up is recommended).

Instead, the Tiers should be seen as a way to help you manage risk, your priorities and how you can improve cyber security and progress to the next level at the right time for your company. They help you move from being reactive to proactive in terms of responding to risk.

As for your target profile, choose a Tier that reflects your desired outcomes and is achievable. You must select the appropriate Tier considering your ideal risk management practices, any legislation and industry regulation requirements (essential for financial services) as well as any obligations you have to others in your supply chain and any constraints that may exist.

NIST Framework Profile

The final stage is the creation of a Profile which is unique to your business. It is based on your objectives and requirements, the level of risk and the priorities you identified at the Core stage. It’s built using the Categories and Subcategories that you’ve chosen as being important to help you build a robust cybersecurity plan.

One advantage of spending some time developing a Profile means that, once you’ve assessed where you are now (Current Profile) you can start looking for ways to improve your cybersecurity and move to where you’d like to be (Target Profile).

Any gaps between Current and Target Profiles mean you can develop a plan to resolve them, based on what’s most important and time-critical to ensure your systems are protected.

Within this, factor in any other business needs, such as staffing and resources, costs, future planning and overall goals and other outside influences (such as changes to legislation or technology). Plan how to communicate the Profile and the goals to internal staff and external suppliers.
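The Current-versus-Target comparison described above is easy to do by hand for a handful of outcomes, but once a Profile covers dozens of Subcategories it is worth scripting so the gap list and the per-Function coverage come out consistently. The block below is an added example, not the Spector self-assessment tool or any NIST-published code. The Subcategory identifiers are real NIST CSF 1.1 IDs with paraphrased one-line descriptions; the yes/no answers, the target scope and the priorities are constructed sample data.

```python
"""Current-versus-Target Profile gap analysis in the yes/no style the article
describes.

Added example; it is not the Spector self-assessment tool. Subcategory IDs are
NIST CSF 1.1 identifiers with paraphrased one-line descriptions; the yes/no
answers, target scope and priorities are constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# A small slice of the Framework Core: id -> (Function, paraphrased outcome).
SUBCATEGORIES = {
    "ID.AM-1": ("Identify", "Physical devices and systems are inventoried"),
    "ID.RA-1": ("Identify", "Asset vulnerabilities are identified and documented"),
    "PR.AC-1": ("Protect", "Identities and credentials are managed for authorised users and devices"),
    "PR.AC-7": ("Protect", "Users and devices are authenticated commensurate with risk"),
    "PR.DS-1": ("Protect", "Data at rest is protected"),
    "DE.CM-1": ("Detect", "The network is monitored to detect potential cybersecurity events"),
    "RS.RP-1": ("Respond", "Response plan is executed during or after an incident"),
    "RC.RP-1": ("Recover", "Recovery plan is executed during or after an incident"),
}


@dataclass
class Gap:
    subcategory: str
    function: str
    priority: int   # 1 = address first
    outcome: str


def find_gaps(current: dict[str, bool], target: dict[str, int]) -> list[Gap]:
    """Target = in-scope subcategories with a priority; current = yes/no per
    subcategory. A gap is an in-scope outcome not yet answered 'yes'.
    Gaps come back ordered by priority, then by id, ready for the action plan."""
    unknown = set(target) - set(SUBCATEGORIES)
    if unknown:
        raise KeyError(f"not in the Core slice: {sorted(unknown)}")
    gaps = [
        Gap(sub, SUBCATEGORIES[sub][0], prio, SUBCATEGORIES[sub][1])
        for sub, prio in target.items()
        if not current.get(sub, False)   # unanswered counts as 'no'
    ]
    return sorted(gaps, key=lambda g: (g.priority, g.subcategory))


def coverage_by_function(current: dict[str, bool], target: dict[str, int]) -> dict[str, tuple[int, int]]:
    """(achieved, in scope) per Function: the board-level summary of the Profile."""
    totals: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for sub in target:
        func = SUBCATEGORIES[sub][0]
        totals[func][1] += 1
        if current.get(sub, False):
            totals[func][0] += 1
    return {func: (done, total) for func, (done, total) in totals.items()}


# Constructed answers from a simplified yes/no self-assessment.
CURRENT_PROFILE = {
    "ID.AM-1": True, "ID.RA-1": False, "PR.AC-1": True, "PR.AC-7": False,
    "PR.DS-1": False, "DE.CM-1": False, "RS.RP-1": True, "RC.RP-1": False,
}
# Target Profile: everything in the slice is in scope; the priority reflects
# what the business judged most time-critical (constructed).
TARGET_PROFILE = {
    "ID.AM-1": 2, "ID.RA-1": 2, "PR.AC-1": 1, "PR.AC-7": 1,
    "PR.DS-1": 2, "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 3,
}

if __name__ == "__main__":
    for g in find_gaps(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"P{g.priority} {g.subcategory} ({g.function}): {g.outcome}")
    for func, (done, total) in coverage_by_function(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{func:<9} {done}/{total}")
```

Keeping the priority on the Target Profile, rather than on the gap, is what lets the same script be re-run after each review: answers change, the ordering rule does not, and the output is the updated gap list for the next planning cycle.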

Learn where you are – Estimate your current NIST Profile

To get you started, we have developed a simplified self-assessment tool that you can use to evaluate your business and identify your current and target profile. By using this tool, you should be able to have a better practical understanding of how useful NIST can be. Keep in mind that it doesn’t cover all bases normally addressed by the framework, especially since we have shifted it from a levelled approach (1-4) into a “yes or no” approach to keep things simple.

Download the NIST CSF Simplified Self-Assessment Tool

Watch the video below for a detailed explanation about how to estimate your NIST profile and use the tool.

Strategy and Delivery to Implement the NIST CSF

The NIST Cyber Security Framework will then allow you to move on to analysis and planning and delivering your strategy. At this stage, you are working to identify your target (ideal) cyber security system and assess the current situation to see where there are gaps and what your business needs to do to hit the target.

Remember, completing the NIST Cybersecurity Framework is not enough on its own. While it will help you think through your security needs, you need to decide what steps to take next.

Once you’ve clarified your current cyber security position, your Target Profile (see above), identified any gaps and decided how to resolve these, you can move on to putting together your plan.

Don’t forget to include any legal requirements (such as GDPR) and industry regulations you may need to consider. Here are some other things you’ll need to think about:

Complete a Detailed Asset Register

An asset register (sometimes called a fixed asset register) is a record of every fixed asset in your business: anything that you use to generate revenue. It includes computers and other devices, vehicles, machinery and equipment, buildings and land.

You can record and track your assets however you wish, but an electronic list in a spreadsheet or similar is ideal because you can share it across teams or department heads who need to be able to access and update it.

It’s also important to review your asset register and keep it current, so allocate a regular time to review it, whether that’s quarterly or six-monthly. The register tracks the value of every fixed asset in the business, whether it is in working order, and where it is located. You’ll also need to work out asset depreciation at the end of each financial year.

It’s up to you what information you include on your asset register, but at the minimum, note its name or give it a description so you know which item you’re talking about. Include serial numbers or other identifying numbers.


Add when each asset was bought and its original purchase price, its depreciation and current book value. You might also want to include service history or, for a vehicle, when it was last repaired or had an MOT.

Assign an owner to each asset, and where appropriate, allocate a risk weighting. A risk weighting is essential for banks, as it enables a calculation to determine its capital requirement and to reduce the risk of insolvency. Different classes of assets have different risk weightings applied to them, as some are riskier than others.

Depending on the asset, its risk will be assessed using the most appropriate tool. You should also calculate any interest that may be charged, and the rate of return.

For more detail and practical examples of how to build your Asset and Risk Register,
read our article:
Building an Asset and Risk Register to tackle risk

Building a Risk Register

A risk register is a way of plotting the impact of any given risk over its probability. A scatterplot is the usual method of presenting the results, with impact across the X-axis and the likelihood of it happening on the Y-axis. The risks are then all marked on the graph. You can also use specialist software to track the risks.

Risk Likelihood and Impact Chart

The register also includes any other relevant information about each risk, such as its owner, the nature of the risk, and what, if any, mitigation measures are in place, and any contingency plans. It also discusses what impact a risk will have, and how likely (probable) it is that the risk will happen. Similar risks can be grouped together.
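A register of the kind described here is usually kept in a spreadsheet, but the plotting step (likelihood down, impact across, risks as points) is simple enough to reproduce in a few lines, which also makes it easy to pick out the top-right corner and to group similar risks. The block below is an added example; it is not the Spector sample register or the spreadsheet linked below. The 1 to 5 scales on both axes are an assumption (the chart above does not state its scale), and the entries, owners and categories are constructed sample data.

```python
"""Risk register with a likelihood-by-impact matrix.

Added example; not the Spector sample register or spreadsheet. The register
entries, owners and categories are constructed sample data; the 1-5 scales on
both axes are an assumption, since the article's chart does not state a scale.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = lowest, 5 = highest, for both axes (assumption)


@dataclass
class RegisterEntry:
    risk_id: str
    description: str
    owner: str
    likelihood: int        # Y-axis of the chart
    impact: int            # X-axis of the chart
    category: str = "general"
    mitigation: str = "none in place"
    contingency: str = "none in place"

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{self.risk_id}: {name} must be 1-5, got {value}")


def build_matrix(register: list[RegisterEntry]) -> dict[tuple[int, int], list[str]]:
    """Map each (likelihood, impact) cell to the risk ids plotted there."""
    cells: dict[tuple[int, int], list[str]] = defaultdict(list)
    for entry in register:
        cells[(entry.likelihood, entry.impact)].append(entry.risk_id)
    return dict(cells)


def render_matrix(register: list[RegisterEntry]) -> str:
    """Text version of the scatterplot: impact across, likelihood down
    (5 at the top), each cell listing the risk ids that land there."""
    cells = build_matrix(register)
    width = 10
    lines = ["likelihood \\ impact " + "".join(f"{i:^{width}}" for i in SCALE)]
    for likelihood in reversed(SCALE):
        row = [f"{likelihood:>19} "]
        for impact in SCALE:
            label = ",".join(cells.get((likelihood, impact), [])) or "."
            row.append(f"{label:^{width}}")
        lines.append("".join(row))
    return "\n".join(lines)


def top_right(register: list[RegisterEntry], min_likelihood: int = 4, min_impact: int = 4) -> list[str]:
    """Risks in the top-right corner: likely and damaging, so they are the
    first candidates for mitigation."""
    return [e.risk_id for e in register
            if e.likelihood >= min_likelihood and e.impact >= min_impact]


def group_by_category(register: list[RegisterEntry]) -> dict[str, list[str]]:
    """Similar risks grouped together, as the article suggests."""
    groups: dict[str, list[str]] = defaultdict(list)
    for e in register:
        groups[e.category].append(e.risk_id)
    return dict(groups)


# Constructed sample register.
SAMPLE_REGISTER = [
    RegisterEntry("R1", "Phishing leads to stolen credentials", "IT Manager", 4, 4,
                  "people", "awareness training", "password reset runbook"),
    RegisterEntry("R2", "Backup restore fails when needed", "IT Manager", 2, 5,
                  "technology", "quarterly restore test"),
    RegisterEntry("R3", "Key supplier outage", "Operations Lead", 3, 3, "supply chain"),
    RegisterEntry("R4", "Unencrypted USB stick lost", "HR Lead", 4, 2, "people",
                  "USB ports disabled"),
    RegisterEntry("R5", "Flooding at the office", "Facilities", 1, 4, "physical",
                  "none in place", "remote working plan"),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_REGISTER))
    print("Top-right quadrant:", top_right(SAMPLE_REGISTER))
    print("By category:", group_by_category(SAMPLE_REGISTER))
```

Validation in `__post_init__` is the part worth keeping when moving this to a spreadsheet: an off-scale score silently distorts the whole chart, and catching it at entry time is cheaper than explaining it at the board meeting.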

To help you visualise and build your risk register, we have acquired a Sample Risk Register and made a video with instructions and practical tips on how to insert and organise your risks onto the spreadsheet. You can access both below:

Download Sample Risk Register

Watch our Web Class below on how to complete your Risk Register

Set an Action Plan to Address Technology Risk

The information you've gathered while completing your NIST Cyber Security Framework assessment should clearly show what your next steps are. Decide and agree on the actions the business needs to take over the next 12 to 24 months.

Set milestones for when you’ll change or update your security systems, how and when you’ll move from your Current to your Target Profile, and how you’ll track your progress. Include review dates for each step, and make sure you clearly communicate the plan and how it’s progressing with everyone within the organisation.

Knowing how to address your main risks is also crucial in improving your business profile, and there are different ways to do it, depending on your budget and priorities. A risk can be mitigated directly, transferred by outsourcing or insuring it, avoided by stopping the activity that creates it, or accepted and monitored. Which option is right depends on how significant the risk's impact, treatment cost and probability are, and all of these factors should be captured when preparing your Risk Register.

For more information on how to build your action plan and address risk, read:
Developing an Action Plan to Address your Technology Risk

Collecting and Storing Evidence of Compliance

A crucial, yet commonly unappreciated, part of this process is to gather and store evidence of your activities along the way. To be compliant, you must be able to prove that you are compliant. This is where the evidence-gathering process begins, and it should function in parallel with your efforts to tackle risk.

There is a multitude of procedures, policies, systems and tasks that support this effort. We recommend utilising tools and specialised services to make this process automatic and as easy as possible.

The key takeaway from this chapter is that it supports the next stage, the audit process. By maintaining this evidence, you can demonstrate to an auditor that your business has followed best practice and takes this task seriously.

For more information and details on the tools and methods we recommend, read:
Before the Audit: Gathering Evidence to Prove Compliance

Develop the Risk Management System

Next, you’ll need to develop your risk management system. The system will not only advance your technology infrastructure but will allow your organisation to improve in other key business areas and evolve in maturity. The company will run like a well-oiled engine, with processes and procedures supporting activities.

Below, we explain how the NIST Cyber Security Framework can assist in developing some of these areas.

Governance
Most governance requirements are covered by the 'Identify' function, the first of the five functions in the Framework Core. Other requirements fall under the relevant functions, such as Detect and Respond.

Cyber Security 
Cyber security is tracked across all five of the Core functions, with the main controls sitting in Protect and Detect. It's a good idea to take the CIS Controls into consideration.

The Center for Internet Security Critical Security Controls for Effective Cyber Defence is a guide to best practice for computer security. At the time of writing it consists of 20 key actions, known as Critical Security Controls (CSC), which serve as prioritised guidelines for organisations to block attacks; version 8 of the CIS Controls, published in 2021, consolidates them into 18.

Business Continuity Plan (BCP) 
This is covered across all functions, particularly the Recover function. A BCP is essential for all businesses, but particularly for financial institutions. Having a robust continuity plan in place means you can be prepared in case the worst happens.

It means you can continue with business as usual while data is restored or cyber threats are dealt with. It enables you to communicate with your customers, staff and suppliers, and it ensures that everyone knows what to do to keep the business operating properly.

Outsourcing 
Outsourcing is covered within the Identify function and falls under the Supply Chain Risk Management category. If you are part of a supply chain, it's essential that your business is not vulnerable to external risks that could compromise not only your systems but those of everyone else in the chain too.

If you decide to purchase new technology, make sure it’s compatible with your existing hardware and software, it can be secured against data breaches and that it’s installed by the in-house IT team or your external support partner.

For more insight on outsourcing, read: Outsourcing Policy – Governance, Risks and Preparations to consider

Framework
Photo by Marius George Oprea on Unsplash

ISO Standards
As with other aspects of business, ISO standards apply to cyber security, although of course how they are applied varies by industry. ISO 27001 is the general standard for Information Security Management Systems (ISMS) and sets out the requirements an ISMS must meet.

ISO 27002, which descends from the BS 7799 code of practice for information security management, outlines best practice for the security controls an ISMS may implement and operates as a high-level guide. It's most useful as guidance for management working towards ISO 27001 certification.

For financial institutions, having ISO 27001 certification is hugely beneficial. As they hold so much personal and financial information on clients, often across devices and locations, they are particularly at risk from cyber-attacks.

Holding the ISO certification demonstrates to customers that the institution is committed to security, confidentiality and protecting their data, and is proactive in doing so. In the post-GDPR world, this is more important than it's ever been and will help you stand out from the competition.

ISO 27001 and the NIST Cyber Security Framework have many similarities and overarching areas. This is a good thing, as if you are looking to adopt the framework or achieve the certification, you can transition from one to the other without dissipating your efforts. To learn more about which of these models can be more beneficial to your business, read our article ISO 27001 versus NIST: why choose one?

Preparing for an Audit

Financial Services organisations and companies operating within regulated industries are familiar with the concept of an audit, and often dread it. Using NIST and a risk management system, the process should become much more straightforward and painless.

An audit is a vital process for identifying fundamental weaknesses in your company’s formal procedures or cybersecurity architecture. It is not a name and shame process; audits exist to help you grow. Internal audits could potentially be just as effective, but the added pressure from an external auditor is what usually closes the gap between an organisation’s plans and actions.

However, as relevant as cybersecurity audits are, many companies are not well prepared for them. Learning what you need and how to behave during a review will make the procedure calmer and more efficient. The critical lessons are:

Communicate with the auditor: Speak to the auditor before and during the process, so you can both be as clear as possible on what is needed. Know the scope of the inspection and what people, tools and reports will be required, so that they are available when requested.

Prepare in advance: The more time you spend preparing for this process, the less time the auditor will need to be on site. Study the applicable regulatory standards prior to the audit, prepare your files and documents in an easy-to-read format, and be ready to show a register of your assets.

Don’t be afraid: the auditor is not your enemy, and simply changing your attitude towards them may noticeably improve both the relationship and the process. Ask the auditor to let you know of any significant issues as they arise, and be sure to ask for advice: your problems will probably not be unique to you, and there may be simple solutions available.

For more in-depth insights on being audit-ready, read:
Preparing for an Audit: How to tackle Cyber Security and discuss it with the board

Auditor getting ready for inspection
Photo by Hunters Race on Unsplash

Dealing with the Board

Apart from dealing with the auditor, it’s equally important to report progress to the board and make sure that the goals and actions to attain these goals are fully understood and supported by them.

Educating the board about the relevance and role of the tech infrastructure of your business is an excellent place to start. It would be best if you also kept things as simple as possible, as this will likely be only one amongst many items in a list to be discussed by the board members.

One of the main advantages of the NIST framework is that it can demonstrate progress with its uncomplicated scoring system. Any non-technical person or board member should be able to understand it and learn which areas are the most critical.

We talk about the guiding principles for board reports, as well as some of the key questions to help identify and develop cyber security metrics in this article.

Maintaining the Risk Management System

As we said at the beginning, cyber security is not a one-off event; it is an ongoing process which needs to be continually monitored and improved. It’s not something that you can set and forget or leave to the IT department to manage.

Regular reviews of the systems in place using the NIST Framework should be agreed amongst the senior management team. Track examples of best practice and highlight areas for improvement, and make sure you communicate the results with the rest of the organisation.

The system can be maintained and handled by yourself, with enough discipline and by utilising calendaring tools. In this case, you will retain all of the documentation, evidence gathering and calendaring of reviews (such as backup tests, incident management etc.) using a centralised document management solution such as SharePoint or Microsoft Teams.

However, depending on the size or complexity of your organisation, we would recommend adopting a specialised solution to facilitate this process. It will need to support the NIST Cyber Security Framework and provide you with the outputs that you need.

There are some excellent Integrated Governance, Risk and Compliance tools out there, all with their own strong points. At the very minimum, it needs to manage the tasks, repeat reviews, document and evidence gathering as well as provide detailed and executive progress reporting.

It makes the whole process from Vendor evaluations to day to day tasks management and compliance control way simpler.

If you are considering specialist help or a tool, you need to understand the value it will bring to your business. The outcomes you are seeking are to be secure against threats, ready for audits, and to have a future-proof structure and strategy that fits your business’s unique characteristics. Depending on how much knowledge you have already gathered about your technology infrastructure, we are able to suggest an appropriate solution.

Photo by Blake Wisz on Unsplash

How Can We Help – Implementing NIST into your Business

Here at Spector, we have two basic service offerings in this area: the Gap Analysis and the Cyber Security Programme.

We usually recommend companies to begin with the Gap Analysis, as it will provide us with more knowledge of your setup and a clear direction for your needs. This service consists of a project to analyse and identify the most critical vulnerabilities in your structure. It can be done in a short period by our team, causing minimal disruption. To learn more about how it works and what is involved, read our Gap Analysis brochure, available on this link.

The Cyber Security Programme, on the other hand, is the step that follows the Gap Analysis, and it addresses the actual mitigation of your risks and the development of your structure on a continuous basis. We deploy our tools and resolve the most urgent issues, then initiate new projects to reach your business goals. This allows us to close the gap between the desired and current state. If you want to learn more about this stage, we have information available on this link.

Both solutions will help turn this daunting process into an automatic and uncomplicated job. If you have questions, feel free to Book a Call with us. We will be happy to learn about your challenges and figure out the best solution.

Thank you for reading! If you have found value in this content, please share it with others who may feel the same way. Follow us on Social Media for more exclusive content.

Before the Audit: Gathering Evidence to prove Compliance

Before the Audit - gathering evidence to prove compliance
Photo by Maarten Van den Heuvel

Estimated Reading Time: 4 Minutes

One of the core elements in a mature risk management system is gathering evidence of your ongoing activities. To be compliant, you need to be able to demonstrate compliance, and the best way to do that is to collect and store evidence of your activities and have them ready to be verified during an audit. If you can do this work consistently before the audit, your job when dealing with an auditor will be made considerably easier.

In this article, we will explore some of the core elements involved in this process and some tools and methods to make it more straightforward. There is a multitude of procedures, policies, systems and tasks that support this effort.

These include but are not limited to:

Security policies

At Spector, we consider security policies an essential item for protecting your technology infrastructure – even more than the actual tools that will monitor your structure. They will define how users should behave, and if well implemented, should stop people from putting themselves in danger.

These policies will act as the base that sustains the system, so it’s essential that they are in place and reviewed every two years. We use between 17 and 23 policies with our clients, depending on their requirements. Our system will then gather evidence and save them as screenshots to support the implementation of these policies and controls.

Scheduled tasks with clear accountability

If you have designed an Action Plan to address risk or reach compliance, this plan should have originated a number of tasks and activities that must be performed for your business to attain its goals.

This can include minuted meetings, preparation of board reports, backup testing, verification of security controls against known standards, and so on. Tasks should be put into a calendarised system that creates automated workloads for the responsible people.

Every task should have an owner, and there should be one person overseeing the entire process, typically a Risk/Compliance Officer. Evidence should be gathered regularly to ensure controls are still in place. If tasks don’t have a completion date, they usually fall on the back burner and never get done.
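As an added example (not part of the original article, and not the risk management platform it mentions), the Python below shows the check behind the "every task has an owner and a completion date" rule: each control has a required evidence cadence, every evidence item records when it was collected, and the code works out which controls are fresh, due soon, overdue, or have no evidence at all, then groups the ones needing action by owner so each person gets a single chaser. The control names, cadences, file paths and the fixed "today" are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    ref: str
    name: str
    owner: str
    cadence_days: int  # how old the latest evidence may be before it is stale


@dataclass(frozen=True)
class Evidence:
    control_ref: str
    collected_on: date
    artefact: str      # where the evidence lives, e.g. a report or screenshot path


def latest_evidence(evidence: list[Evidence]) -> dict[str, Evidence]:
    """Most recent evidence item per control; older items stay on file but are not used."""
    latest: dict[str, Evidence] = {}
    for e in evidence:
        current = latest.get(e.control_ref)
        if current is None or e.collected_on > current.collected_on:
            latest[e.control_ref] = e
    return latest


def evidence_status(controls: list[Control], evidence: list[Evidence],
                    today: date, warn_days: int = 14) -> dict[str, tuple[str, int | None]]:
    """Map control ref -> (status, days_until_due).

    status is 'ok', 'due_soon', 'overdue' or 'missing' (no evidence at all);
    days_until_due is negative when overdue and None when missing.
    """
    latest = latest_evidence(evidence)
    result: dict[str, tuple[str, int | None]] = {}
    for c in controls:
        e = latest.get(c.ref)
        if e is None:
            result[c.ref] = ("missing", None)
            continue
        due = e.collected_on + timedelta(days=c.cadence_days)
        remaining = (due - today).days
        if remaining < 0:
            status = "overdue"
        elif remaining <= warn_days:
            status = "due_soon"
        else:
            status = "ok"
        result[c.ref] = (status, remaining)
    return result


def escalations(controls: list[Control],
                statuses: dict[str, tuple[str, int | None]]) -> dict[str, list[tuple[str, str]]]:
    """Owner -> list of (ref, status) needing action, one chaser per owner."""
    out: dict[str, list[tuple[str, str]]] = {}
    for c in controls:
        status, _ = statuses[c.ref]
        if status != "ok":
            out.setdefault(c.owner, []).append((c.ref, status))
    return out


# Constructed sample data; dates are chosen relative to an assumed "today".
TODAY = date(2024, 6, 1)
CONTROLS = [
    Control("BK-1", "Quarterly backup restore test", "IT Manager", 90),
    Control("AR-1", "Quarterly user access review", "IT Manager", 90),
    Control("POL-1", "Policy set review", "Compliance Officer", 730),
    Control("VS-1", "Monthly external vulnerability scan", "IT Manager", 30),
]
EVIDENCE = [
    Evidence("BK-1", date(2024, 2, 20), "evidence/2024-02-20-restore-test.pdf"),
    Evidence("AR-1", date(2023, 12, 1), "evidence/2023-12-01-access-review.xlsx"),
    Evidence("AR-1", date(2024, 3, 10), "evidence/2024-03-10-access-review.xlsx"),
    Evidence("POL-1", date(2023, 1, 15), "evidence/2023-01-15-policy-signoff.png"),
    # deliberately no evidence for VS-1
]

if __name__ == "__main__":
    statuses = evidence_status(CONTROLS, EVIDENCE, TODAY)
    for ref, (status, days) in statuses.items():
        print(f"{ref:<6} {status:<9} {days}")
    for owner, items in escalations(CONTROLS, statuses).items():
        print(owner, "->", items)
```

Run against a real evidence store, the "missing" bucket is the important one: a control that has never produced evidence is indistinguishable from a control nobody is operating, and it will not show up as overdue because nothing ever set its clock.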

Reviews of logs

Log review can be done on a timed basis, or using automated discovery tools and modern SIEM (Security Information and Event Management) and vulnerability solutions that report issues in real time. Technology can be a huge help here, in particular for producing evidence of real-time activity. Running annual vulnerability tests might tick boxes, but it is no longer enough to be considered best practice.

Photo by Beatriz Perez Moya on Unsplash

Managing security incidents

It’s futile to pretend that incidents will never happen, as there is too much uncertainty in today’s scenario, along with the human factor to take into consideration. Reporting and demonstrating how you discover, handle and remediate these incidents is crucial to show stakeholders and auditors that you can address them effectively.

Preparing a report after a security incident is recommended: it helps the organisation understand how the incident happened and how to stop it from happening again.

Change management

Make sure that you document your approach to change management in terms of risk. Imagine the deployment of a new CRM: where will the data live, and how does the solution provide clarity around current data protection legislation? Recording these considerations is evidence of proper planning.

Building a System to Manage Risk and Compliance

We like to think of this system as an organic entity. It grows and changes as the environment changes. There are many ways to handle this process of system building and evidence gathering. We use a risk management platform to assist us with our efforts, but we have clients that successfully manage the system by using calendaring solutions.

Tools to help in Gathering Evidence

There are a wealth of tools that can help in gathering data. These come in different flavours.

Tools that are run at a point in time: vulnerability assessment and penetration-testing tools such as Qualys, Nessus and RapidFire Tools. All have their place and discover different levels of detail about the potential vulnerabilities in your environment.

Tools that run 24/7: this is where it gets more complicated. Current endpoint security and AI-based protect-and-detect solutions now overlap with modern SIEM solutions. A SIEM used to simply harvest log data to be analysed periodically.

Modern SIEM platforms add analytics, built-in vulnerability capabilities and integration with key security products to give a 360-degree real-time view of incidents. Providers such as Netsurion extend their platform and staff into your organisation at a fraction of the cost of staffing your own Security Operations Centre (SOC).

Using the Evidence in your Favour – Preparing for the Audit

The key takeaway from this chapter is that it supports the next stage, the audit process. By maintaining this evidence, you can readily demonstrate to an auditor that your business has followed best practice and takes this task seriously.

We recommend utilising tools and specialised services to make this process automatic and as easy as possible. Our suite of tools enables full visibility for an external or internal auditor while maintaining data protection and governance. It can reduce an auditor’s time significantly on-site, and consequently, the stress of business owners.

Next Steps

The next part will address how to get audit-ready and report your progress to the board using the tools and knowledge you have already gathered. If you want to turn this daunting situation into a stress-free, automatic process, then talk to us and keep reading our compliance and risk management content in our blog.

Thank you for reading.
Follow Spector on our Social Media channels for more exclusive content.

Your Outsourcing Policy: The Risks and Considerations

Bridge connecting two buildings
Photo by John Towner on Unsplash

Estimated Reading Time: 4 Minutes
Written by Aaron Nolan

Outsourcing involves the transferring of responsibility for activities to an Outsourced Service Provider (OSP). Outsourcing has become an increasingly common practice in today’s world, as it brings to businesses the benefits of reducing costs, increasing scalability and allowing for the use of external expertise when required.

However, outsourcing is often not as straightforward as it seems, as there are many risks and factors to be taken into consideration.

An organisation’s board and management structure are uniquely responsible for the risks involved in outsourcing. Should anything happen as a result of outsourcing business-critical functions, the board and its management will be held accountable by their governing body.

Before deciding to outsource part of your organisation's critical business functions to an OSP, several things should be understood and considered. This article provides a brief overview of the crucial factors, which hopefully will help you make a more informed decision.

Looking for specific information on outsourcing your IT management? We have more details on the article: Does Outsourcing Technology Support Really Work?

Awareness

The Board must be aware of what needs to be outsourced and what can be managed internally. Are there enough resources to keep certain functions in-house? Is it feasible and beneficial for the business? Keeping things in-house has its benefits and gives you direct control over activities. However, without awareness, it can be just as risky as outsourcing without controls in place.

A cost vs benefit analysis should be carried out before outsourcing a business-critical contract. This should then be followed by a risk assessment of the outsourced function. This reflection exercise will give senior management a much broader view of the risk involved in outsourcing this function. By doing this, it should become easier to understand which functions should be prioritized or how the budget can be assigned.

Once the board and senior management agree that a function is required to be outsourced, they should go about understanding the Maximum Tolerable Downtime (MTD) of this function. Maximum Tolerable Downtime is the maximum length of time a business function can be down without causing irreparable harm to the business.

The organisation should then look for an Outsourced Service Provider that guarantees a Recovery Time Objective (RTO, the time it takes to restore the function) shorter than the organisation's MTD. In short, the business's expectation must be met by the outsourcer's promise for the relationship to work.

Only when both organisations understand and agree on the importance of these functions can they engage in business. These commitments should be written into contracts as Service Level Agreements (SLAs) and reviewed regularly.

Risk
Photo by Hal Gatewood on Unsplash

Risk

Before outsourcing a business function, an organisation should go about doing a due care and due diligence process on the function and the providers. A risk assessment should be carried out on a provider before outsourcing any business functions. An organisation may use a tendering process or use the MTD mentioned previously as an indicator of the provider’s ability to meet its required SLA.

Once a service provider has been selected, the organisation should add the Outsourced Service Provider to its internal risk register or a list of third-party providers for regular review to ensure SLAs are being met.

To learn more about risk, read: Understanding and Calculating Organisational Risk

Business Continuity Management

When an organisation decides to outsource business functions, it is its responsibility to ensure that SLAs are tested regularly. There is no point in having Recovery Time Objectives and Recovery Point Objectives in place if they are not tested at least once a year.

Sometimes backups fail, system patching isn’t always up to date, and changes to infrastructure are not always recorded, resulting in the BCP process taking longer than expected. Therefore, it is vital to test your business continuity plan as regularly as possible.

It is also critical for the organisation to implement an exit strategy with any service providers to ensure a smooth transition to another provider and return of any data held by the service provider. This could easily become an obstacle for business growth if left unchecked.
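The checks described in the Awareness and Business Continuity Management sections above (RTO shorter than MTD, an agreed RPO, a recovery test within the last year, and a documented exit strategy) are simple enough to put into a third-party register and run on a schedule. The Python below is an added example, not from the original article or any provider named in it; the business functions, MTD values, provider names and dates are constructed, and the one-year test interval is the article's own "at least once a year".

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    mtd_hours: float  # Maximum Tolerable Downtime agreed by the board


@dataclass(frozen=True)
class Provider:
    name: str
    function: str                   # which business function it delivers
    rto_hours: float                # Recovery Time Objective promised in the SLA
    rpo_hours: Optional[float]      # Recovery Point Objective, None if not agreed
    last_sla_test: Optional[date]   # last time the recovery SLA was actually exercised
    exit_strategy_documented: bool


def assess_providers(functions: list[BusinessFunction], providers: list[Provider],
                     today: date, test_interval_days: int = 365) -> dict[str, list[str]]:
    """Return provider name -> list of findings; an empty list means acceptable."""
    mtd = {f.name: f.mtd_hours for f in functions}
    findings: dict[str, list[str]] = {}
    for p in providers:
        issues: list[str] = []
        if p.function not in mtd:
            # A provider tied to a function nobody has sized cannot be assessed.
            issues.append(f"no MTD defined for function '{p.function}'")
        elif p.rto_hours >= mtd[p.function]:
            # RTO must be strictly shorter than MTD, otherwise recovery arrives too late.
            issues.append(f"RTO {p.rto_hours}h is not below MTD {mtd[p.function]}h")
        if p.rpo_hours is None:
            issues.append("no RPO agreed")
        if p.last_sla_test is None:
            issues.append("recovery SLA never tested")
        else:
            age = (today - p.last_sla_test).days
            if age > test_interval_days:
                issues.append(f"last SLA test {age} days ago (limit {test_interval_days})")
        if not p.exit_strategy_documented:
            issues.append("no documented exit strategy")
        findings[p.name] = issues
    return findings


def acceptable(findings: dict[str, list[str]]) -> list[str]:
    """Providers with no open findings."""
    return sorted(name for name, issues in findings.items() if not issues)


# Constructed sample data (not real providers or clients).
TODAY = date(2024, 6, 1)
FUNCTIONS = [BusinessFunction("card payments", 4), BusinessFunction("payroll", 72)]
PROVIDERS = [
    Provider("CloudPay", "card payments", rto_hours=2, rpo_hours=0.25,
             last_sla_test=date(2023, 11, 15), exit_strategy_documented=True),
    Provider("HostCo", "card payments", rto_hours=8, rpo_hours=None,
             last_sla_test=None, exit_strategy_documented=True),
    Provider("PayrollPlus", "payroll", rto_hours=24, rpo_hours=24,
             last_sla_test=date(2023, 3, 1), exit_strategy_documented=False),
    Provider("DeskMail", "e-mail", rto_hours=4, rpo_hours=1,
             last_sla_test=date(2024, 1, 10), exit_strategy_documented=True),
]

if __name__ == "__main__":
    report = assess_providers(FUNCTIONS, PROVIDERS, TODAY)
    for name, issues in report.items():
        print(name, "OK" if not issues else "; ".join(issues))
    print("acceptable:", acceptable(report))
```

The DeskMail case is worth noting: a provider attached to a function with no MTD is flagged rather than silently passed, because the gap there is in your own register, not in the provider's SLA.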

In Conclusion

With the ever-evolving advancements in technology making businesses more efficient, it has become more and more necessary to outsource functions due to the lack of in-house knowledge.

Outsourcing functions increases the scope of a business, but it also increases exposure, risk and the challenges of compliance. Tasks such as mapping the data flow and having full visibility of the suppliers’ activities can become extremely complicated.

Regulatory requirements like GDPR force boards and management to understand and protect their data. It is critical for the organisation’s senior management to have awareness and understanding of the scope of its business – especially if choosing to adopt a framework, guideline or standard.

Once the organisation understands its scope, it can then go about addressing the risks of not only its internal functions but also its outsourced functions. These outsourced functions should be tested regularly to ensure SLAs are being met and critical data is being backed up.

If you are looking for yet more detail on the major risks and factors related to outsourcing policies, we recommend reading the following whitepaper from the Central Bank of Ireland: Outsourcing – Findings and Issues for Discussion.

Thank you for reading, and for more compliance and business advice, visit our blog.
Follow Spector on our Social Media channels for more exclusive content.

eBook | Your Tech Transformation Roadmap for 2020 and beyond

Photo by Jakob Owens on Unsplash

Digital Transformation and Technology Transformation are some of the latest buzzwords commonly used by business leaders as the next go-to investment to bring your organisation to the next level. However, this process is often not very straightforward and could easily go wrong.

Major technology initiatives, like the implementation of new enterprise systems such as CRM or ERP, can be intimidating. They are usually expensive, take a long time to complete, carry a high risk of failure and can be very disruptive to the company’s day-to-day operations.

Applications that focus on specific business functions such as scheduling software, while less costly, often come with their own set of challenges such as limited functionality and the need to integrate multiple systems.

Despite these challenges, companies that have invested in digital technologies are reporting increased productivity, lower costs and improved product quality. They are also better positioned to react more rapidly to market changes and have better growth prospects.

Digital Technology in the Centre of the Transformation Process

Understanding how technology applies to a company is fundamental for this process to work. Expectations and investments must be clearly aligned, and every change implemented must be meaningful and effectively adhered to.

If technology is not important for you, it won’t be the thing that changes your business. You can’t expect to witness Digital or Technological Transformation if core value-adding activities of your company aren’t integrated with tech.

To establish your priorities and define these areas, we recommend the creation of a technology roadmap.

A technology roadmap can help you move forward with confidence and purpose while avoiding costly mistakes. It will help you align your IT projects with your strategic priorities, plan for the long term, and define your needs and goals before investing.

Download E-Book: Technology Transformation – Building an IT Roadmap for 2020 and Beyond

Technology Transformation - Building an IT Roadmap for 2020 and Beyond | Free Ebook

The ebook will provide insight and guidelines for you to build a technology roadmap for your organisation. It covers the six steps you should take to prepare your business for what’s coming. If you need any help in this process, don’t hesitate to contact us.

Thank you for reading! If you have any questions or comments, please let us know in the comments below.

ISO27001 vs NIST Cyber Security Framework: Why choose one?

Framework
Photo by Marius George Oprea on Unsplash

Estimated Reading Time: 4 Minutes
Written by: Aaron Nolan

Standards and frameworks are implemented by organisations to have business alignment, adopt business best practice and adhere to industry regulations. Moreover, standards and frameworks outline security controls to help protect the confidentiality, integrity and availability of business-critical assets.

The firm’s Information Security Governance structure, which should comprise top-level management, should ensure security controls are managed, monitored and measurable. The easiest way to do this is to implement an existing framework or standard. Two such well-known frameworks are ISO 27001 and the NIST Cyber Security Framework (CSF).

ISO 27001 and the NIST CSF framework approach information security and risk management differently, but the control measures for both are similar. The correct choice of framework for an organisation largely depends on their operational maturity, level of inherent risk, resources available and outside-pressure from clients and governing bodies. There is a significant overlap in the two frameworks to allow companies to implement controls which address risks within both. We will explain each in brief below.

ISO 27001

ISO 27001 is a globally recognised standard for information security management systems (ISMS). It sets out the requirements an organisation’s ISMS must meet in order to be certified. Achieving certification requires independent, audited verification that the ISMS is managed in line with the standard.

ISO 27001 requires the organisation to set out its information security programme in a top-level security policy (often called a Master Security Policy) and then show that it is driven by the organisation’s governance structure.

The two critical steps of an ISO 27001 implementation are the risk assessment and the risk treatment plan, which are described in more detail in our article Building your Asset and Risk Register. These ensure adequate controls are in place for information assets, and that they are based on actual threats and vulnerabilities.

NIST Cybersecurity Framework

The NIST CSF is a risk-based framework originally developed for critical infrastructure sectors, but it has been adopted by organisations across all industries. NIST does not provide a certification process; rather, it provides a well-designed framework to help an organisation establish its cyber security maturity posture across five business-critical functions:

Identify, Protect, Detect, Respond and Recover

(CSF version 2.0, published by NIST in 2024, adds a sixth function, Govern, covering organisational governance of cyber security risk.)

Each of the core NIST functions is graded on a scale of 0-4, with higher scores indicating higher degrees of cyber security maturity. (The 0-4 scale is a scoring convention layered on the framework; NIST itself describes maturity through Implementation Tiers 1 to 4, from Partial to Adaptive.) The ability to give an overall rating for an organisation’s cyber security posture is what makes it attractive: senior management can quickly understand and appreciate positive developments in a risk improvement programme.

Use our Simplified Self Assessment Tool to view how your company performs in relation to the criteria used by the NIST CSF. Our GRC experts have also made a video explaining how to use the tool in more detail, which you can watch below:

With either of these materials, you’ll have a better understanding of how NIST works and of some of the topics you will need to address to obtain a good result and protect your business. Keep in mind this tool is based on a simplified version of the framework and does not cover the same width or depth.

ISO 27001 and NIST – Which to Choose?

As NIST practitioners and ISO 27001 lead auditors, we are commonly asked which approach is most appropriate for each client. The answer depends on what you want to achieve as an organisation. If the eventual aim is to achieve and maintain ISO 27001 certification, then starting with ISO 27001 would seem the obvious choice.

There is one caveat to that rule, though, and that is the current level of Cyber Security Maturity and Risk preparation of an organisation.

Where the NIST CSF truly comes into its own is for organisations that are trying to get a structured technology risk management programme off the ground. This is especially true where such efforts have failed previously. Such organisations tend to have lower NIST scores but have the governance drive and the desire to build a structured cyber security maturity programme.

The NIST CSF will identify your current Cyber Security maturity levels and set out a clear plan to mitigate the risks by order of priority. It also helps rule out costly mistakes when making decisions about technology choices and budget by clearly identifying what is needed to address each risk.

Photo by Dayne Topkin on Unsplash

This makes the NIST CSF a good starting point, as organisations may progress through the critical areas needed to reach compliance and focus on the specifics required for each stage. Then, companies can address whatever is missing for standards such as ISO 27001 only when they are better prepared. Furthermore, progress can be better visualised in this framework than for most standards – as they are based on a “yes or no” approach, versus NIST’s 0 to 4 scoring.

Conclusion – Understand where you are

Before deciding on which path to walk, it is always a good idea to take your time to analyse industry standards and your organisation’s priorities and goals. Depending on your particular situation, the ideal choice will change. Think about what will bring you more value in the long run, but don’t panic if you think you have made the wrong choice.

In the case of ISO 27001 and the NIST CSF, you have the advantage that several key areas of improvement overlap between both. Plus, they are both well-designed and established choices to raise the level of your business’ activities.

Getting someone familiar with the process can help, so if you need specific advice for your business, feel free to get in touch. We have guided many companies through these paths and will be happy to assist you if you are stuck. It may seem hard, but it is truly a matter of knowing the route to proceed.

Next Steps:

  • Our article Building your Asset and Risk Register may help you in identifying the risks and points that need to be addressed for your business to reach a higher level of compliance.
  • Once you know what these risks are, our article on Developing an Action Plan will explain alternatives and methods to complete your goals.

Thank you for reading. For more Compliance content, please check our blog.
Follow us on Social Media!

Downtime Calculator – How much does downtime cost your business?

Business Continuity
Photo by Tim Mossholder on Unsplash

Estimated Reading Time: 2 Minutes
Downtime could be the difference between a business closing and thriving. Yet it is a fear that tends to vanish from managers’ minds until the very moment it becomes a critical problem. Most businesses, however, face a certain degree of downtime every single day, at less visible levels.

Every time your staff or systems are delayed due to technical inefficiencies, you are experiencing downtime. Just think of how often each employee has to stop working due to freezing computers, random updates, system outages or connection loss.

However, those instances of downtime are commonly seen and often ignored by businesses, categorised mainly as productivity issues. The type of downtime we are addressing in this article is the kind caused by disaster situations. In the worst instances, business operations are forced to stop because of such events, creating a tremendous financial or reputational loss and potentially leading to business closure.

To learn more about organisational risk, read: Understanding and Calculating Organisational Risk

Causes and Effects of Downtime 

In this scenario, depending on which type of disaster has occurred, customers may be unable to shop, the staff may be unable to work, and the damage can hardly be contained if there are no robust Business Continuity procedures in place. It is a scary situation for any business owner, and up to 60% of businesses that go through a major disaster will close their doors.

In today’s world, technology failure and cybercrime are the most typical reasons for downtime amongst companies of all sizes. Depending on how reliant your business is on technology, it could suffer more or less from such adversities.

Calculating and Preventing Damage from Downtime 

The Downtime Calculator helps you understand the level of disruption that such an IT disaster could cause to your business. It should take just a minute to set up and will give you a rough idea of the cost per hour of downtime, depending on how dependent your operation is on technology.

Nevertheless, some costs can’t be precisely estimated, such as the reputational damage or the loss of valuable data. You can access the Downtime Calculator here.


Fortunately, cases like these can be avoided and prepared for, with a budget that would cost a fraction of what such a disaster could potentially reach. By having a Business Continuity plan, a business will have tools, procedures and partners ready to act in case of a failure.

The best approach is to start by identifying the main risks that could affect your organisation and defining the best ways to proceed in any foreseeable scenario. If you want to learn more about Business Continuity and protection, talk to us, and we can give you details of what a good plan looks like. You can also check our Blog for more articles and resources on this topic.

Thank you for reading, and please share with us any thoughts on the blog and on the calculator. Have a good day!

Information Security: Governance vs Maintenance

Information Security Governance vs Information Security Management article by Spector
Photo by Sylvia Yang on Unsplash

Estimated Reading Time: 3 Minutes
Written by: Aaron Nolan
Although they sound similar, Information Security Governance and Information Security Management operate at completely different levels of the business – one at board level and the other at management level. Throughout this blog, we will explore the differences between these functions and explain how they complement each other within the business’s security strategy.

Information Security Governance

Information Security Governance is a framework or standard set out by the board members, directors or partners of an organisation. This system outlines the security goals of the company, establishing how they will operate. In any mature business, the board members, directors or partners of an organisation are solely accountable for the Security Governance. It should be viewed as a non-negotiable business requirement that comes from the top down.

One of the first things a company should do is outline its Organisational Policy Statement, which is also referred to as the master security policy. This statement describes the strategic functions of the organisation and enacts company policy, and it should come across as an essential part of the business’ long-term strategic plan.

Essentially, an Organisational Policy should protect a company’s finances, reputation and assets, so it must detail how the business and its assets should be governed. This allows the organisation to allocate resources based upon their risk.

A key benefit of having a Governance Framework or standard in place is that it ensures goals are in place which can be measured against current performance. It provides shareholders with oversight and reassures them that risk is being adequately mitigated. Our latest article highlights the characteristics and many benefits of adhering to frameworks, guidelines and standards. Click here to read it and discover which we recommend.

Information Security Governance should not only align the framework against the company’s strategic objectives but also ensure that it complies with local and international regulatory laws. Overall, it is an essential part of a business’ risk management strategy, and it will have a direct impact on the course that the company will take over the long term.


Information Security Management

Information Security Management aligns the organisation’s functions to its strategic objectives. It is the practical enforcement of the policies and practices defined by the Information Security Governance structure. The organisation’s senior management is responsible for implementing these controls and ensuring that they are being adhered to on a daily basis. Therefore, the Security Governance authorises the Security management to make decisions on the company’s behalf.

Information Security Management also covers the management of vulnerabilities and potential threats posed to the organisation. As such, it is the responsibility of senior management to manage risk on behalf of the organisation. This also implies that any risk not detected by C-level management may not be effectively addressed by Information Security Management. Senior management is responsible for managing risk, but not accountable for it.

Senior management is also expected to oversee project management to ensure that the strategy set out by the Governance structure is worked towards. Senior management has full use of the allocated budget to develop projects that reach the framework or standards set by the Security Governance.


In Conclusion

Information Security Governance is crucial for any business as it not only allows for budgeting for both capacity and new technologies but it also helps prepare for times of disaster. Negligence in the area of Information Security Governance can result in board members, directors or partners being held responsible for breaches, damage to company reputation or even financial loss.

Information Security Governance helps to outline goals, standards or frameworks for an organisation to achieve. Indeed without any of these things, an organisation’s procedures can never be defined.

Security Governance is a “buy-in” from the top level of the company, and it is necessary for the Information Security Management to work within a company.

Thank you for reading. For more compliance advice, visit our Blog.
Follow Spector on our Social Media channels for more exclusive content.

Governance: Understanding guidelines, frameworks & standards

Image for blog on Guidelines, Frameworks and Standards
Photo by Rikki Chan on Unsplash

Estimated Reading Time: 4 Minutes
Written by: Aaron Nolan
Having a Guideline, Framework or Standard is fundamental for a business to define policy and assess its risk. Many companies are constrained in how they operate by guidelines, frameworks or standards, whether these come from the Central Bank, HIPAA or ISO27001. The level to which these are applied varies, depending on the company’s view of risk.

Guidelines

A guideline is a recommendation, typically by a governing body, on the operational actions an organisation should take when there is no defined standard or framework in place.

An example of this is the Central Bank of Ireland’s handbook for Credit Unions or Financial Services, which is advisory in nature and not mandatory for institutions to follow. Guidelines assist the organisation in meeting its legal and regulatory requirements by offering best practice advice. They provide recommendations on how standards or baselines should be implemented.

The main benefit of guidelines is that they can be adapted to suit the context of the business, allowing flexibility in implementation. They can be adjusted, modified and scoped to work with the company’s needs.

However, one of the main drawbacks of working from a guideline is that guidelines are subjective and not clearly defined, leaving a lot of grey areas of uncertainty.

Frameworks

A framework is a conceptual structure defined by the governance of an organisation to set out policies within the company. This is a top-down approach with the main stakeholders identified first, along with their needs and their appetite for risk. Those who will manage the policies on a day-to-day basis are determined at a later stage.

An example of a framework would be NIST or COBIT, with clearly defined policies and controls to be implemented. Frameworks do not specifically need to come from one source as organisations can draw from several standards to develop their own structure.

The benefit of having a Framework over a Guideline is that there are clear controls and policies that need to be in place and adhered to. Another advantage is that you can draw from several resources to build your own framework.

The main disadvantage of drawing from several frameworks is that doing so may not make you fully compliant with any specific standard or regulation. Be mindful of which frameworks you use as a reference and whether they are consistent with each other.

Standards

Photo by Victoria Heath on Unsplash

A standard is a mandatory activity, action or rule which is usually verified by a third party and certified. These are typically organisational security standards that specify how hardware and software must be used, in order to satisfy the needs of the standard. Standards are created to support and reinforce policies while providing more detail and direction on the controls.

IASME gold standard or ISO27001 are examples of standards which have precise controls which organisations must adhere to if they wish to be certified. Independent auditors are employed to verify that the required controls are in place so that the organisation can remain certified by the standard.

A crucial advantage of having standards in place is that they provide reassurance to your customers, third parties and authorising bodies that you take the relevant requirements seriously. They are beneficial for an organisation’s reputation, and they also reassure stakeholders that the required controls are being adhered to.

While there aren’t many drawbacks to adopting a standard, standards can be costly to implement and maintain. Regular reviews are required to keep the certification live, so resources are required, adding further costs.

The One we Recommend the Most

We have a great deal of experience with compliance across several different verticals, which allows us to work with customers in highly regulated industries, such as healthcare and financial services. Over the years we have discovered which frameworks are easier for the majority of people to understand, apply and follow.

One of these Frameworks is the NIST Cyber Security Framework, the most commonly used in the USA to evaluate a business’ technology infrastructure. It serves as an excellent place to start because it allows companies to identify what their most significant weaknesses and strengths are, which in turn makes it easier to decide where to focus first.

Looking for a comparison between NIST and ISO27001?
Read ISO27001 versus NIST: Why choose one?

The NIST Cyber Security Framework covers a wide range of a business’ capacity to withstand threats. There are five main categories: identify, protect, detect, respond and recover. Each of these can be rated from 0 to 4, depending on a business’s readiness. Overall, these ratings provide a detailed picture of how a business’s technology infrastructure behaves, which is why we recommend it and use it with our customers.

We have a guide explaining how to effectively leverage the NIST Framework to bring your security and compliance to the highest level. With it, you can build a risk management system tailored to your organisation. It’s available in this link.

In Conclusion

Depending on the maturity level, risk appetite and resources available; an organisation’s governance structure should be able to select a guideline, framework or standard that works best for the company.

The implementation of a framework such as NIST should be the foundation for any risk-averse company. Having a framework like NIST allows for the budgeting of resources, capacity planning and the costing of technology improvements.

Security Frameworks are vital for the success and progression of a company, whereas standards are “nice to haves”. Once the organisation has implemented a framework and brought it to its highest level, only then should they look at standards in order to improve its reputation or marketing value.

Thank you for reading! For more compliance advice, visit our Blog.
Follow Spector on our Social Media channels for more exclusive content.

How Your Staff Put Your Business at Risk of Invoice Fraud

Credit Card lock
Photo by Ryan Born on Unsplash

Estimated Reading Time: 4 Minutes
Invoice Fraud – aka Beneficiary Change Request – is an increasingly common practice in today’s world. The increasing reliance on email communications has made Businesses much more vulnerable to Cyber Criminals and Social Engineering practices. Moreover, this Cyber Security incident easily bypasses your Anti-Virus or Firewall protection – instead, it relies on your staff and on how well-trained they are to recognise the threat.

Another common type of Fraud that has gained popularity over the previous years is the CEO Fraud, and you can read about it and educate your staff here.

What exactly is Invoice Fraud?

In this fraud scenario, a Cyber Criminal will pose as a trusted party and will seek to redirect payments. Typically, they will mimic the identity of a known supplier and communicate directly via email with the person in your company responsible for managing expenses.

There are cases in which the supplier’s email accounts have been compromised, and others in which criminals are using “spoofed” accounts, which appear as if they are coming from a trustworthy address. Learning to identify a suspicious email is one of the best ways to address this topic, and we have an article about it here. Reading this and sharing with your staff is a good start.

The content of this message is the vector of attack. What, on the surface, looks like a legitimate communication regarding financial details may be a case of Invoice Fraud. Often, the criminal will pose as a new account manager working at a partner company and inform your staff that the partner’s banking details have changed. Usually they will not even ask for money right away, which makes the scheme subtler.

Instead, they will patiently wait for the period that businesses usually pay their invoices and it could take a long time for everyone involved to realise what has happened.

How does Invoice Fraud happen? – An Example

Emma, a member of the accounts payable team, receives an email from John – a known contact for a supplier. The email notifies Emma of a change in banking details, in a polite and formal tone. Emma replies asking for telephone confirmation, which is required according to company policy.

John responds to say that he is on a business trip but that his colleague, ‘Brian’, is managing confirmations in his absence. Brian then calls Emma, confirms the request to change the banking details and sends an invoice – which Emma pays to the new bank account.

A few days later, Emma receives an email from John requesting payment for this same invoice. Emma immediately rings John and discovers that their bank details have not changed and that no Brian works for the company. It is only then that they discover they have fallen victim to Invoice Fraud and the money is gone.

Please Note: this type of fraud can be, and often is, accompanied by additional telephone communications, which only serve to make it appear much more genuine. Do not underestimate how sophisticated and patient fraudsters have become.

In these situations, it can be hard to pinpoint who is at fault for the money loss. If the email account used to communicate the change of details was compromised, then people may want to hold the supplier accountable for the breach. However, in the end, it always falls to the organisation making the payment to have robust confirmation policies and ensure that they are communicating with legitimate company contacts.

Person holding card for online transaction - potential victim of Invoice Fraud
Photo by rupixen on Unsplash

How to Avoid Invoice Fraud

As previously mentioned, Anti-Viruses and tools will only do so much to protect you. A Cyber Security company can do a lot for your business, but an email inbox cannot be 100% secured. Indeed, while an inbox should have filters and protection, there always has to be an opening for new, seemingly secure emails – or the whole point of the channel becomes lost.

Therefore the best defence against this threat lies in staff training. Learning to identify a suspicious email is crucial as it will not only help to prevent Invoice Fraud, but it will protect your company against a wide variety of Cyber Attacks.

As employees are educated on this type of fraud, payment policies should also be reinforced. The following points should be standard procedure for transactions:

  1. Validate all change requests you receive beyond the channel they came from. Go to the company’s official website (don’t click on links from a suspicious email) and look for contact information, preferably telephone numbers.
  2. Create your own customer, supplier and payee profiles.
  3. Independently confirm requests with established approved contacts to verify any transfer requests.
  4. Beware of requests for immediate or urgent payments. Watch the language and tone being utilised and verify the sender’s identity.
  5. Keep track of your invoice routine and don’t merely pay something as soon as it comes up. Confirm all details verbally and in writing with the responsible parties.
  6. Send a test transaction, with a small value of money, to the new account and confirm receipt with the legitimate beneficiary.
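The six policy points above can be written down as a review checklist that accounts payable runs before a payee change is accepted. The following is an added example of such a checklist in Python; it is not Spector’s tooling or a product the article describes. The supplier profile, the phone numbers and the contact names are constructed placeholders that mirror the Emma, John and Brian scenario described earlier: the sender’s domain matches because John’s real mailbox was compromised, so the check that catches the fraud is that the confirmation call went to a number supplied in the email rather than the one on file, and was answered by someone not on the approved-contact list.

```python
"""Beneficiary-change review modelled on the six-point payment policy above.

Added example, not Spector's tooling. The supplier profile, phone numbers and
contact names are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Words that point 4 tells staff to treat as a warning sign.
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "right away")


@dataclass(frozen=True)
class SupplierProfile:
    """Your own record of a supplier (point 2), built from independent sources."""
    name: str
    email_domain: str
    verified_phone: str                  # taken from the supplier's official website, never from an email
    approved_contacts: FrozenSet[str]    # people authorised to confirm bank-detail changes


@dataclass
class ChangeRequest:
    """What accounts payable has in hand for one bank-detail change."""
    supplier: str
    sender_email: str
    body: str
    callback_number: Optional[str] = None   # number your staff dialled to confirm (points 1 and 3)
    confirmed_by: Optional[str] = None      # who confirmed on that call
    test_transfer_confirmed: bool = False   # small test payment acknowledged by a known contact (point 6)


def review_change_request(req: ChangeRequest, profiles: Dict[str, SupplierProfile]) -> List[str]:
    """Return every policy point the request still fails; an empty list means it may proceed."""
    profile = profiles.get(req.supplier)
    if profile is None:
        return ["no supplier profile on file; build one from independent records first (point 2)"]
    findings: List[str] = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != profile.email_domain:
        findings.append(f"sender domain {sender_domain} does not match profile domain "
                        f"{profile.email_domain} (point 1)")
    if any(word in req.body.lower() for word in URGENCY_WORDS):
        findings.append("request uses urgency language; slow down and verify identity (point 4)")
    if req.callback_number is None:
        findings.append("no out-of-band confirmation call recorded (points 1 and 3)")
    elif req.callback_number != profile.verified_phone:
        findings.append("confirmation call used a number not taken from the supplier profile (point 1)")
    if req.confirmed_by is None or req.confirmed_by not in profile.approved_contacts:
        findings.append(f"confirmed by {req.confirmed_by!r}, who is not an approved contact (point 3)")
    if not req.test_transfer_confirmed:
        findings.append("test transaction not yet confirmed with the legitimate beneficiary (point 6)")
    return findings


def may_pay(req: ChangeRequest, profiles: Dict[str, SupplierProfile]) -> bool:
    """True only when no policy point is outstanding."""
    return not review_change_request(req, profiles)


# Constructed data mirroring the Emma / John / Brian scenario in the article.
PROFILES = {
    "Acme Supplies": SupplierProfile(
        name="Acme Supplies",
        email_domain="acme-supplies.test",
        verified_phone="+353-1-555-0100",          # placeholder number
        approved_contacts=frozenset({"John"}),
    )
}

# John's real mailbox is compromised, so the sender domain matches; 'Brian' is reached on a
# number supplied in the email and nobody has sent a test payment yet.
BRIAN_REQUEST = ChangeRequest(
    supplier="Acme Supplies",
    sender_email="john@acme-supplies.test",
    body="Please note our banking details have changed. Kindly use the new account for the attached invoice.",
    callback_number="+353-1-555-0199",          # number 'Brian' gave, not the one on file
    confirmed_by="Brian",
)

# The same request handled per policy: call the number on file, John confirms, test payment acknowledged.
VERIFIED_REQUEST = ChangeRequest(
    supplier="Acme Supplies",
    sender_email="john@acme-supplies.test",
    body="Please note our banking details have changed.",
    callback_number="+353-1-555-0100",
    confirmed_by="John",
    test_transfer_confirmed=True,
)

if __name__ == "__main__":
    for label, req in (("Brian's request", BRIAN_REQUEST), ("verified request", VERIFIED_REQUEST)):
        print(label, "->", review_change_request(req, PROFILES) or "OK to pay")
```

The deliberate design choice is that the review never trusts anything that arrived with the request itself: the phone number, the contact name and the bank details all have to be checked against a profile the business built independently beforehand, which is exactly what point 2 asks for.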

Armed with this knowledge and by being made fully aware that they are the most common targets, your employees should be able to avoid being tricked by any potential Cyber Attacks. Remember, don’t hesitate in educating your staff – these threats are happening every day.

Here at Spector, we can provide this training to your staff as part of our Cyber Security offering. Education, evaluation and occasional phish tests are conducted to ensure that your staff are being vigilant and able to identify any suspicious communications. This is only part of the service included, and if you are interested in discussing this in greater detail, please feel free to contact us.

We will be able to answer your questions and have a better understanding of your needs. For more details on how we operate, read our Brochure Cyber Security Gap Analysis – it explains how the process begins and the first steps we will take to mitigate your technology risk.

Thank you for reading.

The Risk of CEO & CFO Fraud – How it happens and how to avoid it

CEO desk empty with a computer on top
Photo by Luke Chesser on Unsplash

Estimated Reading Time: 6 Minutes

CEO and CFO Fraud have been continuously hitting the news in the past few years. One of the most well-known cases targeting a large enterprise reached a value of €47 Million being sent to a fraudulent account.

However, since last year, we have seen a fast-growing number of cases among Small and Medium Businesses. Cyber criminals and hackers have found that although these companies offer smaller gains, they are easier to trick and target due to weak Cyber Security and virtually no training.

Globally, these attacks are now costing over €200 Billion per year for SMEs.

This article will bring a detailed overview of this serious issue. If you want to learn more about it, make sure to check our Essential Guide on How to Avoid Identity Theft, available for free, or read our blogs on the subject linked at the end of this post.

Real-Life Examples

Recently we have witnessed a case in which a person was convinced to send €700 in gift cards to a fake CEO. If the criminal has the right email and the right attitude, they may be able to persuade their targets to do the most incredible things.

In some exceptional cases, we have seen Cyber Criminals monitor an email account for weeks or months until an important supplier meeting was due to happen. When the time comes, they send an email to the CFO saying that the meeting was a success and asking for a money transfer to close the deal. The account details provided are the criminal’s, and they will quickly withdraw the money and disappear.

Businesses have lost millions already due to these practices, which can be avoided with basic Cyber Security training.

How does CEO Fraud Happen

The main thing all cases of CEO/ CFO Fraud have in common is the channel used for the attack: your email inbox.

Hackers will try to obtain access to the email address of the CEO or an important member of the board with direct access to the Finance department.

They will then try to find a situation in which a money wire seems to make sense. As soon as the moment arises, an email will be sent to the Finance Director requesting a money transfer to a specific account. The authority of the CEO and the language used for these scams are vital in making it seem authentic.

Open web page with email inbox displayed - the main channel of attack
Photo by Austin Distel on Unsplash

How they will gain access to an account – and why an Antivirus can’t protect you

Cyber Criminals have several ways of obtaining access to an account and stealing an Identity, even if they don’t infect your machine with viruses or malware. We will give a brief explanation of the most common ways below:

  • Phishing Attacks: Cyber Criminals will often try to trick their targets into giving away their personal details or clicking on some link or attachment that will give them access to their machines. To learn how to spot one of these suspicious emails, read our article about it here.
  • Insecure Network Connections: Hackers often exploit public networks due to their vulnerable security settings. If you use one of these networks, avoid accessing work files or sharing confidential information. Your company network may also be an open door for Cyber Criminals if your settings are not correctly configured and your firewall is not continuously monitored.
  • Data Leaks: Cyber Criminals often find passwords on data breaches and leaks. If your company does not have a robust password policy, it is very likely that one of your employees or even yourself is using a password that has already been harvested. If that is the case, criminals can access your account straight away.
  • Password Cracking: Another technique often used by Hackers and Cyber Criminals is to go deep into a target’s social media networks to gain more data about them and attempt to crack their passwords or trick their partners using available information online. By going through old social media profiles, they can find old email passwords – which are often used as Recovery Emails and may be accessed by security questions. This form of attack is extremely targeted to a specific individual, and it works surprisingly well against some people.

To learn about all these in detail, read our Article on How Does Identity Theft Happen, which talks not only about CEO Fraud but also about other techniques used for Identity Theft.

In short, if hackers can access a computer or find a password, there is a high probability that they will be able to infiltrate that account.

There are also some cases in which Cyber Criminals may not even be able to access the real email: they can simply create a fake email account using the target’s first and last name and pretend to be that person writing from a personal account. They will then request a money transfer to an account, claiming it is an urgent matter.

The fact that this form of scam continues to work shows that even if your accounts are secure, you may still be at risk of such frauds. Next, we will discuss the best way to make sure your business will avoid such troubles. If you want to know whether your accounts are safe in the meantime, read Are you Cybersafe? Assessing your Personal Risk of Identity Theft.


The Best Defence: Training & Education

A solid Cyber Security strategy and tools will be enough to push back most Cyber Criminals, but some are bound to persist and may trick your staff into falling for CEO Fraud or Invoice Fraud.

The most crucial step to avoid this ever happening to you is to educate your staff about this issue and adopt security measures to ensure they are secure and will not make any mistakes.

Man speaking on phone while checking computer - confirming if money-transfer request is not a fraud
Photo by Austin Distel on Unsplash

We recommend training courses or sessions, along with a foundation of policies and tools to facilitate this task. Some of the main topics to be addressed should be:

Email Protection:

Since your email is the primary channel used by Cyber Criminals, it has to be as secure as possible. It’s always a good idea to use an Email filtering tool, but even then you cannot shut your doors entirely as valuable prospects and partners may try to contact you via email.

For that reason, everyone in the business, from interns to board level, must be trained in email security. The main points are always to verify the sender address, examine the language and tone, and never open suspicious links or attachments. These tips and more are explored in our article Top Tips to Identify a Suspicious Email.
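“Verify the sender address” is the one point above that lends itself to an automated first pass, and it also covers the two impersonation patterns described earlier in this article: a fake account created in a real person’s name, and a “spoofed” address that looks like a trusted supplier’s. Below is an added example in Python, not Spector’s own tooling, of three header checks a mail team could run before a message reaches staff. The company domain, the executive directory, the partner domains and the three sample messages are all constructed for illustration.

```python
"""Header checks for the 'verify the sender address' advice above.

Added example (not Spector's tooling). The domains, the directory and the
sample messages are constructed for illustration.
"""
import email
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example-company.test"                      # assumed internal domain
EXEC_DIRECTORY = {                                           # constructed: display name -> real address
    "jane doe": "jane.doe@example-company.test",
}
TRUSTED_DOMAINS = {COMPANY_DOMAIN, "acme-supplies.test"}     # constructed partner domains


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. one swapped character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw_message: str) -> List[str]:
    """Return the reasons a message deserves out-of-band verification (empty list: none found)."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = _domain(from_addr)
    findings: List[str] = []

    # 1. Display-name impersonation: a known person's name on an address that is not theirs.
    expected = EXEC_DIRECTORY.get(display_name.strip().lower())
    if expected and from_addr != expected:
        findings.append(f"display name {display_name!r} belongs to {expected} but the address is {from_addr}")

    # 2. A Reply-To on another domain silently moves the conversation elsewhere.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}")

    # 3. Look-alike domain: within two edits of a trusted domain but not equal to it.
    for trusted in sorted(TRUSTED_DOMAINS):
        if from_domain != trusted and _edit_distance(from_domain, trusted) <= 2:
            findings.append(f"sender domain {from_domain} looks like trusted domain {trusted}")

    return findings


# Constructed sample messages (headers only matter here).
IMPERSONATION_MSG = """From: Jane Doe <jane.doe1985@freemail.test>
To: finance@example-company.test
Subject: Quick favour

Are you at your desk? I need a transfer arranged.
"""

LOOKALIKE_MSG = """From: Accounts <accounts@acme-supp1ies.test>
Reply-To: accounts@acme-supp1ies.test
To: payments@example-company.test
Subject: Updated bank details

Please note our bank details have changed.
"""

LEGIT_MSG = """From: Accounts <accounts@acme-supplies.test>
To: payments@example-company.test
Subject: Invoice 1042

Invoice attached as usual.
"""

if __name__ == "__main__":
    for label, sample in (("impersonation", IMPERSONATION_MSG), ("look-alike", LOOKALIKE_MSG), ("legitimate", LEGIT_MSG)):
        print(label, "->", check_headers(sample) or "no header findings")
```

None of these checks proves a message is fraudulent; a legitimate contact may well write from a personal address or set a different Reply-To. What they do is decide which messages get the telephone confirmation the article recommends, so the list of findings is best treated as a trigger for that call rather than as a verdict.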

Strong Passwords:

A Strong Password Policy is of crucial importance in defence of your systems. Users must use strong passwords, change them regularly and never use work passwords on other accounts.

We have an article on some of the best password creation techniques and tools to make your life easier and increase business security. It is available here – Your Business Needs Stronger Passwords. Learn How to Create and Manage them.

Elastic Protection:

Cyber Hygiene must be present not only in your work environment but must follow you wherever you go. Mobile devices accompany us everywhere and have a critical role in our lives. The same goes for companies adopting BYOD (Bring Your Own Device), where employees use their personal devices for work. This trend means people have more ways of inviting malicious users into their work environment, and the company has much less control over these machines.

Businesses must utilise Mobile protection tools, be extra careful with insecure networks, and prepare procedures in case of device loss or theft. Encryption and remote wipe tools must be in place, and some level of education is required. We have an article with more details and relevant tips on BYOD, called: Embrace BYOD, but be smart about it.

Money Transfer Confirmation Policies:

Last but not least, even with all the right tools and procedures in place, there will be occasions in which a Cyber Criminal will be lucky or smart enough to bypass the main defences. When that happens, users must be ready and vigilant to make sure they are dealing with the right people.

One effective way of doing this is always to call or contact people asking for money transfers by other channels, to make sure they are aware and actually requesting that. If a suspicious message arrives via e-mail, try reaching people through their phones – even a text message could do it in most cases – or contacting others who are close to them and informed of their plans.

Stop CEO Fraud before it begins

As you may have noticed, this is a big topic full of nuances and points that can be deepened with further research. The best ways to safeguard your business and your accounts are to educate yourself and your staff, using whichever tools are appropriate to create new layers of security.

Identity Theft is the main driver of Financial Fraud. It is a growing and disturbing issue that requires immediate attention.

If you want to read a guide about all these topics with more detail in a single place, we have a Free Essential Guide to Avoid Identity Theft. Download it or share it and help us reduce the number of potential targets.

We are here to provide more information or help you build your own robust Cyber Security. Contact us, and we will be happy to assist.

Preparing for your Cyber Security & GRC Audit

Auditor getting ready for inspection
Photo by Hunters Race on Unsplash

Estimated Reading Time: 9 Minutes
Welcome to our series of articles on Managing Technology Risk and Governance. In this chapter, we will investigate how to prepare for a Cyber Security audit and prepare comprehensive reports for the board. These are recommendations based on our audit and board reporting experience over 15 years. Being ready for it is key to saving time and effort.

The core fundamentals of a cyber security audit are no different from a traditional audit. The auditor will be looking for anything that is out of place and your business has to prove that it is following best practice and addressing any issues. Audit experience is useful in both scenarios.

Adopting a framework prior to an audit can be extremely beneficial, as it will provide your business with direction and illustrate the standards and best practices you should be pursuing. Here at Spector, we recommend leveraging the NIST Cyber Security Framework to succeed in your GRC efforts. To learn more about it, read our Guide to NIST for Financial Services.

What is the purpose of a Cyber Security Audit?

A cyber security audit is a vital process for identifying fundamental weaknesses in your company’s tech infrastructure. These assessments help you verify what lives inside your network, what needs to be protected, and how to improve that protection. Auditors are looking for proof that you are doing the right thing and improving. It is not a name-and-shame process; audits exist to help you grow.

However, as relevant as cyber security audits are, many companies are not very well prepared for them. So, how can you prepare for a cyber security audit so that it can be completed quickly and efficiently?

If time is in your favour, one of the best approaches you can take to succeed at this is to gather and store evidence of your activities. By doing so, you can quickly prove to an auditor that you have been compliant and that every main risk has a control and an owner, which shows accountability. For more detail on this, read the article: Before the Audit – Gathering Evidence to prove Compliance.

Closer to the audit date, there are a number of things you can do to prepare apart from gathering evidence. Here is a short list of the main tips to help you get ready:

Create a Diagram of Your Network Assets

While part of the goal of any audit is to identify potentially unknown assets on your business network, giving your auditor a network diagram saves them time and gives them a head start on their assessment. A network diagram outlines the overall structure of your network: what assets are present, how they are connected, and how traffic flows between them. Many tools exist today that can provide a real-time view of your network assets, which makes gathering this data simpler than drawing diagrams that are out of date by the time you finish them.

Verify with the Auditor Which Stakeholders They Need to Talk to

Board Level Meeting
Photo by Tim Gouw on Unsplash

At some point, the auditor will need to speak to subject matter experts within your organisation to get a complete picture of your cyber security policies and architecture. So, before the audit begins, ask the auditor which of your key stakeholders they will need to talk to during their inspection, set aside time for those stakeholders to attend, and confirm what tools or access the auditor will need during their work.

Build Your Cyber Security Policies into a Single, Easy-to-Read Book

While your auditor will likely interview your staff to get a feel for their grasp of security, it helps for them to have access to your cyber security policies during the audit. Gathering all of the documentation on your business’ cyber security policies and procedures into a single book can be a big help.

Spector provides a book of 20+ cyber security policies as well as other key business documents, which we build into a single policy book. We also include evidence in these documents, as it will likely be asked for. Some examples include:

  • Password policies
  • User Access Controls
  • Acceptable Use Policies
  • Backup and DR Policies
  • Incident Management Procedures
  • Data Mapping Processes
  • Cyber security training logs, and many more.

This policy book helps the auditor understand your organisation’s overall cyber security awareness as well as spot potential gaps in your security policies and procedures that need to be addressed.

Study Up on All Applicable Regulatory and Compliance Standards Prior to the Audit

Most organisations have one or more compliance or regulatory standards that they strive to meet, such as PCI DSS or GDPR. In 2016 the Central Bank of Ireland released its Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks. It is a fantastic resource, albeit a little dated, on what may be expected at audit time.

By educating yourself about your compliance requirements, you can put yourself in a position to work more collaboratively with your cyber security audit & compliance team as well as verify that the suggestions they make are realistic and positive.

Define the Project Scope with the Auditor

One of the most vexing problems companies face is determining the scope of an audit and how to prepare for the review. Without an agreed scope, delays are inevitable: unforeseen events will disrupt the outcome, your time and your costs. An experienced auditor should be able to anticipate these events to some extent and inform you (to some degree) of their requirements in advance.

When discussing project scope for an audit, be sure to ask questions about why the auditor needs certain resources, or if there are any resources they require that you haven’t provided yet. Get details about why specific assessment steps are necessary and what they entail. Be confident!

After the Cyber Security Audit Starts

When the auditor begins making their assessment of your organisation’s cyber security infrastructure, be sure to ask them to bring any significant issues to your attention as soon as possible. No-one needs surprises at the conclusion of the audit. This also gives you a chance to start remediating these issues as soon as you can.

Also, be sure to take any alerts from the auditor seriously and ask for suggestions about how you can fix these issues. Many experienced auditors are familiar with numerous cyber security tools and quick fixes for common problems that you can implement very quickly. However, they may want to complete their full audit before making some recommendations so they can suggest the most comprehensive solution possible.

Dealing with the Board

Board Level Meeting
Photo by Campaign Creators on Unsplash

Concerning the board, our advice is to keep it simple. There are often over 20 items to be discussed at a board meeting. You have a short time window in which to get your point across – and possibly ask for investment.

Educating the board about the relevance and role of your business’ technology infrastructure is a good place to start. We recommend reading the document mentioned above, the Central Bank’s guidance on IT and cyber security risks. It is easy to read and highlights the main requirements and risks for a regulated firm. Once you have introduced them to the topic effectively, your job will be much more straightforward.

Another strong recommendation is to consider adopting a framework such as the NIST Cyber Security Framework. It covers 5 key functional areas that are imperative for a robust cyber security strategy: Identify, Protect, Detect, Respond, Recover. In short, the framework comprises several relevant practices, ranging from user training to backups and security tools. It is simple enough to present to the board quickly while keeping all the detail beneath the surface.

The following insights will also help you get your message across in the best way possible.

Guiding principles for board reports

  • Relevant: relevant to the audience (full board; key committee).
  • Reader-friendly: use summaries, callouts, graphics and other visuals; avoid technical jargon.
  • Meaningful: communicate insights, not just information; highlight changes, trends and patterns over time.
  • Concise: avoid information overload.
  • Discussion: reports should also enable dialogue and debate.
  • Continuous improvement: review the format and content regularly.

Key questions to help identify and develop cyber security metrics

What metrics do we have that indicate risk to the organisation? Boards need to know that the organisation’s critical assets are being protected.

One advantage of using the NIST Cyber Security Framework is that it gives the board an easy-to-understand scoring system based on 4 implementation tiers (Partial, Risk Informed, Repeatable, Adaptive). As you advance and tackle technology risk, your score should increase in each of the areas and bring you to a new tier, in line with your target profile and priorities. One caveat: NIST itself notes that the tiers describe the rigour of your risk management practices rather than a formal maturity model, so present them to the board as a progress indicator, not as a certification.

NIST Implementation Tiers Scoring System
NIST Implementation Tiers

For more information on these tiers and on how NIST works, read:
The Guide to NIST for Financial Services Organisations

Whatever framework you are using, these are the main questions you should be considering:

What investments are necessary for cyber security?

Organisations need to understand their current and future cyber security needs before they decide what investments will drive down risk. Useful questions include:

  • What initiatives were not funded in this year’s budget, and why?
  • What trade-offs were made?
  • Do we have the right resources, including staff and systems, and are they being deployed effectively?

How do we measure the effectiveness of our organisation’s cyber security programme and how does it compare to those of other organisations?

Board-level metrics should highlight changes, trends and patterns over time, show relative performance, and indicate impact. External cyber security specialists may be able to provide useful comparisons within industry sectors.

If you are leveraging the NIST Framework, you can easily visualise your progress across all key functional areas. The best way is to record your initial profile and compare it with your current and target profiles, as in the chart below:

Scorecard

To give you an idea of your current NIST profile, we have developed a simplified Self Assessment Tool that you can use to evaluate your business and identify your current and target profile. By using this tool, you should be able to have a better practical understanding of how useful NIST can be. Keep in mind that it is a simplified version of the framework and it doesn’t cover all bases normally addressed by the full scope.

How many data incidents (e.g. exposed sensitive data) has the organisation experienced in the last reporting period?

Report Dashboard
Photo by Stephen Dawson on Unsplash

This metric will inform conversations about trends, patterns and root causes. Remember to reinforce the fact that incidents are bound to happen – it’s not a matter of “if”, but “when”. How effectively the organisation reacts to these incidents is the primary point of discussion.

How do we assess the cyber-risk position of our suppliers, vendors, JV partners and customers?

Supply chain relationships typically pose increased risk for organisations given the degree of system interconnectivity and data-sharing that is now part of everyday business operations. Useful questions include:

  • How do we conduct ongoing monitoring of third-party risks?
  • How many external vendors connect to our network or receive sensitive data from us?

What metrics do we use to evaluate cyber security awareness across the organisation?

People are often the biggest cyber security threat for many organisations. Data about policy compliance and the implementation and completion of training programmes will help inform conversations about insider risks.

Using these Insights to be Audit-Ready

Throughout this content series, we have provided you with the tools and knowledge you need to perform much better at this stage. This knowledge is based on years of experience operating in many regulated industries and on our internal lead-auditor capabilities.

It’s the material we wish we had when we were starting.

The pieces of content you have will aid you in understanding your risks, assessing your vulnerabilities, and prioritising and acting on them. The material can give your business a significant edge in this area, and you should use it as a competitive advantage.

If your objective is to get audit-ready and increase your organisational maturity, you should be in a much better place by now. However, to keep your business ready for the future and secured against evolving risks, you still need a system that evolves with them.

Building a Risk Management System – Simplifying the Process

Here at Spector, we have two basic service offerings in this area: the Gap Analysis and the Cyber Security Programme.

We usually recommend that companies begin with the Gap Analysis, as it gives us more knowledge of your setup and a clear direction for your needs. This service is a project to analyse and identify the most critical vulnerabilities in your structure. Our team can complete it in a short period with minimal disruption. To learn more about how it works and what is involved, read our Gap Analysis brochure, available on this link.

The Cyber Security Programme is the step that follows the Gap Analysis; it addresses the actual mitigation of your risks and the development of your structure on a continuous basis. We deploy our tools and resolve the most urgent issues, then initiate new projects to reach your business goals. This closes the gap between the desired and current state. If you want to learn more about this stage, we have information available on this link.

Both solutions help turn this daunting process into a routine and uncomplicated job. If you have questions, feel free to Book a Call with us. We will be happy to learn about your challenges and figure out the best solution.

Thank you for reading! If you have found value in this content, please share it with others who may feel the same way. Follow us on Social Media for more exclusive content.

 

Developing an Action Plan to Address your Technology Risk

Action Plan and Scorecard
Photo by Jakob Owens on Unsplash

Estimated Reading Time: 7 Minutes
In this article, you will learn about the crucial components to consider when creating an Action Plan to address technology risk. In reality, even though technology risk has plenty of complexities and details, the logic behind the action plan should be quite similar to the one guiding a standard risk management plan.

Serious about managing technology risk? Our best recommendation:
Building a system leveraging the NIST framework to manage risk

Technology risk is ever-changing and intricate, and it cannot be ignored. In today’s world, the odds of facing a technological disaster are higher than those of a natural one, and the consequences can be just as severe. Loss of critical business data and equipment, staff unable to operate, customers unable to buy: the more dependent you are on technology, the higher the risks.

That being said, there is no reason to panic. Once you have an idea of your main assets and the risks you could be facing, you can begin to tackle them by order of priority. If you haven’t yet identified them, you can start by reading Building an Asset and Risk Register. There you can find a sample Risk Register and more useful information, so check it out and come back when you’re ready.

Leveraging the Risk Register to define your Prioritised Plan of Action

The key result from establishing a full Risk Register is that your core and most critical risks rise to the top for all to see. Your plan is now to define how to handle these risks.

First you need to understand your inherent risk, assessing the consequences and likelihood of failure. If the inherent risk is high, with damaging effects, you need to treat that risk by applying a control and reducing it to a tolerable level. However, that is not your only option.

Every company can adopt different methods for addressing IT risk, some qualitative and others quantitative. In our practice, we use the NIST CSF approach to get most organisations advancing, and an ISO 27001 approach for those looking to maintain a higher level of compliance, such as financial services or healthcare.

Let’s take a look at the options open to you as the Risk manager with some examples that will hopefully allow you to understand how to manage your risks.

Option 1 – Employ controls to mitigate risk

A control gives you the ability to change the inherent risk outcome. For example, you may decide that you cannot afford to lose more than 1 hour of data from your core business system (ERP), because recovering that would be an operational nightmare; in other words, you have set a recovery point objective of one hour.

You can apply a control such as more frequent backups of the system, say every 15 minutes. In this case, the control already existed and just needed to be tuned to address the risk of data loss.

For the sake of comprehensiveness, three types of security controls will assist in mitigating risk:

  • Management controls: The security controls that focus on the management of risk and the management of information system security.
  • Operational controls: The security controls that are primarily implemented and executed by people (as opposed to systems).
  • Technical controls: The security controls that are primarily implemented and executed by the system through the system’s hardware, software, or firmware.

It is the combination of all three types of controls that provides robust security. In the example above we have a Disaster Recovery Plan (management control), which is operated by your internal or external IT resource (operational control), while backup and recovery software and hardware deliver the ability to recover (technical controls).

A common problem with controls is that they often make systems harder to use. When usability suffers, many users will try to circumvent security controls; for example, if passwords must be long and complex, users may write them down.

Balancing security, functionality, and usability is often a challenge. The goal should be to strike a proper balance: provide a reasonably secure solution while offering the functionality and usability that users require.

Option 2 – Transfer risk

Risk transfer is a risk management strategy that involves the shifting of an identified risk from one party to another. The simplest example, of course, is the purchase of an insurance policy, by which a specified risk of loss is passed from the policyholder to the insurer.

In terms of IT risk, there are now cyber liability policies that provide first-party cover as well as a host of additional benefits (legal, HR and PR advice) that allow an organisation to offset operational and reputational risks. Bear in mind that insurance transfers the financial loss only: regulatory and operational accountability for an incident stays with you, and the insurer will expect the controls declared on the proposal form to actually be in place.

Option 3 – Cease risky activity

Risk Activity
Photo by Jairph on Unsplash

There is always the option to cease a risky activity altogether. It is not uncommon to accept the status quo of how things have always been done even when those activities expose you to risk.

With the arrival of GDPR, we have advised many clients on how they share information both within and outside of their organisations. It has meant that they now have entirely ceased the sending of personal data through unsecured means. They have sought different ways of moving that data or changed processes to suit the security requirement.

Option 4 – Accept the risk

Risk acceptance means acknowledging the identified risk and taking no further action to reduce it, because you can tolerate the potential consequences. For example, you may decide to accept a risk because the cost of eliminating it is too high. If you choose to accept a risk, record and justify that decision.

An Auditor may not see this the same way that you do so it is essential to be able to stand over your reasoning.

Ownership, Accountability and Frequency

Although Risk Registers are unwieldy, they do provide the beginnings of a system and discipline around the assessment and ownership of your IT risks. This lets you schedule reviews and set an agenda for them. Auditors are invested in seeking out evidence that you are doing the right thing.

They want evidence, from logs and activity records through to how you manage your approach to IT risk. Moreover, they are looking for accountability: someone has to own each risk.

This evidence-gathering process is a crucial part of the risk management system, and it should happen in parallel with your actions to mitigate risk. Keeping track of your efforts will make your life much more straightforward in an audit and bring precise accountability on what has and hasn’t been done.

More information on this can be found in the article:
Before the Audit – Gathering Evidence to Prove Compliance

Scorecard

A scorecard is an excellent way of measuring your progress and identifying the main topics to be developed each year or quarter. At Spector, we have used scorecards with customers for many years, and they always bring much more clarity to reports and to the action plan.

The simplest way to measure your score is to leverage an existing classification and scoring system and evaluate how your business is doing. We recommend utilising the NIST Cyber Security Framework, as it covers the most important areas of technological resilience and risk, with the added benefit of being incredibly easy to understand and present to the board.

As you address your risks and improve your cyber security maturity, you will be able to update your scores on your NIST profiles under the 5 key functional areas of Identify, Protect, Detect, Respond and Recover. Each of these areas has a number of categories and subcategories, which you can use to assess your level of cyber resilience. Depending on how well your business is doing, it will fit into one of the 4 implementation tiers.

NIST Implementation Tiers Scoring System
NIST Implementation Tiers

As you advance and tackle technical risk, your score should increase in each of the areas and bring you to a new tier, according to what your target profile and priorities are. Make sure to keep this up to date and celebrate your progress.

For more detail in how to leverage the NIST framework to tackle technology risk, read:
The Guide to NIST for Financial Services Organisations

To get you started, we have developed a simplified Self Assessment Tool that you can use to evaluate your business and identify your current and target profile. By using this tool, you should be able to have a better practical understanding of how useful NIST can be. Keep in mind that it doesn’t cover all bases normally addressed by the framework, especially since we have shifted it from a levelled approach (1-4) into a “yes or no” approach to keep things simple.

In the following chart, you can see the starting profile, current working profile – i.e. as it is today or at last review – and target Cyber Security profile, based on the 5 functional areas of the NIST Cyber Security framework. The tool gives a simple view of how you are progressing your Cyber Security maturity levels.

NIST CSF Scorecard - Starting, Working and Target Cyber Security profiles
Example of a NIST scorecard chart

These tools and knowledge should help you define a clear path to begin addressing your risk. Not only that, but you will be able to prioritise actions and understand where your business is improving and where it still needs to improve.

Continue Tackling the Risk – After the Action Plan, prepare for the Audit

The next part of the series that we will discuss is about Evidence Gathering – which, as discussed above, means maintaining data that proves you are being compliant and improving your practices. It is a process that should happen in parallel while you are executing your action plan, and it will make your life much more comfortable during an audit.

For more tips and advice on how to present your progress to an auditor or the board, read: Preparing for an Audit – how to tackle cyber security and discuss it with the board.

As always, talk to us if you need specialised assistance. A reliable IT and Risk Management system will provide your Action Plan with the attention it deserves. At Spector, we specialise in technology risk management and have the tools and experience to make this process look simple.

Thank you for reading! Follow us on Social Media for more exclusive content. If you have found value in this content, please share it with others who may feel the same way. Be sure to leave a comment below if you have any queries or feedback about this topic.

 

Building your Asset and Risk Register to Manage Technology Risk

Photo by timJ on Unsplash

Reading Time: 7 Minutes
In this article, we will deal with the development of your Asset Register and Risk Register – critical tasks to manage Compliance and regulatory requirements in your organisation. If you need an introduction to risk management, read: Understanding and Calculating Organisational Risk

At the end of this post, you can download a sample Risk Register. Fill it with your business’ risks and details to build your own register.

Technology risk has its unique characteristics and is becoming increasingly common and dangerous to businesses of all sizes. Your business is more likely to fall victim to a cyber attack than fire, for example, and the consequences of such an attack could be just as dreadful. 

Most people who seek our advice don’t consider themselves fit to handle technology risk. Yet, in reality, much of the knowledge applied here is similar to other areas in risk management. We tend to recommend leveraging the NIST Cyber Security Framework to tackle technology risk, as it makes the whole process much more manageable. We have a detailed guide on that, here.

Prefer this content in a video? Watch the Webinar below:

Asset Register

Building an asset register helps clarify what is valuable in your company and who is responsible for it. Moreover, without knowing what you have and who is in charge of protecting these assets, you can never fully understand technology risk in your business.

When building an asset register, we draw on our ISO 27001 knowledge and use the definition from the 2005 revision of ISO/IEC 27001, which defines an asset as “anything that has value to the organisation.”

Think about that for a moment as it covers a lot of ground. Necessarily so.

Why are assets important for information security management?

There are two reasons why managing assets is essential:

1) We use Assets to perform the risk assessment. Assets are usually the key element of identifying risks, together with threats and vulnerabilities.

2) If the organisation doesn’t know who is responsible for which asset, chaos would ensue – defining asset owners and assigning them the responsibility to protect the confidentiality, integrity and availability of the information is one of the fundamental concepts in IT Risk management.

How to build an asset inventory?

Inventory Asset Management
Photo by Samuel Zeller on Unsplash

If this is your first attempt at creating an asset inventory, the simplest way to build it is during the initial risk assessment process because this is when all the assets need to be identified, together with their owners.

The best way to build an asset inventory is to interview the head of each department or outsourced service provider (if appropriate), and list all the assets a department uses.

We use discovery tools that automate the gathering of this information for technical resources that may be less obvious, e.g. virtualisation hosts, switches and routers, as these are often forgotten.

This process is further supported by walking around and recording what you see being used and done. It is always amazing what your staff know about what is stored and used in your business.

You may already have several elements of this asset register to hand, in which case you only need to compile them under the headings as described below.

Building the asset register is usually done by the person who coordinates the Risk Management process, and this person collects all the information (hopefully with plenty of help) and makes sure that the inventory is updated.

What to include in your asset inventory:

In the asset register that we are looking to build today, we suggest the inclusion of assets under the following headings:

  1. Hardware – e.g. laptops, servers, printers, but also mobile phones or USB memory sticks.
  2. Software – not only the purchased software but developed software and freeware.
  3. Information – not only in electronic media (databases, files in PDF, Word, Excel, and other formats) but also in paper and other forms.
  4. Infrastructure – e.g. offices, electricity, air conditioning – because those assets can cause a lack of availability of information.
  5. People are also considered assets because they also have lots of information in their heads, which is very often not available in other forms.
  6. Outsourced services – e.g. IT services, legal services or cleaning services, but also cloud-based services like Microsoft Office 365 and enterprise file sharing solutions such as Egnyte. Such services need to be controlled in much the same way as assets, so they are very often included in asset management.

Who should be the asset owner?

The owner is usually a person who operates the asset and who makes sure the information related to this asset is protected.

For instance, an owner of a server can be the system administrator, and the owner of a file can be the person who has created this file. For the employees, the owner is usually the person who is their direct supervisor.

For similar assets used by many people (such as laptops or mobile phones), you can define that an asset owner is the person using the asset.

If you have a single asset used by many people (e.g. an ERP system), then the asset owner can be a member of the board who has responsibility throughout the whole organisation; for a critical business system like this, that could be the CIO or CFO.

When this part is done, you should be able to move to the next stage.

Risk Register

Risk Register
Photo by Green Chameleon on Unsplash

Building a risk register allows you to both assess and treat the risks to all of your identified assets. Although critical, we are often asked why it is so important. The answer is simple, although not understood by many: you need to find out which incidents could occur (i.e. assess the risks) and then find the most appropriate ways to avoid those events (i.e. treat the risks).

On top of that, you also have to assess the importance of each risk so that you can focus on the most important ones first. In NIST terms, this lets you prioritise your next actions based on identified risk.

While building the risk register seems daunting, it is very commonly unnecessarily mystified. These 4 straightforward steps alongside our sample documentation will shed light on what you have to do, and eventually how to present it to an auditor or the board:

1. Risk assessment methodology

This is the first step on your journey through risk management. You have to define rules on how you are going to perform the risk assessment, because you want your whole organisation, and your stakeholders, to apply it in the same way: which scales you use for likelihood and impact, how they combine into a risk level, and which level you consider tolerable. In our example the approach will be quantitative.

2. Risk assessment implementation

Once you know the rules, you can start finding out which potential problems could happen to you. You need a list of all your assets, then you investigate the threats and vulnerabilities related to each of them.

You should assess the impact and likelihood of each combination of assets/ threats/ vulnerabilities and finally calculate the level of risk. Again, our sample risk table will assist you in building out your risk register.

Our experience tells us that companies are usually aware of only 30-40% of their risks. As a result, you will find this kind of exercise both revealing and rewarding.

3. Risk treatment implementation

Not all risks are created equal – you must focus on the most important ones, so-called ‘high’ or ‘critical’ risks, first.

There are four options you can choose from to treat each critical risk:

  1. Apply security controls to minimise the risk.
  2. Transfer the risk to another party, e.g. to an insurance company by buying an insurance policy.
  3. Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different way.
  4. Accept the risk if, for instance, the cost of mitigating it would be higher than the damage itself.

This is where you need to get creative: how do you decrease the risks with minimum investment? The unfortunate truth is that budgets will always be limited, so you need to figure out the best way to mitigate risk at the least cost. We go into more detail on this in the next article, Developing an Action Plan to Address Technology Risk.

4. Risk Implementation Plan

This is the step where all of your hard work and information gathering starts to pay off. Let’s be frank: up to now this whole risk management job has been purely theoretical, but this is where the rubber meets the road and we get some concrete results.

The primary purpose of the Risk Treatment Plan is to define exactly who is going to implement each control, in which timeframe and with which budget.

Once you’ve written this document, it is crucial to get buy-in from your board or top management, as it will take considerable time, effort and money to implement all the controls you have planned here. Without their commitment, these efforts will fail.

Once you’re done, you have just completed the hardest part of your overall risk management strategy. Best of luck!
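The four steps above can be carried through in code. The block below is an added example, not Spector’s sample documentation or risk table: it scores each asset/threat/vulnerability row with a quantitative likelihood × impact method (the 1–5 scales, the risk bands, the treatment decision rule and the sample register are all assumptions constructed for the example), sorts the register so the ‘critical’ and ‘high’ rows come first, picks one of the four treatment options for each, and emits the treatment plan rows of who, when and with what budget.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Step 1, methodology (assumed for this example): likelihood and impact are each
# scored 1..5, the risk score is likelihood x impact (1..25), and the score is
# banded so the register can be sorted and the worst risks handled first.
SCALE = range(1, 6)
BANDS = [(15, "critical"), (10, "high"), (5, "medium"), (1, "low")]


def risk_score(likelihood: int, impact: int) -> int:
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must both be 1..5")
    return likelihood * impact


def risk_band(score: int) -> str:
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    return "low"


@dataclass
class Risk:
    """One row of the register: an asset/threat/vulnerability combination."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    expected_loss: float            # estimated damage if the event happens (constructed)
    control_cost: float             # cost of the security control that would reduce it
    insurance_premium: Optional[float] = None   # None means the risk cannot be transferred
    avoidable: bool = False         # True if the risky activity could simply be stopped
    score: int = field(init=False)
    band: str = field(init=False)

    def __post_init__(self) -> None:
        self.score = risk_score(self.likelihood, self.impact)
        self.band = risk_band(self.score)


def prioritise(register: List[Risk]) -> List[Risk]:
    """Step 2 output: the register ordered with the highest risk score first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def choose_treatment(r: Risk) -> str:
    """Step 3: pick one of the four options. The decision rule is an assumption:
    accept when every treatment costs more than the loss it prevents, avoid when
    the activity can be stopped, transfer when insurance is cheaper than the
    control, otherwise mitigate by applying the control."""
    cheapest = min(c for c in (r.control_cost, r.insurance_premium) if c is not None)
    if cheapest > r.expected_loss:
        return "accept"
    if r.avoidable:
        return "avoid"
    if r.insurance_premium is not None and r.insurance_premium < r.control_cost:
        return "transfer"
    return "mitigate"


def treatment_plan(register: List[Risk], owners: Dict[str, str],
                   days_by_band: Dict[str, int]) -> List[dict]:
    """Step 4: for each high or critical risk, record who acts, by when, with what budget."""
    plan = []
    for r in prioritise(register):
        if r.band not in ("critical", "high"):
            continue
        choice = choose_treatment(r)
        budget = {"mitigate": r.control_cost,
                  "transfer": r.insurance_premium or 0.0}.get(choice, 0.0)
        plan.append({"asset": r.asset, "threat": r.threat, "score": r.score,
                     "band": r.band, "treatment": choice,
                     "owner": owners.get(r.asset, "unassigned"),
                     "due_in_days": days_by_band[r.band], "budget": budget})
    return plan


# Constructed sample register (illustrative figures, not real assessment data).
SAMPLE_REGISTER = [
    Risk("Customer database", "Ransomware", "Unpatched file server", 4, 5, 250_000, 20_000, 30_000),
    Risk("Payroll laptop", "Theft", "Disk not encrypted", 3, 4, 40_000, 2_000),
    Risk("Legacy FTP service", "Credential theft", "Cleartext protocol", 3, 3, 15_000, 12_000, avoidable=True),
    Risk("Office printer", "Toner shortage", "Single supplier", 2, 1, 500, 3_000),
]
OWNERS = {"Customer database": "Head of IT", "Payroll laptop": "Finance manager"}
DUE_DAYS = {"critical": 30, "high": 90}

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER, OWNERS, DUE_DAYS):
        print(row)
```

The medium and low rows are deliberately left out of the plan, which is the point of step 3: the register records every risk, but the plan only commits people, time and budget to the ones that matter most.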

Continue tackling the Risk – Download your Risk Register Sample

Photo by Blake Wisz on Unsplash

From our years of experience working with customers in highly regulated industries – Financial Services, Healthcare, semi-private organisations – we have found that the best way to handle the challenges of managing technology risk and governance is by leveraging the NIST Cyber Security Framework.

We explain how to do it in detail in our Guide to NIST. Its main focus is for Financial Services companies, but every type of business can leverage the framework to deal with risk.

Download your Risk Register Sample Here, and if you have problems using it, watch the webinar near the top of this page.

The Asset and Risk Register are crucial for the development of a Risk management system, but keep in mind that they are only part of that system and not the end result. Now that you are done reading this part, the next one is to Develop your Action Plan to Address Technology Risk.

To continue managing the risk consistently and continually, we have developed our own methodology to assist and guide you through every step. If you are looking for an extra level of detail and a system that will make this process much more comfortable and straightforward, Book a Call with us. We can get you to your desired state of maturity with a tested solution.

Follow us on Social Media for more exclusive content, and as always, if you have any feedback or questions about this article, please do not hesitate to use the comment box below.


How to Avoid the Biggest Cyber Security Risks of 2019

Cyber Security Risks 2019
Photo by Serge Kutuzov on Unsplash

Estimated Reading Time: 4 Minutes
We depend upon technology more each passing year. Just a decade ago the idea of controlling your home using your smartphone was speculative at best, and pure Sci-Fi for most people. Fast forward to today, and most members of the public have a personal technology stack with multiple vulnerability points. This post intends to highlight some of these vulnerability points, and explain how they can be mitigated simply.

Smartphone Security

There is a smartphone app for everything it seems these days. From ordering food at your local fast food outlet, to making payments without taking your credit/debit card out of your pocket. We control our homes, our finances and our lives using our phones. Apart from exercising common sense in the way you use your smartphone, there are some proactive steps you can take to protect yourself, and these include:

  • Set a passcode for your phone that must be entered every time you wake it up.
  • If your phone can use fingerprint or facial recognition to unlock it, use it.
  • Always ensure that the operating system itself, and all of the apps you use, are kept updated.
  • Install antivirus and antimalware software.
  • Regularly review which apps have which permissions on your phone, and remove any permissions that are not required for normal operation.

Internet of Things
Photo by Bence Boros on Unsplash

Internet of Things Enabled Devices

The Internet of Things (IoT) is already changing the way that we interact with the world. From turning the lights on and off, to cooking our dinner for us while we are at work. It is also revolutionising automated systems such as manufacturing lines, and completely re-inventing the way we handle real-time monitoring applications such as security systems. If a device can be intelligently connected to the Internet, it can be used to control, monitor and measure its environment.

This comes at a cost, though. Every single new IoT device adds another potential point of failure when it comes to security. Aged devices running old software riddled with vulnerabilities will create exponentially more security problems in the future. If you are embracing the IoT, make sure every device you use is 100% secure and has no inbuilt vulnerabilities.

Amazon Echo & Google Home

Taking the IoT problem outlined above one step further, we have to talk about intelligent, Internet-connected assistants. Sure, it is great to be able to ask Alexa what time our next meeting is, to play some new music, or to remind us to buy cooking oil the following day, but what happens when an intruder has access to your assistant? Consider how simple it would be for somebody to gain access to your private information just by asking your Amazon Echo or Google Home smart assistant. Always power these devices off when you are out, if you can.

Ransomware, Malware and Viruses

This trinity of malicious software applications is worthy enough to make every list for the last decade or more. As antivirus software becomes smarter, the developers of these applications always seem to stay one step ahead. Your antimalware suite is your first line of defence, but it is often not enough.

Only common sense and the development of safe browsing/downloading habits can keep you 100% safe.

Put simply, if you never do anything that could expose you to malicious code, you can’t get infected.

Wallet
Photo by Simon Rae on Unsplash

PINless Payment Cards

Using a PINless, contactless debit or credit card is incredibly simple. However, what happens when your card comes close to a piece of hardware that is designed to read it and steal the details? You could be standing next to somebody who has such a device in their pocket and never know that your card details have been stolen in this way, until the money is gone from your account. The good news is, the way to mitigate this problem is very simple. Get yourself an RFID blocking wallet or purse, and keep your cards inside it.

In Conclusion

Although the technology that we need to be concerned about with regards to security is fast changing, for the most part common sense is still a perfectly capable first line of defence. Unfortunately, as the number of devices we rely on grows, and the connectivity between these devices becomes ever more complex in its implementation, the number of potential vulnerabilities increases. Keep your own cybersecurity in mind at all times, and try to do nothing that could expose you to risk.

If you want to learn more about Cyber Security, feel free to visit our Blog, or read about the Services we offer to protect Small and Medium Businesses. We also invite you to Talk to Us if you have any specific concerns or would like expert advice on this subject.


Your Business Needs Stronger Passwords. Here’s How and Why.

Password Protection
Photo by NeONBRAND on Unsplash

Estimated Reading Time: 5 Minutes
SMEs and Startups are now the most common targets for Cyber Criminals, and the main reason for that is because they don’t tend to invest enough in Cyber Security and Business Continuity (Backup & Disaster Recovery).

Over 80% of Hacking-related incidents used either weak or stolen passwords, according to the 2017 Data Breach Investigations Report. Indeed, hackers will most commonly try to use employee passwords to gain access to their accounts and your network, so it is critical that you implement a stronger password policy for your business.

Common Pitfalls made by SMEs

One of the most common mistakes that SMEs make with IT infrastructure passwords is not changing default passwords, or using default administration accounts, i.e. Admin or Administrator. These are among the first things Cyber Criminals will exploit when trying to hack your infrastructure.

Furthermore, SMEs often don’t implement a password policy, so they allow staff to use weak passwords without complexity and to replicate the same password across all of their business applications.

If employees use their own devices for work (a BYOD culture), it is even more important to enforce a strong password policy and to keep their devices monitored with anti-virus software, as people will use business applications on their own devices, dramatically increasing the risk.

What does a Weak Password Look Like?

Many things constitute a weak password: low character count, obvious dates and names related to you (birthday, favourite sports team, etc.), picking a dictionary word or name, and easy patterns (like 123456, abcdefg, aaaaaa, abc123).

But most importantly, even a strong password can quickly be compromised if you use the same password for every website and account you create. Cyber Criminals are continually harvesting passwords from Data Breaches, and if you use the same one everywhere, they will eventually get it.

To hack weak passwords, Cyber Criminals tend to use the “brute force” technique: software that tries many different character combinations every second. They start with the most common variations and even insert data about you to make the program smarter. To get an idea of how long a computer would take to crack your password, check the website How Secure is My Password. The results show how big a difference a number, a symbol or an extra character can make.

How to Create a Strong Password

A strong password by itself is the main component of a strong password policy, but not the only one. As mentioned above, even a strong password can be harvested by Cyber Criminals and used against your organisation. Additional components for any business include:

Complexity: the basic requirements we see on most websites are good practice: at least 8 characters, with uppercase, lowercase and special characters.

Automatic Password expiration: Regularly changing passwords every 1 or 2 months will keep your employees much safer against any data breach. By the time Cyber Criminals have found their passwords, they will have expired.

Security tools: these add more layers of security, either by asking users to confirm their identity, by helping them create and store strong passwords, or by securing their applications behind a protected wall of access. We discuss these technologies below.

Unique Passwords: which do not repeat across your accounts. By enforcing this, employees are forced to have robust passwords in place, significantly reducing vulnerability.
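A password policy is only useful if something enforces it at the point where a password is set. The checker below is an added example, not a tool from the article or from Spector: it applies the complexity rule stated above (at least 8 characters with uppercase, lowercase and special characters) and flags the weak-password patterns the article lists: sequential runs such as 123456 and abc123, repeated characters such as aaaaaa, dictionary words, obvious dates, personal terms like a favourite team, and reuse of a password already used on another account. The tiny word list, the three-character run length and the year pattern are assumptions made for the example; a real deployment would check against a full dictionary or breached-password list.

```python
import re
import string
from typing import Iterable, List

MIN_LENGTH = 8

# Tiny constructed word list standing in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "qwerty",
                "football", "dragon", "monkey", "summer", "login"}


def has_ascending_run(pw: str, run: int = 3) -> bool:
    """True if any `run` consecutive characters each step up by one code point
    (catches 123456, abcdefg and the '123' inside abc123)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if all(ord(b) - ord(a) == 1 for a, b in zip(chunk, chunk[1:])):
            return True
    return False


def has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if one character is repeated `run` or more times in a row (aaaaaa)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw: str, personal_terms: Iterable[str] = (),
                   previously_used: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes.

    personal_terms: words tied to the user (team, pet, town) supplied by the caller.
    previously_used: passwords already used on the user's other accounts."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if has_ascending_run(pw):
        problems.append("contains a sequential run such as 1234 or abcd")
    if has_repeated_run(pw):
        problems.append("contains a repeated character run such as aaaa")
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains the dictionary word '{word}'")
            break
    if re.search(r"(19|20)\d\d", pw):
        problems.append("contains a year")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains the personal term '{term}'")
            break
    if pw in set(previously_used):
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for candidate in ("abc123", "Summer2021!", "Kq7#pLm2vX"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The reuse check is the one most organisations skip: it needs the user’s other passwords to be available to the checker, which in practice means running the check inside a password manager rather than on each website separately.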

Password Creating Techniques

Using a phrase and shortcut codes that mean something to you

This simple technique enables you to use a famous phrase or quote without making it obvious. One could use a phrase like ‘One Small Step for Man, One Giant Leap for Mankind’ by Neil Armstrong in the form 1SmSt4Man_1GiLe4MK. If logging in to a music streaming service like Spotify, the phrase could be related to one of your favourite songs, like Billie Jean by Michael Jackson, launched in 1982, which could become: BJmylover(not)-82MJ.

One Strong Password Adapted to each platform

This technique involves the creation of one robust password that can be adapted to different platforms. A simple example suggested by our partner Webroot would be:

ABT2_uz_AMZ! (About to use Amazon)
ABT2_uz_BoI€€ (About to use Bank of Ireland)
ABT2_uz_FB! (About to use Facebook)

The Passphrase – Diceware Method

A practical and uncommon way to approach passwords, whose logic is explained in the comic below. The basic guideline is simply to pick random words – the more random and the less sense they make together, the better – and write them down one after the other. Because of the high number of characters, brute force techniques would take too long to crack the password and are not viable.

As computers have evolved considerably since the creation of the method, the author now recommends using 6 words instead of 4, which you can further complement with numbers or symbols in between for an extra layer of security. The creator of the method recommends rolling dice and letting the random rolls choose the words for you, which is explained in detail here.
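The reason the method’s author moved from 4 words to 6 is arithmetic, and it is worth seeing the numbers. The block below is an added example, not code from the article or from the Diceware project: it generates a passphrase the way the method describes (five dice rolls select one word from a 7776-word list, with an optional random number or symbol between words), computes the entropy that word count gives, and turns it into an illustrative time-to-exhaust figure. The short word list embedded here and the guess rate of 10 billion per second are constructed assumptions so the example runs offline; use the real Diceware list in practice.

```python
import math
import secrets
from typing import Sequence, Tuple

# The real Diceware list has 6^5 = 7776 words, one for every five-dice roll.
DICEWARE_LIST_SIZE = 6 ** 5

# Small constructed word list so the example runs offline.
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet", "hollow",
    "igloo", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pebble",
    "quartz", "raven", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
]


def roll_dice(n: int = 5) -> Tuple[int, ...]:
    """n cryptographically random dice rolls, each 1..6 (the method's physical dice)."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))


def dice_index(rolls: Sequence[int]) -> int:
    """Turn a roll such as (1,1,1,1,1) into a 0-based index into the 7776-word list."""
    index = 0
    for r in rolls:
        if r not in range(1, 7):
            raise ValueError("dice values must be 1..6")
        index = index * 6 + (r - 1)
    return index


def generate_passphrase(n_words: int, words: Sequence[str] = SAMPLE_WORDS,
                        separators: str = " ") -> str:
    """Pick n_words uniformly at random; each gap gets a random separator from the pool,
    so passing e.g. separators="0123456789!?" adds the numbers/symbols the method suggests."""
    if n_words < 1:
        raise ValueError("need at least one word")
    chosen = [secrets.choice(words) for _ in range(n_words)]
    out = chosen[0]
    for w in chosen[1:]:
        out += secrets.choice(separators) + w
    return out


def entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE,
                 n_separator_choices: int = 1) -> float:
    """Entropy in bits: log2(list_size) per word plus log2(choices) per random separator."""
    return n_words * math.log2(list_size) + (n_words - 1) * math.log2(n_separator_choices)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every possibility at an assumed guess rate (illustration, not a measurement)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for n in (4, 6):
        bits = entropy_bits(n)
        print(f"{n} words: {bits:.1f} bits, {years_to_exhaust(bits):,.0f} years to exhaust")
    print("sample:", generate_passphrase(6, separators="0123456789!?"))
```

Four words give about 51.7 bits and six about 77.5; because every extra word multiplies the search space by 7776, the six-word phrase takes tens of millions of times longer to exhaust at the same guess rate, which is the whole argument for the longer phrase.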

“Draw” on your Keyboard

By having a particular shape in mind, it becomes easier to remember a seemingly random sequence of characters. Thinking about ‘!Qaz2wsx£edc4rfv’ may seem hard, but it becomes easier to remember if you look at your computer keyboard and notice the first 4 columns in sequence, from top to bottom. The use of emojis (=^D) and a combination of other characters may also help to increase the safety of a password without making it too hard to remember.

Drawing on Keyboard

Tools for Business and Users

Fortunately, there are some excellent tools to help SMEs along the way. Multi-Factor Authentication can significantly increase password security, as you are adding a new layer of protection. With an MFA tool, a user must confirm that they are the one accessing the account, with a code, a physical device or something that proves their identity (fingerprint, iris, voice).

So, a hacker who has stolen your password will not be able to gain access unless they have also compromised whichever method you are using for confirmation, which should be incredibly difficult. Some MFA tools already on the market are Duo, Google Authenticator and Microsoft Authenticator.

Another handy tool is a Password Manager, which helps users create strong passwords and stores them safely. This means that you only have to remember one password to access the storage, and it will create randomised strong passwords for you, which you can copy and paste conveniently.

A Single Sign-On Portal is also a useful tool that organisations can utilise. It allows different applications to be accessed from a single page – a portal containing log-in information for each member of staff. Once the tool is configured on a clean and trusted device, the employees will be able to use work applications or accounts without the need to remember or enter passwords and log-in.

Above All, Education

Yet out of all these techniques, education is the most essential factor for Password Security. Tools and policies will facilitate positive change and allow managers to have control, but they are irrelevant if employees don’t follow them and insist on using weak passwords or taking cyber risks.

People are the weakest link in Cyber Security, so it is crucial to schedule training sessions and incident simulations for all new and existing staff to keep them up to date on new risks, at least once or twice per year. Once they know what they are doing wrong, they will be able to correct their mistakes and improve their security.

Knowing how to protect yourself and what the most common threats are will take you far in terms of Cyber Security. If you are serious about protecting your business, these are the next steps we would recommend:

Or consider talking to an expert and give yourself some well-earned peace of mind. Talk to us if you have any questions or concerns.

7 Steps to Protect your Business from Cyber Attack

Spector Ascend Continuous Improvement
Photo by Lindsay Henwood on Unsplash

Estimated Reading Time: 4 Minutes

The statistics for Cyber Attacks and Hacking incidents on Small and Medium Businesses are increasingly surprising even for Cyber Security experts. Consider the following data:

  • The average cost of a commercial data breach – including damage to reputation, downtime and fines – is almost €4,000,000.
  • The average time to identify a full data breach is around 200 days.
  • Almost 90% of small to medium-sized businesses that suffer critical data loss due to cybercrime go out of business within 12 months.

These facts paint a dire picture. The feeling of being targeted by a Cyber Criminal is terrifying, but simple and consistent efforts will greatly improve your defences against such practices. In this article, we take a look at the top 7 steps you can take to protect your business from hackers and cyber-attack.

Step 1 – Training, Awareness and Proactivity

The most important step of all is actually starting to take responsibility for the cyber security of your own company. This means keeping up to date on current cyber security issues and making sure that they pose no risk to your company. You and your employees will always be the most vulnerable link, and no software can stop you from accessing dangerous links or bringing infected files onto the company’s network. People must be educated and aware of threats while they access work data.

Step 2 – Adopt a Cyber Security Framework

The next step for all companies should be to adopt a cyber security framework. If you are starting your journey, a simple framework such as Cyber Essentials is a great place to start. For companies looking to address a higher risk maturity level, NIST and ISO 27001 are recognised worldwide and provide a complete system for cyber security management. Any framework will give you structure and set out clear objectives and goals to allow you to manage your exposure to cyber security risk.

Photo by Chris Barbalis on Unsplash

Step 3 – Secure Your Data

There are a number of things you can do to make sure that your data is protected. Firstly, you should intelligently decide who/what needs access to specific datasets and make sure access control is locked down. You can also protect your data by keeping an offsite backup. In a worst-case scenario, this offsite backup could be used to restore business-critical data. You could consider using the services of a technology provider that will handle this for you, managing your entire backup regime and ensuring Business Continuity.

Step 4 – Trust the Experts

Unless you have the internal resources to monitor network and device access internally, it could be a good idea to contract with a third-party service provider to provide real-time monitoring, risk assessment and mitigation. This would revolve around monitoring the company firewall, and also the internal network. The vendor would continuously monitor usage, and instantly highlight any suspicious activity, before taking the proper action to protect your data. If you feel your company could benefit from these experts and would like more detail, we have an article explaining How a Cyber Security company works.

Step 5 – Encrypt It All

Data is only useful to a hacker if it is readable. One of the best ways to negate the negative results of a successful cyber-attack is to use end-to-end encryption. In effect, everything is encrypted, at all times. Therefore, if data theft does occur following a successful penetration of your company infrastructure, the data is useless to the hacker.

Stabilise IT Infrastructure

Step 6 – Monitor Tech Vendors Closely

If you buy in IT services from external vendors, such as cloud storage, SaaS platforms, etc. then you must monitor them closely to ensure they are managing their own cyber security effectively. If a hacker gains access to the infrastructure of a tech vendor, then they are going to also gain access to your business systems hosted by the tech vendor. An SLA needs to be established, outlining exactly what the tech vendor is responsible for from a cyber security point of view. This SLA needs to be monitored closely, and reviewed regularly, to ensure that the vendor is doing all they need to do to protect your data.

Step 7 – Reiterate

Taking steps such as those above should not be considered a fire-and-forget, one-shot deal. You will need to constantly revise your cyber security procedures and processes to keep up with the new methods that hackers and cyber criminals come up with. The best advice would be to set up some kind of cyber security working group that meets regularly and attempts to highlight any new or potential cyber security risks.

In Conclusion

The steps above form a guideline on how to protect your company from Cyber Attacks. Each could form the basis of a whole article itself. They have been summarised here so that they can help you to understand how to shape an effective cyber security strategy that will help your business stay one step ahead of hackers and other cybercriminals, and hopefully protect your critical business data.

Not all of these steps will apply to every company, and there are also other steps that could apply to your own business that have not been covered above. The takeaway here should be that unless you take responsibility for securing your own company data, rather than relying on software vendors and hardware suppliers to eventually fix security vulnerabilities, your company is exposed to a potentially catastrophic data breach, one that, statistically, it is very unlikely to recover from, or indeed survive.

Cloud Computing: What do I need to know?

Person trying to reach for the Cloud. Cloud Computing: what do I have to know?
Photo by Samuel Zeller, on Unsplash

Estimated Reading Time: <3 minutes

Cloud computing has been revolutionising the technology industry since its conception, and yet this is only the beginning of its true potential.

Storing all business applications and data in the Cloud is now becoming standard practice amongst our clients, but there are many other possibilities within the “Cloud Computing” realm.

We have a full guide on Cloud Migration available on our website. Have a look if you are ready to move your business to the cloud and gain speed and flexibility.

The reality is that the majority of people are still unaware of all the benefits and uses of the Cloud. So, we have compiled a list of informative articles and links that will help you to better understand this technology and learn how to use it to its full potential.

If you have any specific concerns, you can always talk to us and we will gladly reply to all your queries. If you are looking for our own Cloud Solutions page, click here.

7 Links for Cloud Computing

  1. If you want clear, concise information that is straight to the point, a good place to start is What is Cloud Computing – A Beginner’s Guide, by our partner Microsoft. It is a quick read that covers all the basics. Read Here.
  2. For a highly detailed article with complementary data, we would highly recommend this piece by ZDNet – What is Cloud Computing? Everything you need to know about the cloud, explained. Read Here.
  3. Cloud Computing: What it’s like to make the move – If you are thinking about making the move to the cloud, this article provides some great case studies of companies who are using it and how it has been affecting their business: Read Here.
  4. Already decided to make the move? This video will give you a brief introduction to the Top Cloud Providers of 2019:

  5. By now, you may have got to grips with what the cloud actually is, but learning how to use it correctly is critical. We have a very helpful blog that will help you to avoid frequent pitfalls: Common Cloud Computing Mistakes and How to Avoid them. Read Here.
  6. One of the biggest concerns regarding Cloud migration is security. We have a great article that details the main steps you should take to ensure that your identity and data remain protected: How to Keep your Identity Safe while moving to the cloud. Read Here.
  7. How to manage vendors in a cloud-first world – Managing your vendors demands attention and internal discussion. ZDNet sheds some light on the different kinds of vendors and the approaches you should take to manage them. Read Here.

These are some of the most important topics you will need to know if you want to understand the Cloud and how to migrate to it. It is a complex topic, so it’s highly recommended that you talk to an expert if you are considering the move.

Talk to us if you have any queries specific to your industry, or if you want to learn more about how the migration process works.

Have any suggestions for this blog? Do you feel that some topics have not been covered? Let us know and we’ll gladly update it.

The Benefits of Proactive Monitoring of IT Services

Computer Screens monitoring technology performance
Photo by Farzad Nazifi, on Unsplash

Estimated reading time: 3 minutes

We now no longer have a choice. Operational uptime and business continuity are vital to the survival of all businesses. If you are in doubt, consider the following facts uncovered in surveys undertaken by the Gartner Group:

  • 43% of companies that suffered a catastrophic loss of data and IT capability went out of business immediately.
  • 51% of companies that suffered a catastrophic loss of data and IT capability went out of business within 2 years.

It is critical to remediate these risks in the face of the ever-evolving Cyber Security threat. Central to this risk management are technologies and processes that are supported by Real Time Proactive Monitoring.

The Legacy Approach to Data and Systems Management

In a reactive support model, IT issues are handled only after they surface. A problem gets noticed by an end user, who then raises it with their internal IT department or support provider. Reactive support does not address real time issues and threats. It suffers from a lack of systemisation, poor visibility and little or no accountability on key security and support concerns.

The result? This leaves you exposed to real time threats, data loss and potentially catastrophic outcomes such as the loss of the key business systems.

IT Performance Report on computer screen
Photo by Chris Liverani on Unsplash

Why a Structured Approach to Proactive Monitoring is Critical

Proactive monitoring is an IT industry term that covers the real time monitoring of all of your key IT assets, processes and data management. It requires a detailed understanding of how you use technology in your business so that monitors can be tailored to your needs.

Some forms of proactive monitoring are always on. For example, monitoring of firewalls and other network infrastructure designed to deal with intrusion and threat detection. Other forms of proactive monitoring are rule-driven. For example, checking backups for consistency or deciding what security patches to apply in specific time windows.

Proactive Monitoring and Managed IT Services go Hand in Hand

As more firms move to an outsourced or co-managed IT services model, it makes sense to shift the responsibility for proactive monitoring to the managed IT services provider, who has the scale, experience and skills to manage this complex set of systems.

Your managed IT services provider should be able to offer full monitoring and management of issues such as:

  • Prioritizing and applying patches and hotfixes.
  • Managing application licenses and seats.
  • Managing hardware warranties and service SLAs.
  • Monitoring security infrastructure such as firewalls.
  • Managing antivirus alerts and ensuring virus definitions are up-to-date.
  • Monitoring of resource usage, and intelligent scaling of cloud resources.
  • Monitoring the daily backup schedule and ensuring the integrity of backups.

Most importantly of all, your IT provider needs to perform a risk analysis of your business and identify what is critical to your operational uptime. For a high volume transactional business this may be the core ERP solution and a high frequency of backups to protect data. For a professional services firm it is more likely to be protecting data integrity and the ability to meet deadlines. Each business will have different pressure points, and proactive monitoring needs to be tailored to meet each need.
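The last two items in the list above, checking backups for consistency and monitoring the daily backup schedule, are the rule-driven kind of proactive monitoring described earlier, and they are simple enough to show concretely. The block below is an added example, not a monitoring tool from Spector or from any managed services provider: it reads a manifest written when each backup ran (name, time taken, size, SHA-256), compares it with what is actually in backup storage, and raises an alert when a backup is stale, missing, the wrong size or fails its checksum. The 26-hour staleness rule, the manifest format and the in-memory stand-in for backup storage are assumptions constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed rule: a daily backup counts as stale once it is older than this.
MAX_BACKUP_AGE = timedelta(hours=26)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_backup(record: dict, storage: Dict[str, bytes], now: datetime) -> List[str]:
    """Apply the freshness and integrity rules to one manifest record.

    record:  {"name", "taken_at" (ISO 8601 with timezone), "size", "sha256"},
             written by the backup job when it completed.
    storage: name -> bytes, a constructed stand-in for the backup target.
    Returns human-readable alerts; an empty list means the backup is healthy."""
    alerts = []
    name = record["name"]
    taken_at = datetime.fromisoformat(record["taken_at"])
    if now - taken_at > MAX_BACKUP_AGE:
        alerts.append(f"{name}: STALE, last successful backup {record['taken_at']}")
    data = storage.get(name)
    if data is None:
        alerts.append(f"{name}: MISSING from backup storage")
        return alerts                      # nothing further to verify
    if len(data) != record["size"]:
        alerts.append(f"{name}: SIZE MISMATCH, expected {record['size']} bytes, found {len(data)}")
    if sha256_hex(data) != record["sha256"]:
        alerts.append(f"{name}: CHECKSUM MISMATCH, backup corrupt or altered")
    return alerts


def run_checks(manifest: List[dict], storage: Dict[str, bytes], now: datetime) -> List[str]:
    """Run every rule over every record; feed the result into the helpdesk queue."""
    return [alert for record in manifest for alert in check_backup(record, storage, now)]


# Constructed sample data: one healthy backup, one stale, one corrupt, one missing.
NOW = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)


def _record(name: str, taken_at: datetime, data: bytes) -> dict:
    return {"name": name, "taken_at": taken_at.isoformat(),
            "size": len(data), "sha256": sha256_hex(data)}


_erp = b"ERP database dump, constructed sample content."
_files = b"File server archive, constructed sample content."
_mail = b"Mailbox export, constructed sample content."
_crm = b"CRM export, constructed sample content."

SAMPLE_MANIFEST = [
    _record("erp-db", NOW - timedelta(hours=6), _erp),
    _record("file-server", NOW - timedelta(days=3), _files),
    _record("mailboxes", NOW - timedelta(hours=10), _mail),
    _record("crm", NOW - timedelta(hours=2), _crm),
]
SAMPLE_STORAGE = {
    "erp-db": _erp,
    "file-server": _files,
    "mailboxes": _mail[:-1] + b"X",        # same size, one byte changed
    # "crm" deliberately absent from storage
}

if __name__ == "__main__":
    for alert in run_checks(SAMPLE_MANIFEST, SAMPLE_STORAGE, NOW):
        print(alert)
```

The size check is cheap and catches truncated uploads; the checksum catches silent corruption and tampering, which a size check alone never would. In a real setup the manifest itself should be stored separately from the backups, so that whatever damages one cannot quietly rewrite the other.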

In Conclusion

When discussing or investigating proactive monitoring for your business, ask your provider searching questions about how they can uncover your core risks and how their monitoring solutions can address those risks. More importantly, make sure that all monitoring solutions feed directly into your helpdesk and issue remediation systems. This provides true 360 degree support and issue remediation.

Your IT services company will need to be compliant with all GDPR legislation regarding data security and privacy. They will be able to extend this compliance to your own company, simplifying your compliance efforts significantly.

Overall, shifting to proactive monitoring provides faster and more robust support, administration and management of your technology. This translates into better operational uptime, secure business critical systems and peace of mind, among other benefits.

If you need specific details of how proactive monitoring can benefit your business, please get in touch with us or call us at 01 664 4190.

How to Smoothly Transition to a New IT Services Provider

Switching is Easy
Photo by Nathan Dumlao on Unsplash

Estimated Reading Time: 4 Minutes
There can be no doubt that the trend of moving in-house IT infrastructure over to managed IT and cloud services has provided massive benefits for many enterprises: simplified compliance, less administration overhead, streamlined application deployment and lowered cost of ownership, to name but a few.

However, what happens when an IT provider begins to fail in providing an adequate service standard and the client needs to move to a better provider? In this post, we examine the issue of switching IT service provider and discuss how you can easily overcome it.

Is Migrating to a New IT Services Company a Good Idea?

Moving to a new IT service provider is never a completely effortless task. It takes careful consideration and planning to pull off successfully, without a break in services. So, it is important to decide if you can possibly salvage your relationship with your current provider.

In most cases, we have found that it is mutual dissatisfaction – if you are not happy with your provider, the chances are they are not very happy to work for you either. So if the fear of switching is preventing you from moving on, remember it is usually to the benefit of both parties that you transition.

Knowing When it is Time to Move IT Services Company

As with any type of relationship, it is generally the proverbial straw that breaks the camel’s back which triggers the desire to shift to a new provider. However, a more educated way to make such a decision would be to monitor any potential trigger events that could indicate your current provider may need to be replaced. Events such as:

  • Your provider exposes your company to data loss through an ineffective backup regime.
  • Your provider exposes company data to a security vulnerability through ineffective data security protocols.
  • Your provider fails in their duty of GDPR compliance.
  • Your provider fails to meet the SLA that both parties contractually agreed to.

These are just a few of the signs that your current IT services provider may need to be replaced. Of course, problems do happen from time to time, and a single isolated incident such as those mentioned above is not a strong indication on its own. However, when issues like these become regular occurrences, it’s time to start thinking about switching to a more capable provider.

Change of times - Transition between green and brown fields
Photo by Elizabeth Lies on Unsplash

How Easy is Switching IT Service Providers?

This is the million-dollar question. And the answer is going to depend entirely on how much you rely on managed IT services as part of your enterprise technology stack. If you are only relying on cloud storage and the provision of desktop apps such as Office 365, then migrating will be very simple indeed.

However, if you have integrated managed IT services into your DevOps cycle, and depend on cloud services as the service platform for business-critical applications, then migration becomes slightly more complex.

A recommended way of confronting the task is to choose the right time to make the shift – when the effort of doing so is diminished in some way. More on this below.

When to Switch IT Service Providers?

The trick to minimising the impact of switching providers is timing the switch to coincide with an event that, in itself, requires some effort to action.

For example, you might be replacing a current enterprise application with a new one, or beginning a large project to develop a new one. Performing network or infrastructure upgrades would also make a good pivot point for a migration. Even process changes, such as reworking how compliance is handled internally, could be a good time to change.

Because changes are being made anyway, it makes sense to offload the old provider at the same time. So rather than performing an upgrade, rollout or deployment on the old platform, you can simply set up the new infrastructure, application or processes on the new managed IT platform before switching off the old services.

Preparing for the Transition to a new IT Service Provider

Getting ready to move providers is probably the most arduous task, as it will require careful planning: first, in establishing how deeply the current services are embedded in your business and how they need to be replaced; and second, in coming up with a testing plan to confirm that the migration was successful. Here at Spector, we help to ease this transition with our tried and trusted onboarding process, which mitigates the risks and ensures minimal disruption to your business and staff.

Consider a Period of Parallel Running

It makes good sense to perform the transition from one service provider to another while leaving both in place for a period of time, before cancelling the old services. This gives the enterprise the ability to fall back on the old services if part of the migration has been handled badly, or something simply doesn’t work.

In Conclusion

Moving from one IT services provider to another may take a little time and effort but if your current provider has been letting you down, it is far better to expend a little manpower and resources to move to a more reliable company, than struggle on with one you no longer trust.

We hope this post was helpful. Read more on our blog for more on business technology, or contact us if you have any specific concern regarding a switch of providers. We have a lot of experience in that, so we may have useful advice to offer.

What can a Cyber Security Company do for my Business?

Business woman cyber security
Photo by rawpixel on Unsplash

Estimated Reading Time: 7 Minutes
Cyber security and Information Security can be cloudy businesses for most industry outsiders and non-technical individuals. Unfortunately, this often means that people only realise its importance when they are in the middle of a crisis. We have listed the core activities performed by Cyber Security companies below. Simply click on the topic of your choice for an explanation of the activity and how it can bring value to your business.

Patch Management

What is it:

Patch management is the process of repairing vulnerabilities in infrastructure systems. It is vital to reduce risk and mitigate threats to your business. Once a vulnerability is discovered, it usually takes cybercriminals only a few days to learn how to exploit it, so this is an ongoing and critical activity.

How is it Done:

To ensure Patch management is successful, the following process should generally be adhered to:

Evaluate Patch – Test patch – Approve patch – Deploy patch – Verify Deployment

Hardware patches are rolled out by Spector engineers once they have been tested and verified, to ensure that they will not cause errors. Critical third-party software patches are monitored by Spector engineers, who advise clients when patching is required. We can conduct all of this in the background, so it will not hurt productivity.

Data Back Up and Disaster Recovery

What is it:

Second only to its employees, a company’s most important asset is its data. It is therefore critical that data remains confidential, authentic and available throughout its life cycle. For this reason, a Cyber Security company will always have it as one of its priorities. Backup is the process of copying data and storing it to prevent loss of vital company information. What is less well-known, and just as important, is the concept of Disaster Recovery: the act of restoring these copies to a live environment. In short, this implies knowing how long it will take for your systems to be back up and running again, and how much data will have been lost in the process. Disaster Recovery is crucial, so stay tuned for a further article on this topic very soon.

How is it Done:

First, we must develop a Business Continuity Plan to define exactly what the procedure will be in the case of a disaster. Then we will discuss what the recovery objectives are, in terms of data and time, to define the best solution. We at Spector provide onsite and cloud backup solutions, and regularly test these backups to ensure client data remains available and that recovery is possible.

Access Control

What is it:

Access control is the process of implementing Security Controls to regulate who has access to resources in a computer environment. Assets and resources should be identified, then classified based on their importance and confidentiality. This ensures that only the appropriate employees have access to critical data for their roles, such as the company’s financial report or strategic plans. Access control is essential for Cyber Security as it minimises risk and prevents Data breaches within your business.

How is it Done:

At Spector we tend to manage Access Control through some simple procedures and tools. First, we use Active Directory groups, which represent the levels of access that employees are assigned to. These groups are then assigned to resources, such as files and folders, and only members of the groups are allowed to access those particular resources.

Tools such as Multi-Factor Authentication (explained below) and Single Sign-On may also be used to enforce these levels. A Single Sign-On portal is a single location for all your applications, protected and restricted to company members. With this portal in place, users never see the actual passwords for individual applications and can be easily added or removed, which keeps access under control.

Firewall Management

What is it:

Firewalls are the first line of defence for your company’s infrastructure. They block unauthorised traffic and allow legitimate traffic, both inbound and outbound. Having a firewall is great, but if it is not monitored and patched, and its alerts are not responded to, then it is not really doing its job – and that brings a massive risk to your business. It is the equivalent of leaving your company’s office doors wide open.

How is it Done:

Firewall management is the monitoring of internet traffic in and out of your company. A Cyber Security company will acquire and configure your firewall to ensure maximum safety. We will also monitor the firewalls 24/7/365 and receive reports directly to our service desk. Therefore, if an intruder comes along, we will know immediately and block their access.

Anti-Malware

What is it:

Anti-malware – which also includes Anti-Virus – is a security application designed to detect, prevent and remove malicious programs and code from information systems. It can also provide protection for online browsing, communications and transactions. Anti-malware protection is a must for companies to protect against ever-evolving cyber security threats.

How is it Done:

At Spector we provide Anti-malware protection through our partners, on a subscription model which covers the company’s computers, laptops, servers and mobile devices. We will manage the alerts and patch the software to ensure it is operating effectively. Having anti-malware protection in place can prevent the loss of data, reputation and finances.

Multi-Factor Authentication

What is it:

We have a 1-page PDF guide explaining how Multi-Factor authentication (MFA) and Single Sign-On work, available here.

MFA is the method by which a user proves their identity by providing at least two factors of authentication – something they have, something they know or something they are. The main benefit of Multi-Factor Authentication is the extra security provided by adding multiple layers of protection. Indeed, the more layers a company has in place, the lower its risk of an intruder gaining access to its network resources.

How is it Done:

We can configure your systems and critical applications to set up Multi-Factor Authentication. Spector uses third-party applications, tokens and Single Sign-On portals to provide Multi-Factor Authentication. These tools generate a code for the user that must be typed in or approved at login – this ensures that a cybercriminal will not have access to your accounts, even if they know your password.

Email and Spam protection

What is it:

E-mail is one of the main online gateways into a company, and one of the channels most used by cyber criminals. Phishing attacks, viruses and spam are more than a nuisance and can compromise data and systems very quickly. A sophisticated Cyber Security company will usually offer these types of services too.

How is it Done:

We utilise a third-party service, The E-Mail Laundry, to set up filters and analyse sender domains and email servers. The E-Mail Laundry also scans for specific keywords, attachments and techniques used by spammers to determine whether a message is safe. We constantly monitor the software’s activity, and if it finds suspicious content, it sends the user a quarantine report from which we can decide to either release or block similar messages.

Endpoint Encryption

What is it:

Encryption hides information in plain sight by translating it into a form that cannot be easily guessed. Only individuals with the specific encryption key will be able to access the information. It is becoming increasingly important as the workforce becomes more mobile, with laptops and tablets that contain critical data. If an employer loses one of these encrypted devices, they can rest assured that classified data will not be compromised.

How is it Done:

We will encrypt and protect the devices’ disks, meaning that anyone without the user’s credentials cannot access them. From then on, information written to the disk is encrypted automatically. For employees it is as simple as typing in a username and password, but for a criminal the data is almost impossible to access.

Training and Education

What is it:

Security awareness training is a formal process to educate employees about cyber security and data protection. It is one of the most important activities a company can take part in, as the company’s employees are its front line of defence. This is especially important today, as social engineering and phishing attacks are becoming more and more common.

How is it Done:

A good security awareness program should educate employees about the corporate policies and procedures for working with information technology. We normally train people through awareness training videos and tests, which enables them to learn in their own time. Subsequently, we keep them vigilant through periodic simulated phishing emails, designed to catch employees out and alert them to the threat. Records of these exercises can later be used to provide proof of training for auditors and to demonstrate how much a company cares about Cyber Security.

Cyber Security Policies

What is it:

A company’s policies are high-level principles and guidelines adopted by an organisation to communicate its goals and expected outcomes. Without policies a company does not have a blueprint to work towards, and standards can differ widely throughout the company. Therefore, having a set of policies should standardise how a company works and the expected levels it works to.

How is it Done:

Establishing a policy should be the first step in terms of Cyber Security, as it serves as the base for defining procedures and technology. If policies are not in place, then there will always be an extra element of risk left to chance. We at Spector can provide a number of IT and cyber security related policies, along with a framework for a company to work towards. This is an imperative for reaching organisational maturity.


These are the main services that companies tend to offer under the Cyber Security umbrella, and they provide an overview of how companies like us operate and the benefits they can bring to a business. If you have any questions that were not covered, search our Blog for other articles or get in touch.

My identity has been stolen. What to do now?

Criminals may ask for Ransom if they steal your Identity
Photo by William Stiff on Unsplash

Estimated Reading Time: 5 Minutes
If you have reasons to believe your Identity has been stolen, you should act quickly and try to mitigate the damage done as soon as possible. In this post, we will explain the main actions you should take if your accounts have been hacked, if your device has been stolen or if you are being blackmailed.

Follow the next steps and you will address most of the potential outcomes. If you are already going through this, we may not be able to jump in quickly enough, but we can help to protect your business against this threat in the future. Talk to us if you want to learn more.

This is part of our series of blog posts that cover the topic of identity theft. In our previous posts, we explained what identity theft is, how it happens and the key signs that would indicate you have been a victim of identity theft. If you want to read all this information in one place, download our Essential Guide on How to Avoid Identity Theft.

Steps to Take as Soon as Possible If Your Identity Has Been Stolen

Once your identity has been stolen, you must assume that the person who stole it has access to every one of your online accounts. They will also be able to take real-life criminal actions using your identity. However, it is the online accounts which can cause the most damage, in the shortest time. So, let’s deal with these first. But before you do anything else, make sure that the device that you are using is safe and clean of viruses, otherwise you may be giving the cyber criminal even more critical information!

  • Secure your email account. Log in, change the password, change the security questions, and make sure your mobile number is correct.
  • Log in to your online banking. Check your current bank statement and your credit card statements. Are there any suspicious transactions? If so, contact your bank immediately and have them cancel your credit/debit cards. Change your password and other security information.
  • Log in to any payment gateways you use, like PayPal or similar. Check that there are no suspicious transactions. If there are, contact support straight away. Change your password and other security data, and remove any funding sources such as credit or debit cards. You can add them back later, but for now, removing them stops anyone making payments via the gateway using your identity.
  • Log in to any online merchants that you often purchase goods from, that have your payment details stored. Change your password and security data. Remove any automated funding sources that would enable a person to make a purchase without knowing your card details.

Once you have covered these four issues, you have minimised the chance of an identity thief being able to use online transactions to commit a crime.

Later Steps to Take If Your Identity Has Been Stolen

Once you have taken the emergency procedures above, it is time to move on to the things you should do after, in order to stop an identity thief using your identity in real life to commit crimes.

  • Report the theft of your identity to the Garda. This is a criminal act that you have been the victim of. Get the Garda involved as soon as possible.
  • Inform your bank that you have been the victim of identity theft so that they can put a more stringent level of transaction monitoring in place. Most banks will be happy to do this, as it diminishes their own risk.
  • Get hold of a copy of your current credit report. This report will help to highlight any fraudulent activity, such as taking out credit in your name.
  • Visit each website that you use regularly, change all of your passwords and update your security information. Everything from Facebook to your personal blog.
  • Start monitoring your bank and credit accounts closely, as well as online payment gateways, to ensure that no suspicious activity is still occurring.

Dealing with Ransom Emails after Identity Theft

Some cyber criminals have no intention of using your stolen identity to commit theft or fraud. Some are far more interested in blackmail. Why? Because this type of crime can be carried out without ever having to put themselves at risk. It is entirely anonymous and leaves no paper trail.

Sextortion is a common form of blackmail that identity thieves often try. It can take many forms. In its simplest form, the cybercriminal will threaten to send compromising pictures of yourself to everyone on your contact list, unless you send them a certain amount in Bitcoin or some other cryptocurrency. This video report found on BBC News shows more on how it happens and what you should do.

The best way to deal with this kind of blackmail is to contact the Garda. Often people will avoid this for fear of embarrassment, but please remember that this is a serious situation. There is likely to be an organised group of criminals behind the scenes, so the Garda will treat the case with its due seriousness and advise you on specific steps to collect evidence. However, there are a few things you can do to help yourself, while the Garda get up to speed.

  1. Change the password and security information for your email account.
  2. Stop communicating with the blackmailer – don’t reply to emails or any type of message.
  3. Capture screenshots of any chat conversations the blackmailer has with you.

It is important that you do not pay the ransom, as there have been cases in which the criminals continued to request higher amounts or simply carried out the threat anyway. If you are sure the blackmailer no longer has access to your email account, you can take the following steps:

  1. Consider sending an email to your contacts, informing them that you have been the victim of identity theft and that any suspicious email they receive from you, should be ignored.
  2. Consider posting on your social networking sites that you have been the victim of identity theft, to let people know they could receive suspicious emails from you in the coming days.

What You Need to Do If Your Smartphone Has Been Stolen or Lost

A lost or stolen smartphone is one of the most dangerous events regarding identity theft. Consider all of the information that could be stored somewhere on your smartphone. Site logins, transaction histories, important files from work, and many sources of precious information. If your smartphone has been lost or stolen, take the following steps:

  1. Try to find it – Apple, Android and Windows phones can all be tracked using online tools. Methods will vary depending on which type of phone you own.
  2. Change passwords – for your main accounts such as email, online banking, and all apps that you commonly use.
  3. Contact your phone carrier – and tell them the phone is lost or stolen. In some cases, they may be able to help locate the phone, but in all cases, you can stop the phone being used to make calls.
  4. Contact any affected parties – such as your employer, whose data may have been exposed to risk due to being stored on your phone.
  5. Remote wipe – Every smartphone using Apple iOS, Google Android and Microsoft Windows, can be remotely wiped. Methods will differ between phone operating systems.

Insurance against Identity Theft

Another way of protecting yourself is to take out private insurance or a protection service. Specialist companies, such as Lifelock and IDShield, can help you to monitor key warning signs of identity theft by providing automated alerts in the event of a detectable threat, and often provide financial aid to cover your expenses and losses should the worst occur.

Some offerings will be included in addition to your regular home, auto and traveller’s policies, and you may be assigned a case manager who will personally assist you with recovery and the next steps you need to take to be safe.

Not only do these services save you time and money, but they can provide you with peace of mind.

In Conclusion

Identity theft is a serious problem and one that cannot be fixed instantly. Undoing the damage that a cybercriminal has done could take weeks or even months in the worst cases. We hope that this blog post is able to help you if you are ever to become the victim of identity theft.

For more details on this topic and to learn how to avoid it, please take a look at the following suggested content:

If you need specific advice in a similar situation, feel free to contact us from Spector at 01 664 4190 and we’ll provide you with assistance.

Are you cybersafe? Assessing Your Personal Risk of Identity Theft

Are you cyber safe? Assessing Identity Theft
Photo by Abigail Keenan

Estimated Reading Time: 5 Minutes
This is the third article in our Identity Theft series. The first post worked as an introduction to identity theft, while the second explained how it happens, and the many security vulnerabilities that enable it. Please feel free to go back to those if you are looking for more information on this subject.

Alternatively, download our Free Essential Guide on How to Avoid Identity Theft to have all information in an illustrated PDF guide.

In this post, we are going to talk about you, and the online habits that could put you at risk of identity theft. Not only will we be revealing the kinds of suspicious activity that may indicate you have been targeted by a cybercriminal, but we will discuss why a strict password policy is crucial, and how to implement one. Finally, we have a simple self-test for you, to help evaluate your own personal cyber security.

Data Leaks prompt Identity Theft

Major company data breaches have occurred over the past decade, where even the most cautious user could not have avoided having their information leaked. Yahoo alone has suffered data breaches that have exposed the personal information of all of its 3 billion accounts. When we add in other major data breaches of the last three years, the total comes to over 4.3 billion cases. Dropbox, eBay, and LinkedIn were among the high-profile targets.

Infographic on Largest Company Data Breaches in the last decade

If you are looking for more information on Data Breaches, view this detailed Infographic by Hosting Tribunal, highlighting the 15 biggest cases in 15 years.

Any of these data breaches could have exposed a user’s personal data to a cybercriminal, which could then be used as the initial seed of identity theft. Remember, it only takes one piece of critical personal information in the hands of a cybercriminal to put you at risk personally.

We recommend using this online tool to check if your credentials have been leaked. If you have been the victim of some of the circumstances above, you could use this site to verify if your identity is available for criminals to take.

Suspicious Online Activity and Its Implications

Although identity theft primarily takes place online, many of the initial signs that you have been targeted will become apparent in the real world. Indeed, the symptoms of identity theft often do not appear until some time after the data breach itself. The cybercriminal will have spent some time selling your identity on, and only then will the buyer carry out the crimes. All of the suspicious activities below could indicate that you have been the victim of identity theft. If two or more of these things happen, you can be certain you have.

  • You spot banking or debit/credit card transactions that you don’t recognise, or strange payments being sent from services such as PayPal, Skrill or Neteller.
  • You realise that you are not receiving all of your usual snail mail, such as bills, etc.
  • Online or real-world payments are declined when you use your debit/credit card to pay.
  • Your personal credit report shows loans or other types of credit that you never applied for.
  • You are contacted by a collection agent to chase you to pay for something you did not buy, or to make loan or credit repayments for financial products and services that you did not apply for.
  • One of your insurance policies such as medical or motor insurance fails to allow you to claim due to missed premium payments.
  • The records of your health plan activity show treatments for an injury or illness you never suffered.
  • You receive communication from a previous employer, telling you that they may have exposed your personal data to theft.
  • You start to receive emails from online vendors, recommending that you take advantage of an upgrade offer, or a discounted addition to goods or services you never purchased online.

A Strict Password Policy Helps

We have all been guilty of using a weak password at one time or another. If you use multiple websites regularly, it can be very tempting to use the same simple password for every site to make things easy. Of course, this is a terrible idea in relation to your online security. Establishing a strict password policy is your first line of defence against hackers. Always make sure that:

  • You always use a password of more than 8 characters
  • You use lowercase, uppercase, numbers and symbols in every password.
  • You do not use the same password for more than one site.
  • You do not keep a note of your passwords, or some type of hint document to help you remember them.
  • You don’t use passwords that are easy to guess – birthdays, obvious dates or names that are important to you.
  • You never share your passwords with anyone.
  • You change your passwords regularly.

We have a complete guide on How to Create and Manage Passwords, available on our website. Check it out if you want to learn the best techniques to create strong passwords that are easy to remember.

If you have not been using such a password policy, and you start to notice strange activities such as those mentioned in the section above, change your passwords using such a policy ASAP.

A Password Manager is a very useful tool that will generate strong passwords and keep them safe for you, behind an encrypted barrier. There are many of these available on the web or app stores.

Your Identity Theft Self-Test

In this section we have a short identity theft self-assessment test you can work through, to discern your own personal level of risk. Answer each question with a yes or no.

  1. You check your credit report regularly.
  2. You check your bank and credit card statements against credit/debit card receipts.
  3. You know the approximate billing cycles of your credit cards, loans and other financial services and can spot a discrepancy.
  4. You destroy personal documents before you throw them away.
  5. You destroy all of your household mail, such as utility bills, before you throw it away.
  6. Your snail mail is delivered to a locked, secure mailbox.
  7. You post your snail mail at the post office, and not in a public post-box.
  8. Your mail is collected and held by a family member or friend while you are away.
  9. You do not take part in internet surveys, or other requests for information.
  10. You keep important data and documents safely located at home.
  11. You do not carry all of your credit cards and chequebooks at all times, only the ones you need.
  12. Any paperwork you have to submit to an organisation, such as your employer, has personal information that they do not need to see blanked out.
  13. You think twice before you post anything on social media or your personal blog.
  14. You do not use a weak password.
  15. You do not use the same password for your online accounts.
  16. You change your passwords regularly.
  17. You have multi-factor authentication enabled for your online accounts.
  18. You have anti-virus or anti-malware software active on your devices.
  19. You do not open e-mail attachments or links from strangers.
  20. You always confirm with a person if they are asking you to perform any money transfer over e-mail or social media.
  21. You are generally security conscious, and regularly take common-sense driven actions to protect your personal information.

If you answered no to:

14 or more questions – your Identity is in danger;
9 to 14 questions – a lot to improve;
4 to 9 questions – good, aware of the main risks;
3 or less – excellent, vigilant.

Always remember that you are the first line of defence when it comes to your own cybersecurity. Acting in a safety-conscious manner at all times is the best way to deter cyber criminals and keep your identity safe from identity theft. Hopefully, you are becoming an expert in identity theft. Our next blog post will tell you what to do if your identity has been stolen, a question that we hear a lot from our customers.

To have all this information in one place, including exclusive methods, data and tools to avoid Identity Theft, download our Essential Guide. It’s an illustrated PDF with all the knowledge you and your staff may need to avoid facing this threat.

How Does Identity Theft Happen?

How Does Identity Theft Happen - man taking a picture with his phone
Photo by Fabrizio Verrecchia on Unsplash

Estimated Reading Time: 5 Minutes
Hopefully, you have already read part one of this series of blog posts on identity theft. Following on from the initial post which gave a primer on identity theft, this second part covers how identity theft is perpetrated.

We have all this information available in PDF, along with the best tools and techniques to make sure your identity is safe. Our Essential Guide is available here.

Identity Theft is a Prolific Cyber Crime

Before jumping into the meat of this post, take a look over some of these facts. They demonstrate very clearly that identity theft, and cybercrime in general, is a major issue, and one that is trending upwards.

A recent survey undertaken by Eurobarometer in Ireland demonstrated that a third of the 1,000 people who took part had been the victims of some form of malware attack. Further facts uncovered included:

  • 13% indicated that they had lost out financially to some form of online scam.
  • 57% confirmed that they often open emails from people who they do not know.
  • 26% of them change their password at regular intervals.
  • 75% use the same password for multiple websites.
  • 10% had been the victim of credit/debit card fraud or a similar crime.

And when it comes to identity theft, 9% of the people who took part had been the victim of this cybercrime. This is almost 1 in 10 people.

How Your Online Identity is Exposed to Risk

All cases of identity theft share one thing in common: the cybercriminal was able to gain access to some critical piece of personal information, which allowed them to begin the process of stealing an identity. There are many ways that we expose our own personal data to the risk of loss, including:

  • Theft or loss of a wallet or purse – that contained personal documents such as driving license and credit/debit cards.
  • Theft or loss of a device – such as a tablet, laptop or smartphone, on which the owner has stored critical private data.
  • Stolen snail mail – containing documents such as credit card or bank statements, tax information or letters with personal data.
  • Dumpster diving – whereby a criminal goes through the garbage a person has thrown out, looking for documents containing critical data (again, such as credit card or bank statements and tax information).

On most occasions, however, a criminal doesn’t need to act physically to steal an identity. The digital environment offers many alternatives that facilitate this activity, such as:

  • Insecure network connections – that are not secured behind a firewall or are vulnerable to some form of cyber attack.
  • No enforced strict password policy – allowing users of a website to create passwords that are weak and easily cracked using the brute force method or are easily guessed. We have an article with insights on how to create and manage stronger passwords here.
  • Being phished – when a user falls for a phishing scam, and inadvertently gives their own personal data away. Learn how to identify a phishing attempt and train your staff to avoid this threat.
  • Corporate data leaks – a number of organisations today probably maintain records that include your personal information and bank or card details. If the company fails in their duty to keep this data secure you could be exposed to risk.

Of course, there are far more risks than these we have covered above; these are simply the most common.

How Stealing an Identity Involves Just a Simple Process

You don’t need any special skills, or even much technical knowledge, to steal a person’s online identity. All it takes is basic Internet skills and a lot of patience. Depending on the target, it could be done in less than an hour.

Identity theft begins with a fact-finding mission. The cybercriminal will try and learn as many facts about the victim as they can. This is shockingly easy to do. Sites such as Facebook and Twitter can provide information such as the names of family members and pets, the bank you use, where you work, the significant dates in your life (birthdays, anniversaries, etc.), your favourite restaurants, the kind of TV shows you like, and the list could go on and on.

Other sites, such as those that provide a database of criminal offences, county court judgements and even bankruptcies can also provide good data.

Simply plugging a person’s name into a Google search can often bring back masses of information about a person, especially if they are a prolific blogger, or maintain active profiles on services such as Spotify.

Once the cybercriminal has enough information about you, they have many options open to them. They can use the information to try to gain access to services such as Gmail. How many sites ask us to set security questions such as “What was the name of your first pet?”, “What was your mother’s maiden name?”, or “What was the name of your first school?” It is very easy to see how someone who knows the kind of details used to answer these questions can gain access to such services.

Another option is that the cybercriminal can use the information they know about you to obtain further information in another way. For example, if an identity thief were trying to gain access to your online banking and they knew enough about you, they could call your bank and do a sufficient job of convincing the person on the other end of the phone that they are you.

The Enabling Technologies of Identity Theft

All a cybercriminal needs to carry out identity theft is a computer or laptop and an Internet connection. No special devices or specialised software are required at all. That’s not to say that a well-rounded cybercriminal won’t have tools at their disposal that they use for other purposes and that could help with identity theft, such as a network packet sniffer or a brute-force password-cracking application.

No discussion of identity theft would be complete without mentioning the Dark Web. This is a hidden, private network of websites that are not typically accessible unless you know exactly where to find them. They don’t appear in search engines, and they work in a slightly different way to standard sites.

The Dark Web is the wild west of the Internet, with no policing or moderation. It has been used for everything from dealing drugs to hiring a hitman. A massive amount of information of interest to identity thieves is available for free, or for trade, on the Dark Web. This is also where identity thieves sell identities that they have already stolen. According to this article by NBC News, criminals pay an average of $160.15 to obtain an online banking account, and they can buy access to other accounts for much less.

Curious about how much your information is worth out there? Check the graph below:

Infographic: How much is your information worth on the Dark Web?

In Conclusion

This second part of our series on identity theft has hopefully demonstrated how shockingly simple it can be to steal a person’s identity, even if they have taken steps to protect it. The takeaway here should be that although there are things you can do to protect your own digital identity, we all rely on multiple third parties to “keep their end of the bargain” and make sure they store our critical data securely. One layer of security is not enough and has to be reinforced by multiple tools and vigilance.

In the next part, we will recommend tools to assess yourself and find out if your identity has been compromised.
Alternatively, if you want to skip ahead, the last part of the series explains what to do if your identity has been stolen.

We have an Essential Guide on How to Avoid Identity Theft available for download with information from our articles and additional details on tools and methods to stay safe from this threat. Please feel free to check it out and talk to us if you need assistance or would like to provide feedback.

The How What and Why of Identity Theft

Photo by rawpixel on Unsplash

Estimated Reading Time: 4 Minutes
Since 2012, the number of cases of identity theft has risen each year. What does this trend demonstrate? That the victims are becoming more susceptible to identity theft, or that the thieves are getting smarter? Our findings show that both are true.

Personal data is available everywhere, from profiles scraped from social networks to corporate data breaches, and criminals are able to use this data against users on a larger scale than ever before. They are generally multiple steps ahead of people and companies that are not prepared for them.

Below, you will find the first part of a series of posts that will take a deep dive into the issues of identity theft: what it is, how it is done, and how you can assess and protect your identity. In this introductory post, we cover the bare essentials that everyone needs to know about identity theft and how digital criminals use it to enable a number of crimes.

If you prefer to read it in PDF, our Essential Guide on How to Avoid Identity Theft is also available for download. 

What is Identity Theft?

Recently, we have seen an example of mass identity theft being used to blackmail victims into paying the criminal in Bitcoin. The “Sextortion Scam” works by emailing victims their own password, so that the victim can clearly see that the extortion attempt is not fake. The victim is then threatened: unless they pay a number of Bitcoin, the thief will email compromising pornographic pictures to their entire address list.

“Your password is XXXX. Want to know how I know this?”

In its simplest form, identity theft will be deemed to have occurred whenever a criminal illegally gains access to a person’s personal information and uses it to “spoof” the victim’s identity for nefarious purposes.

The cybercriminal will target data such as ID numbers, Personal Public Service Numbers (PPSNs), bank account numbers and credit card information. This data is then used in a variety of ways, such as renting vehicles, applying for credit cards and loans, opening bank accounts, etc. All of these transactions will appear to have genuinely been made by the victim, who will then be financially accountable for them.

This is the classic form of identity theft. Unfortunately, criminals have diverged from this model, evolving new, more complex scams that target particular end results.

What Forms can Identity Theft Take?

In the modern digital age, identity theft takes many different forms, many of which have very specific goals. Below is an overview of the most common types of identity theft:

  • PPSN theft – the criminal will capture the victim’s PPSN, and then use it to embezzle finances from the victim by assuming their identity. Or they may use the PPSN as a stepping stone to applying for other documents such as a passport.
  • Financial theft – the criminal will capture key financial data, such as credit card information. This data is then used to procure additional finances, such as applying for new credit cards, personal loans, or taking on high ticket price items such as cars under a finance agreement, which they then resell.
  • Criminal activities – the criminal will use a spoofed identity if they are caught perpetrating some form of crime.
  • Medical/insurance – the criminal will use the social security number, other medical identification numbers, or medical insurance data to obtain medical services and treatment, which the victim will have to pay for.
  • Driving offences – the criminal will use the driving license of the victim to avoid being prosecuted for any number of driving offences.

These are the most common forms that identity theft can take. There are more, although none as prolific as those above.

Who Perpetrates Identity Theft and Why?

An important aspect of understanding digital identity theft is knowing how the end-to-end process of stealing an identity works. The process, from initial data theft through to gaining benefit from this data illegally, generally involves several parties. Most usually, the person responsible for stealing the identity will intend to sell it on to other criminals, who will then use it themselves in one of the ways outlined in the previous section.

This makes tracking down the initial perpetrator of identity theft very difficult. More usually, the criminal using the identity for illegal purposes will be caught, with the original identity thief remaining at large.

Indeed, many of the hackers who successfully gain access to the kind of personal data required to spoof an identity live in countries far removed from their victims’. The identities they have stolen have little value to them as a digital asset; their only value is in selling them on to criminals in other regions.

Protecting Your Digital Identity

Your main weapon in the war against identity theft is common sense. Obviously, never share your passwords with anyone, as the human factor is one of the most likely to cause a leak. Even if you trust them implicitly, they may mistakenly expose your passwords to identity thieves. Of course, using technology such as malware detection applications is highly beneficial as well.

Another option, one that is gaining traction, is to use two-factor authentication for key websites such as online banking, email access, etc. Using two-factor authentication involves having a unique passcode sent to your cell phone as an SMS message every time you log in to a site.

We have a lot more detailed information available for download, including specific tools and techniques recommended against Identity Theft. If you want to dive deeper into this topic, make sure to check our Essential Guide on How to Avoid Identity Theft.

The threat of identity theft will not be going away anytime soon. Each year, the cybercriminals become more proficient, and the task of preventing cyber crimes becomes more complex. Believing you will not be a target is very much like hiding your head in the sand until the threat passes by. You need to take responsibility for protecting your own critical private data by adopting best practices, training your staff and hiring specialists, tools and insurance to minimise the risk of identity theft.

What’s Next

This has been a general introduction to the topic of identity theft and hopefully has left you with a basic understanding of the concept. If you are ready to learn more about this critical topic, please check the following articles in the series, or download our PDF Guide:

Part 2: How Identity Theft happens
Part 3: How can you find out if your identity has been stolen
Part 4: My Identity has been stolen, what to do now?
Guide: Essential Guide on How to Avoid Identity Theft

Thank you for reading.

You already use artificial intelligence at work


In fact, if you have a mobile phone that has access to the internet then chances are you use artificial intelligence at home, during the commute, and on holidays too. This is assuming you use Google, because Google is a form of artificial intelligence (AI).

Google uses AI

Surprised? It may sound like a bit of a stretch given that Google has been around since 1998 and AI is only really beginning to take off. But Google has improved a lot over the years, so much so that it now does a very good job at reading our minds. We take it for granted because the changes, although momentous, have been incremental but it is amazing how with only a couple of words – sometimes just one – Google’s search function can infer what we are looking for from over 30 trillion web pages. Google is a master at finding the needle in the haystack!

But how does Google qualify as AI, you ask? Google uses machine learning technology to detect patterns across users’ behaviour so as to better interpret what a single user is searching for. Its secret Hummingbird algorithm learns from batches of historical searches, so it can be quick and precise in its response, just like an actual hummingbird. It may not sound very exciting, but AI doesn’t just refer to killer robots!

What is AI?

The general understanding of AI is a machine that has the capability to demonstrate a level of intelligence previously reserved for humans. But this is a very simplified understanding of AI. For those in the know, there are four main types of artificial intelligence:

1. Reactive AI

This refers to machines that cannot use past experiences to influence decision-making, but instead analyse the situation at hand to decide what should happen next. A prime example of this is Google’s AlphaGo – a machine that has beaten the world’s top players of the notoriously difficult board game known as Go. This type of AI does not have any conceptual understanding of the world it is in. Its function instead is task-specific and, as in the case of AlphaGo, this type of AI is superior at executing its task at super speed!

2. Limited memory AI

This kind of AI can log a limited amount of memory to influence its reactions. A prime example of this is autonomous cars. These machines can recognise road markings and changes in the speed limit while recognising the position of other cars on the road for safe lane changes, etc. However, limited memory AI does not learn from its experiences. Instead, the information logged is kept on a short-term basis and, therefore, there are no learnings available to be applied to new situations.

3. Theory of mind AI

This is AI that can learn. With a constantly evolving library of experiences remembered and drawn upon in every situation, this type of AI can make autonomous decisions. However, there is more to it than that. The phrase “theory of mind” comes from the ability to understand that people and creatures in the world have mental states, such as desires, beliefs and goals. Being able to grasp this concept is one of the building blocks of human communities. This is the next step for AI, and it’s a big one.

4. Self-aware AI

By the time machines become self-aware, they will also be super intelligent, surpassing us in almost every way. The day a machine asks “Why?” is the day it can create representations about itself. This self-aware AI does not mimic humans but rather can exist for its own purpose. However, we’re not there just yet, so there’s no need to start preparing for the robot apocalypse!

AI at work

Back to reality! Currently, we are still getting to grips with number two in the list, limited memory AI. However, even today, AI is already affecting our everyday working lives.

Just like how Google can detect patterns in user behaviour, sophisticated CRM tools can predict patterns in customer behaviour. Machine learning algorithms on company websites can now personalise content for specific users based on their historical activity with the company. With business intelligence platforms, AI can spot industry trends over time and remind us to adjust our resources accordingly. AI is helping businesses to automate tasks, such as reporting, financing and hiring, while virtual assistants aid with administration. Ultimately, AI is removing the tedious tasks from our workflow so that we can focus on adding value to our business.

Cloud computing is an important step towards an AI friendly workplace. By storing data in the cloud, a seamless stream of information is created which flows between all levels of the organisation. The next step after this is the self-learning enterprise, where everything is talking to each other and AI is interpreting the data for autonomous, strategic decision making. At Spector, we truly believe the technological investments you make today will greatly impact your competitive edge in the very near future.

Are you looking to take your business IT infrastructure to the next level? Make sure to give us a call on 01 664 4190 or contact us for a chat about your IT challenges and needs. We are always happy to offer some sound advice on how you can best support your growing business.

4 Ways Business Technology Can Reinvigorate Your Sales Team


Remember that ‘90s film Glengarry Glen Ross? Although set before the times of modern business technology, it is generally considered a must-see for any sales team. It’s easy to understand why, with strong lead performances and numerous quotable lines expressing the dog-eat-dog nature that is stereotypical of sales. However, it’s a tad out of date at this point, for a few reasons.

Today, ‘sales shark’ is a dirty phrase and being able to wing psychological tactics on the spur of the moment isn’t considered a viable strategy. These days consumers, whether they are B2C or B2B, have wised-up and the shrinking effect of the global marketplace means that competition is rife. Sales teams everywhere have had to seriously up their game. Now, real-time data, quick response times, instant communication and effective time-management is separating the serious players from the bottom-feeders. Business technology is what is making all this possible.

It’s said in Glengarry Glen Ross that “Coffee’s for closers only” so, with that in mind, let’s have a look at four ways business technology can give your sales team their mojo back so they can enjoy their coffee in peace!

Business technology for the modern sales team

1. Customer Relationship Management (CRM) for real-time data

Every company has data. Data isn’t the problem. The challenge is organising and understanding the data so that meaningful insights can be obtained. CRM software does this for you by collecting customer data from every corner of your company and systematising it in the one place for easy access and comprehensibility. Now you have a holistic view of your customer-base and, if your CRM is in the cloud, it can be accessed by your sales team from anywhere at any time.

This is invaluable for the sales team who needs to know where along the sales pipeline customers are, at any given moment. Depending on what type of company you are, you can quickly find out information such as what customers are most likely to buy due to their history with your company, the best way to contact them, problems they may have had in the past, when they are due for an upgrade, their order status, etc. With a cloud-based CRM, not only can your sales team tap into this actionable data, but they can add to it while they’re on the road.

2. Video conferencing for instant communication

Speaking of being ‘on the road’, the sales team is typically on the move more than most functions in an organisation. Getting your sales team together in the one place for a meeting or training can be a challenge. Video conferencing is a great way to include everyone in the conversation while keeping communication effective. While emails, instant messaging and phone calls all have their purpose, video conferencing brings back that all-important face-to-face interaction which is vital for motivation, important decision-making and crystal-clear communication.

Video conferencing is also a great way to cut down on travel expenses and save time. If your sales team is finding that half their time is spent getting from A to B, then perhaps some clients would be better suited to a video conference call. If this is done right, then the result should be that more meetings can be had in less time.

3. Automation for effective time management

People are essential to sales. However, there are some tedious aspects of the job that would be better off automated. According to SalesForce, sales reps spend 25 hours a month leaving voicemails! The number of emails that are sent doesn’t bear thinking about… A lot of these communications are very repetitive. For example, a follow-up call to a meeting may go something like this: “Hi, it’s Joe Bloggs here, it was great meeting you the other day. I’ve got some news that I think you might be interested in. If you could drop me a call on 081 234 5678 that would be great. Thanks!” Some tools will automate this message for you so that you can send it at the click of a button whenever you need.

More time-consuming aspects of the job can be automated too, such as reporting, lead prioritisation, meeting scheduling, etc. There are plenty of tools on the market to choose from that provide automation capabilities. It’s just a matter of finding out where your sales team is spending the most time and what can be done to speed up the process.

4. Social media for prospecting and relationship building

According to an iReach survey, 90% of Irish people have a smartphone, and the top three uses are emailing, social media and checking the news/weather. So, the nation is online, but is your sales team? Simply put, if your target customers are online, then your sales team needs to be as well.

Social selling is all about interacting directly with clients online to generate leads and build customer relationships. Platforms such as LinkedIn are making this easier for companies every day. LinkedIn helps with prospecting by matching you with your target audience with details such as role, industry, interests and education. Your sales team can reach out to prospects within interest groups or directly via the messaging function. This is a great way to maintain relationships while also building new ones.

Technology is affecting all aspects of business, and your sales team is just one of them. Your frontline needs to be appropriately equipped for modern times, and this means arming them with technology that makes their workday as productive as it can be. Just remember, business technology shouldn’t require your sales team to turn into software operators. You have to choose the right technology to fit in with your company’s culture. Ok, you can go get yourself a well-earned coffee!

At Spector, we are always happy to offer sound advice on how you can grow your business with business technology. Make sure to give us a call on 01 664 4190 or contact us here for a chat about your business goals.

What is a VoIP system?


Voice over Internet Protocol (VoIP) refers to a type of technology which makes it possible for users to make calls over a broadband internet connection rather than through the conventional method of a landline phone system.

Many large companies have caught on to the rising popularity of VoIP systems in recent years. However, there are still a number of SMEs who are wary of adopting this form of communication technology for fear of poor audio quality or expensive implementation fees.

Spector’s unified communication solutions provide your company with an extensive range of modern telephony to enhance communication and in-house collaboration while also ensuring cost savings and real value.

Benefits of implementing a VoIP system

A VoIP system offers businesses numerous benefits from the moment of implementation especially in terms of improving their overall communication offerings:

Cost savings

Operating a VoIP system is significantly cheaper than using a traditional landline service. It also means that you no longer have to maintain separate networks for your phones and your data. As all telephone calls are carried over your broadband connection, the result is reduced local, long-distance and mobile roaming costs for the business and its employees.

Improved flexibility and mobility

VoIP systems can be incorporated into your existing landline via VoIP adapters. These adapters are portable, allowing users to take telephone calls on a dedicated VoIP number in any location, provided they have an internet connection. This gives employees a great deal of flexibility, as calls are diverted through the hosted VoIP phone system straight to the employee’s phone regardless of whether they are at home, in the office or travelling.

Increased productivity

Having the ability to make calls over the Internet allows users to also integrate various software programs such as email and fax via the same telephony system. An employee can place outbound calls through their email client or access voicemail accounts straight from their desktop. This helps to improve the overall productivity of a company by ensuring that users have the opportunity to multitask via the telephony system without distractions or interruptions. Spector’s presence control and managed IT solutions ensure that you can continue to collaborate with colleagues and clients in real time at all times.

Easy implementations and scalability

Hosted VoIP systems are easy and inexpensive to install. No on-premises hardware installation is needed; all that is required is an IP phone. This also cuts down on the cable clutter associated with traditional telephone systems. The scalability of the IP infrastructure makes it easy to add or remove components without any hassle.

Multi-functional

VoIP systems are not just for making calls. The IP infrastructure also includes the functionality for hosting video conferences and video calls. This allows businesses to keep up with client meetings and continue collaborating with in-house employees regardless of where they are. It eliminates the need to be physically present for important meetings and maintains communication and productivity levels. Spector provides one-stop-shop teleconferencing and video conferencing solutions, giving your business continued client face time.

Spector’s unified communication solutions ensure that your business experiences all of the benefits that a VoIP system has to offer. If you are unsure as to whether your current telephone system or Internet bandwidth is capable of supporting a VoIP system, one of our expert technical engineers can assess your current infrastructure and advise you on the best communication strategy for going forward. If you have any questions about the unified communications services that Spector provide, please contact us today.

The human factor behind compromised passwords


This article was originally posted on www.renaissance.ie.

A lot has been written on passwords and their role in keeping our networks and data safe and secure, with malware infections spreading more rapidly than ever (it is estimated that 1 in 4 people will fall victim to a data breach by 2020 – “Naked Security”). In the immortal words of Alexander Pope, “To err is human”, and that has never been more accurate than when it comes to compromised security credentials. As humans we like to keep things simple: for example, we tend to keep passwords short because we cannot remember long and complex words or numbers, and we even write them down. Furthermore, we like our credentials to be pretty much the same, or at least in the same format, across a variety of devices, applications and accounts.

Two of the most common ways in which credentials can be compromised…

  1.  Credentials are unlawfully hacked – In this specific case, the hacker gains the freedom to navigate remotely around the network with full privileges. There are a number of ways to combat this; firstly, the password must be… Read more.

GDPR – what does it mean for the SME?


The General Data Protection Regulation (GDPR), which comes into effect in May 2018, will have an impact on the way in which businesses process and store the personal data of EU citizens. Many businesses, especially SMEs, are concerned as to how exactly this new regulation will affect them.

As was mentioned previously, this regulation will build on an existing framework of current data protection and cybersecurity laws in the EU in order to bring data protection into line with new developments in technology.

Spector are industry experts in data protection and cybersecurity and can offer your business peace of mind in knowing that you are fully prepared for the incoming GDPR legislation.

How will it affect the SME?

The GDPR expects all businesses, regardless of size, to fully comply with the regulation by the time of its implementation next year. It is expected that SME companies manage their data processing and risk management in the same way and to the same extent as larger organisations.

However, there are a number of exemptions which appear to make allowances to the SME organisation and the smaller risk that these companies may pose to the privacy of EU data subjects.

One of the main requirements under the GDPR is for organisations to appoint a Data Protection Officer (DPO). It is unlikely that this requirement will affect SMEs unless your organisation processes large amounts of sensitive personal data, e.g. ethnicity. However, it is advisable to appoint an outsourced DPO to ensure that you are compliant and that your data protection strategy is up to date.

In the case of minor data breaches, where the breach does not cause serious harm to the privacy of an individual, there is no obligation to report the breach to that individual.

How should an SME prepare?

If you have not started preparing for the introduction of the GDPR it is important, as an SME company, to do this as soon as possible. Below is a guideline of important areas to focus on while preparing for GDPR compliance:

Determine the need to appoint a DPO

Even if your company does not process a large quantity of sensitive data, it may be beneficial to appoint a designated DPO in order to help with ensuring compliance and in order to drive accountability.

Document your data processing procedures

It is advisable to start keeping records of all your data processing activities immediately and to keep that documentation up to date on a regular basis. Spector’s consultancy services can offer your business an IT roadmap to help you determine the best approach to data processing.

Examine your level of risk

Determine your company’s potential risk areas of a data breach in terms of the privacy rights of customers. If you feel that your company may be at risk of a data breach, it is important to put the necessary business and data protection procedures in place.

Make sure that you are transparent when dealing with privacy concerns

Ensure that your customers are completely aware of the way in which you will be processing their data, and acquire the necessary consent before processing customers’ personal data.

As part of the Spector Protect Package, our service will provide your business with a one-stop-shop solution to IT security, risk management and data protection. Our protection solutions include multi-layered support, disaster recovery and GDPR preparation. Get in contact with us today for all your compliance concerns!

How often should you reassess your disaster recovery plan?


Implementing a disaster recovery plan as part of a business continuity process (BCP) is an essential requirement for all businesses. In a complex technological landscape, having reliable backup and recovery solutions in place is beneficial for ensuring your IT efforts and data are protected. However, having disaster recovery solutions in place is of zero value if they are not regularly tested and verified.

What are the benefits of regular assessment of a disaster recovery plan?

Regular assessment of your disaster recovery solution offers multiple benefits to organisations. The most notable one is ensuring that your business avoids major data loss. Without frequent testing of your disaster recovery plan, it is impossible for your business to know how well your disaster recovery solutions will operate when called upon in a crisis. Many organisations test their disaster recovery plan on initial implementation yet fail to carry out the necessary maintenance thereafter.

By testing at regular intervals throughout the year, your business can identify any internal configuration issues or potential data risks and readjust your disaster recovery solution accordingly to ensure that your internal data and the sensitive data of your clients are efficiently protected. Spector offers disaster recovery reviews, image verification and DR testing as part of our Business Continuity Package to help you ensure that your BCP procedures are in line with industry best practice.

At what frequency should my business test our disaster recovery plan?

The frequency at which a disaster recovery plan should be tested and reassessed depends on the size and the needs of your organisation.

It is generally advised that you confirm daily that backups are completing as they should (with automated notification if issues arise), verify quarterly that backups can actually be restored when called upon, and carry out a rigorous DR test at least once a year.

Spector carries out daily checks on clients’ backups to ensure backup continuity, and we provide all our clients with a quarterly health check on backups and a yearly full disaster recovery test as part of our Managed IT Services Package.

Tips to keep in mind when carrying out an assessment test

When carrying out your initial assessment, it is important to set benchmarks for future testing such as recovery time objectives and recovery point objectives. The purpose of these is to ensure that your processes are hitting the mark each time.

The Recovery Time Objective (RTO) is the maximum amount of time a computer system, or part of it, can be down once a disaster situation occurs. The Recovery Point Objective (RPO) is the maximum age of the data that must be recoverable from a backup for normal operations to resume after a disaster situation occurs; in other words, the maximum acceptable data loss, measured in time.

Companies need to ensure that each assessment is documented fully and that the same process is followed during each test, so that results are accurate, comparable and reliable if a crisis occurs.
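As an added illustration of the benchmarks above (not Spector's own tooling), the following script compares the age of each system's newest verified backup against its RPO and the measured duration of its last restore drill against its RTO, flagging any system whose DR test was never recorded. The system names, objectives and backup records are constructed sample data.

```python
"""Check backup records against RTO and RPO benchmarks.

Added example, not Spector's own tooling: the systems, objectives and
backup records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Objective:
    rpo: timedelta  # maximum acceptable age of the newest restorable backup
    rto: timedelta  # maximum acceptable time to bring the system back


@dataclass(frozen=True)
class BackupRecord:
    system: str
    last_success: datetime                  # completion time of newest verified backup
    last_restore_test: Optional[timedelta]  # measured duration of last restore drill


Finding = Tuple[str, str, str]  # (system, objective missed, detail)


def rpo_gap(record: BackupRecord, now: datetime, objective: Objective) -> timedelta:
    """How far the newest backup's age exceeds the RPO (negative = within RPO)."""
    return (now - record.last_success) - objective.rpo


def rto_gap(record: BackupRecord, objective: Objective) -> Optional[timedelta]:
    """How far the measured restore time exceeds the RTO; None if never drilled."""
    if record.last_restore_test is None:
        return None
    return record.last_restore_test - objective.rto


def assess(records: List[BackupRecord], objectives: Dict[str, Objective],
           now: datetime) -> List[Finding]:
    """Produce one finding per missed benchmark; an empty list means all pass."""
    findings: List[Finding] = []
    for rec in records:
        obj = objectives[rec.system]
        gap = rpo_gap(rec, now, obj)
        if gap > timedelta(0):
            findings.append((rec.system, "RPO", f"newest backup exceeds RPO by {gap}"))
        rgap = rto_gap(rec, obj)
        if rgap is None:
            findings.append((rec.system, "RTO", "no restore drill recorded, RTO unverified"))
        elif rgap > timedelta(0):
            findings.append((rec.system, "RTO", f"last restore exceeded RTO by {rgap}"))
    return findings


# Constructed sample data; a fixed "now" keeps the results reproducible.
SAMPLE_NOW = datetime(2017, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_OBJECTIVES = {
    "file-server": Objective(rpo=timedelta(hours=24), rto=timedelta(hours=4)),
    "crm-db": Objective(rpo=timedelta(hours=1), rto=timedelta(hours=2)),
    "mail": Objective(rpo=timedelta(hours=4), rto=timedelta(hours=8)),
}
SAMPLE_RECORDS = [
    BackupRecord("file-server", SAMPLE_NOW - timedelta(hours=6), timedelta(hours=3)),
    BackupRecord("crm-db", SAMPLE_NOW - timedelta(days=2), timedelta(hours=5)),
    BackupRecord("mail", SAMPLE_NOW - timedelta(minutes=30), None),
]


def run_sample() -> List[Finding]:
    return assess(SAMPLE_RECORDS, SAMPLE_OBJECTIVES, SAMPLE_NOW)


if __name__ == "__main__":
    for system, objective, detail in run_sample():
        print(f"{system}: {objective} missed: {detail}")
```

Run daily, a non-empty result is exactly the kind of automated notification the quarterly and yearly checks should follow up on.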

Spector’s business protection services ensure that your organisation is protected against unwanted cyber attacks and unexpected data losses at all times. We provide backup and disaster recovery solutions from an ISO 27001 and Cyber Essentials certified data centre. If you have any questions regarding your disaster recovery solutions, contact us today.


5 areas for cybersecurity innovation in 2017


This article was originally posted on blog.fortinet.com by Michael Xie on February 27th, 2017.

R&D in cybersecurity

The world never stands still. In the technology space, this means that constant innovation and discovery is the key to a solution provider’s survival and growth. In the cybersecurity arena, this creed is even more vital. Many hackers are brilliant people. There’s only one way to get the better of them – be even more brilliant. And faster and more creative.

Which is why R&D is crucial in the security technology business. Cybersecurity solution providers must deliver open, integrated security and networking technologies that enable enterprises to see and react rapidly to changing attack techniques, increase proactivity, and scale and provision their security along with business growth. To cope with this breadth of demands – sometimes in very short time spans – technology providers need to be able to cross traditional boundaries, allowing them to innovate…Read more.

Cyber Essentials – what’s in it for me?


Cyber Essentials (CE) is a cybersecurity certification scheme backed by the UK government and supported by industry. The scheme was launched in April 2014 to assist organisations in protecting themselves from common cyberattacks and has quickly become an invaluable health-check baseline and roadmap for businesses wishing to improve their cybersecurity.

What does the Cyber Essentials Certification cover?

The Cyber Essentials certification offers businesses a solid foundation of basic IT and cybersecurity knowledge, supporting their efforts to address vulnerabilities in their security controls and practices and to protect against data breaches and cyberattacks.

The scheme focuses on five key areas of cybersecurity protection:

Secure configuration

All computer and network devices should be configured to reduce the level of security vulnerabilities. Spector’s Managed IT services use policies, implementation procedures and security controls to ensure your devices are not at risk.

Boundary firewalls and internet gateways

The use of boundary firewalls and secure internet gateways ensures protection against unwanted and unauthorised access from the Internet. Spector offers strategy consultancy services to ensure that your organisation is compliant with all areas covered within Cyber Essentials.

User access control

User access control should be managed effectively to ensure that only the most trusted and authorised users are granted high-level access privileges to sensitive data.

Patch management

Any software program can contain security vulnerabilities. An organisation needs to have an adequate patch management process in place and apply updates to all software programs promptly.

Anti-virus and malware protection

Any computing device that is connected to the Internet should have protection in place in the form of anti-virus and anti-malware software. Spector’s business protection services ensure that all devices are protected against malware, viruses and attacks.

What benefits does it offer my business?

Implementing the Cyber Essentials certificate as part of a cybersecurity risk management plan has proven to be beneficial for numerous companies. Not only does it ensure that your business is adequately protected but it also demonstrates to potential clients that you are proactively taking action to be compliant with cybersecurity policies.

The certificate allows organisations to focus on their core objectives in the safe knowledge that they are striving to protect against cyberattacks and limit the financial losses that are associated with internal data breaches. It also aids in driving business efficiency and improving productivity.

Does my business need a cybersecurity certification?

Ignoring cybersecurity is no longer an option. With the incoming General Data Protection Regulation (GDPR) in May 2018, all organisations will be required to protect personal data and will suffer significant fines if a data breach occurs. For this reason, implementing the Cyber Essentials certification will help ensure that your organisation endeavours to be fully compliant under the GDPR.

Spector is a certified partner of the Cyber Essentials certification scheme and offers this accreditation as part of our Compliance Package. Our services provide your organisation with a wide range of solutions, from IT security to risk management. If you have any questions regarding GRC, technology or cybersecurity, call us today.


Common cloud computing mistakes – and how to avoid them


If you want to learn more about Cloud Computing, read our article What do you Need to Know about Cloud Computing.

This article was originally posted on cloudtweaks.com by Brian Wheeler on November 28th, 2016.

Cloud technology: nothing is as simple as it appears

One of the first lessons anyone entering the tech field learns, in order to avoid common cloud mistakes, is that nothing is as simple as it appears to be at first glance. That lesson goes double for companies implementing a hybrid-cloud strategy. Yes, it is possible to achieve the “best of both worlds” ideal of public-cloud efficiency combined with private-cloud security and control. Just don’t expect to get it perfectly right on your first try. Take some tips from those who have been there, done that, and then done it again the right way.

The first mistake made by many cloud computing neophytes is choosing the wrong cloud. No, the cloud isn’t this monolithic entity that you simply plug into like a power outlet. In a November 2016 article on TechTarget, Marc Staimer identifies six different kinds of public-cloud storage:

  • Block storage is local embedded disk or SAN storage best suited for high-performance applications.
  • File and NAS storage work best for apps requiring NFS or SMB protocols.
  • Three different types of object storage are available for active archiving, cool archiving, and cold archiving.
  • Tape storage, usually in the form of a linear tape file system, is also used for cold archiving.

Block storage provides the lowest latency and the highest IOPS and throughput, but it is also the… Read more.

How to keep your identity safe while moving to the cloud


Cloud computing has become part of the IT strategy used by both companies and individuals in recent years for storing data. However, with any new development in IT and computing, the question surrounding security is raised. Spector knows how important it is for companies and individuals to ensure that their identity and data are kept safe and secure at all times.

When moving to the cloud there are a number of steps and processes that you can take to ensure that your identity and data will be protected from both internal and external risks:

Assess your cloud provider

When moving to a cloud service provider, individuals may often feel that there is a lack of transparency surrounding how their data will be handled, especially in the event of data loss or a data breach. For this reason, it is important to assess your cloud service provider and their security protocols such as security policies and disaster recovery systems. Spector provides a range of solutions both on public and Spector’s private cloud infrastructure that ensure data security and backup using our centralised policy management.

Look for standards

Make sure that your chosen cloud service provider meets the industry recognised standards needed to ensure identity and data security. Depending on the country in which you live these standards will vary but the most widely recognised include ISO 27001 and CSA STAR.

Use robust password protection

Password security is one of the most important requirements for moving to the cloud. People have a tendency to reuse the same passwords across multiple software applications, email accounts and websites. Putting secure password policies in place, changing your passwords often or, alternatively, using a strong passphrase will help reduce the risk of exposure of your data in the cloud.

Ensure secure remote access

As cross-device access to the cloud has become the norm, it is important to ensure that all of your devices are secure. Spector advises its clients to implement Bring Your Own Device (BYOD) security policies and a strong user access control framework within your organisation to ensure mobile security on all devices. If you are using a public cloud service provider for personal use, it is essential to use multi-factor, or at a minimum two-factor, authentication. Spector can offer these policies as part of our Spector Protect Package.

Practice data encryption

When moving sensitive data to the cloud it is always advisable to use encryption. There are many different ways to do this, such as password protection and encrypted zip files. Your chosen cloud service provider should give you details of the level of encryption they use in the service-level agreement (SLA).

If you want to learn more practical and useful information about Cloud Computing read our article What you Need to Know about Cloud Computing.

Spector provides managed IT and cloud security solutions from an ISO 27001 certified data centre. Our services include business protection, multi-layered data security and disaster recovery to ensure that your data is protected at all times and in all cases when using the cloud. If you have any questions about cloud service provision or Spector’s suite of services, call us today.


GDPR – what is it?


The General Data Protection Regulation (GDPR) is a new regulation which will come into force across all EU member states on May 25th, 2018. It aims to bring data protection legislation into line with the new and previously unforeseen ways in which data is now being used.

The legislation focuses on giving individuals more control over how their personal data is processed and will also introduce harsher fines for non-compliance and data breaches. It applies to all businesses established within the EU which process personal data and also applies to any non-EU business that handles data related to EU citizens.

As industry experts of cybersecurity and data protection, Spector will work with your business to ensure that you are ready for the introduction of the new legislation.

What counts as personal data?

Under the GDPR, the definition of personal and sensitive data has now expanded to include:

  • An individual’s name
  • Location data
  • Online identifiers such as IP addresses and cookies; and
  • An individual’s genetic and biometric data

Preparing for the implementation of the GDPR

Your business will be required to adhere to the following GDPR data protection principles:

DPO

Businesses that regularly monitor individuals’ personal data on a large scale must appoint a Data Protection Officer (DPO) and a Data Protection Controller. The DPO must be an expert in data protection law and privacy.

Privacy by Design

Businesses must ensure that the privacy concerns of individuals are kept at the centre of all decision making. Spector offers strategic consultancy services which will ensure that your business is making the right data protection decisions.

Consent

Consent must be freely given, specific, informed and clear. All individuals must be made aware of their data being handled and their right to withdraw their consent.

Security

If a data breach occurs, businesses are required to follow a mandatory procedure and notify their local data protection authority within 72 hours. Spector offers the highest level of security and business protection services to our clients to prevent unwanted data breaches.

“One stop shop”

This concept requires businesses to adopt a consistency mechanism that will ensure a uniform application of the GDPR across the EU.

Penalties

Businesses in breach of the GDPR will be forced to face considerable fines.

We offer a range of multi-layer data protection solutions to meet your business’s data needs from endpoint protection to compliance requirements. If you have any questions surrounding how to prepare your business for the upcoming GDPR, call us today and we will outline the most appropriate strategy to take to ensure your business is compliant.


5 advantages of managed IT services for SMEs


In today’s fast-moving business world, your organisation depends on solid technology to help you squeeze the most out of your available resources. Good technology solutions allow businesses to scale up smoothly and effortlessly.

However, a business can find itself in a catch-22 situation when it needs to upgrade its infrastructure but doesn’t necessarily have the budget available to bring in a full-time IT professional. The answer: managed IT services. With a managed IT solution you can fill this gap and gain many advantages. A number of those key advantages are outlined below.

No Need for an Internal IT Team

This is probably the biggest advantage of a managed IT solution. Your company has IT needs, but you don’t need someone around all the time. If you didn’t have to worry about bringing on a full-time person to take care of your systems, you could make investments elsewhere in your business. Managed IT services act as your on-demand team, so you don’t have to go through the hiring process for IT professionals. If you do have employees on hand to manage your technology, managed IT services can take the burden off of them.

Managed IT Grows With Your Business

You have your eyes on the future, and you don’t want to run into a situation where you outgrow your technical support. Managed IT service providers grow with you, allocating the right resources to your business at each stage of your journey.

Pay Only for the IT Support You Need

Full-time employees get paid whether they’re working on projects or not. How much downtime would your IT staff have at your small business? You only pay for the support you need with managed IT services, rather than breaking the bank on an idle worker.

Gain Access to IT Expertise

Technology forms the backbone of many small businesses, but gaining the technical know-how to understand it inside and out takes years. Don’t waste time trying to learn about highly technical topics. Focus on your core areas, while the managed IT service provider brings specialised IT knowledge to the table at a fraction of the cost of an employee.

Get Your Technology Projects Completed

Many small business employees juggle multiple job duties. Everyone pitches in when necessary, but you run into some major problems if you treat technology projects the same way. Employees may put infrastructure changes on the back burner while they attend to other critical needs. Managed IT services give you a dedicated team that can finish the job quickly and reliably.

You can’t get around the fact that you need a strong technology infrastructure to succeed in a global business economy. Customers build up their expectations from big-name companies and expect small businesses to be just as snappy. You don’t have to stretch your resources thin and compromise your growth plan to afford an in-house IT department (that you don’t even need all the time). Use managed IT services to supplement your expertise gaps, and get reliable technical support and advice on-demand.

Our team supplies Irish SMEs with the IT support and services that they need every day. Get in contact with us today for a quick chat about your IT pain points.