Are You Doing Your IT Due Diligence?


The words “due diligence” may make you think of a courtroom drama on television. Surely, that’s something only lawyers have to worry about? Not so fast. Due diligence is something your business can be doing, too. Are you covering the basics?

Due diligence is about taking care and being cautious in doing business. It extends to how you manage your technology, too. You may think you’re immune to a data breach or cyber-attack, but cyber-criminals can target you regardless of business size or industry sector.

Depending on your industry, you may even have compliance or regulatory laws to follow. Some insurance providers also expect a certain level of security standards from you. The costs associated with these cyber incidents are increasing, too. Don’t leave your business vulnerable.

What due diligence involves

Technological due diligence requires attention to several areas. Generally, you’ll need to show the following:

  1. Each staff member has a unique login. Require complex, distinct passwords. Educate your people to protect these (e.g. not write them on sticky notes that sit on their desktop).
  2. You have a process in place for regular data backup. We recommend a 3-2-1 backup strategy: keep three copies of your business data, one on the cloud and the other two on different devices (e.g. on your local computer and on a backup USB drive).
  3. You patch and upgrade security consistently. Ignoring those reminders and waiting for the next release is risky.
  4. You’ve installed antivirus software. You won’t know your computers are infected until it’s too late. Be proactive.
  5. Email filtering is in place. These filters help protect your business from spam, malware, phishing, and other threats.
  6. You have installed firewalls to monitor and control incoming and outgoing network traffic.
  7. You limit user access. Instead of giving everyone full access, set conditions based on role and responsibility. This approach minimizes vulnerabilities.
  8. There are physical security procedures to limit access to your environment. You might install security cameras, fence a perimeter, and require RFID scanning in protected areas.
  9. If your company lets employees use their own phones, laptops, or tablets, have a Bring Your Own Device (BYOD) policy in place. Installing mobile device management software is useful, too (and we can help with that!).
  10. You test your security, too. You can’t take a set-it-and-forget-it approach to securing your network, systems, and hardware. Ongoing testing will help you identify risks, repair vulnerabilities, and protect your business.

It can also help you to prove that you’re being diligent by:

  • keeping copies of any training provided and employee handbook messaging;
  • updating your organizational chart regularly;
  • vetting contractors/vendors before granting them access;
  • having a policy in place that quickly denies access to any former employees;
  • inventorying all devices on your network.

IT due diligence protects your business. Meeting these security standards can also cut costs and preserve your brand reputation. Demonstrating vigilance helps you avoid hefty compliance or regulatory fines and fight litigation. In the event of legal action, you’ll also want to prove the efforts you made. So, be sure to thoroughly document all IT security efforts.

Due diligence doesn’t have to be difficult. Our experts can help you determine the best preventative measures for your organization. Some business risks will pay off, sure, but when it comes to your IT, caution will have the best results.

 

Give us a call at 319-227-7000 for your IT needs.

October 8th, 2019 | Security

The Dark Web and Its Impact on Your Business


Business owners today know the internet is not only a force for good. Some people exploit the Web for ill intent. They congregate on the Dark Web, and small businesses need to understand the risks.

What is the Dark Web?

You and your employees spend time daily on the Web. They’re researching clients, checking out competitors, and searching for information. They are not accessing the Dark Web. The Dark Web houses dangerous, often illegal activity. This includes black-market drug sales, illegal firearm sales, and illicit pornography.

The Dark Web’s collection of websites is inaccessible using standard search engines or browsers. Users employ an anonymizing tool such as Tor or I2P, which encrypts and relays their traffic, to hide their identity, activity, and IP address.

To go into the Dark Web, you also need to be using the Tor or I2P service. Plus, you’d need to know where to find the site you are looking for. There are Dark Web directories, but they are unreliable. The people on the Dark Web don’t want their victims to find them. Ultimately, it’s not somewhere you or your employees need to be.

So, why do you need to know about it? Because Dark Web users can buy:

  • usernames and passwords
  • counterfeit money
  • stolen credit card numbers or subscription credentials
  • software to break into people’s computers
  • operational, financial, or customer data
  • intellectual property or trade secrets

The Dark Web is also where someone can hire a hacker to attack your computers.

The Dark Web business risk

The Dark Web itself isn’t illegal, and not all its traffic is criminal. It is also visited by journalists and law enforcement agencies, and it’s used in countries prohibiting open communication.

Yet the number of Dark Web listings that could harm your business is growing. A 2019 research study found that 60% of all listings could harm enterprises, and the number of those Dark Web listings has risen by 20% since 2016.

Business risks from these Dark Web listings include:

  • undermining brand reputation
  • loss of competitive advantage
  • denial-of-service attack or malware disruption
  • IP theft
  • fraudulent activity

With media attention on data breaches impacting millions, it’s easy to think a small business is not at risk. However, bad actors don’t target a business for its size; they look for ease of access.

Dark Web information is up to twenty times more likely to come from an unreported breach. Privacy specialists told a Federal Trade Commission conference that victims included medical practices, retailers, school districts, restaurant chains, and other small businesses.

Reduce your risk

If your information ends up on the Dark Web, there’s little you can do about it. The bright side, at least, is that you would know that your business security has been compromised. Be proactive instead. Keep your security protections current, and install security patches regularly.

Consider a unified threat management (UTM) device, or UTM appliance. The UTM plugs into your network to serve as a gateway and protect your business from malware, illicit access, and other security risks.

Your UTM security appliance can provide:

  • application control
  • anti-malware scanning
  • URL and content filtering
  • data loss prevention
  • email security
  • wireless and remote access management

Or let a managed services provider (MSP) take care of all aspects of protecting your business. Pay a consistent monthly fee for an MSP to handle all your technology, patching, monitoring, and assessment needs.

Stay on top of the latest cyber-security threats with an MSP, or learn more about installing a UTM. We can help protect you from the dangers of the Dark Web. Call us today at 319-227-7000!

September 3rd, 2019 | Security

How to Destroy Data Properly


When we accidentally delete something, it feels like the end of the world. If a client file or new presentation is deleted, you may have to start again. Oh no! Yet deleting files is not as permanent as you may think. When it comes to destroying data properly, you’ll want to take a more thorough approach.

Deleting items, or “trashing” them, doesn’t permanently remove them from your computer’s storage. While the data is still stored on your device’s hard disk, it’s possible someone could restore that deleted data.

Data does reach a point at which it’s no longer useful, and you are no longer required to maintain it. Nevertheless, it may still be valuable to cyber-criminals. Bad actors can use names, addresses, credit card numbers, banking accounts, or health data. You need a policy to destroy paper records, magnetic media, hard drives, and any other storage media.

Your obligation to protect customer and staff information extends to properly destroying all identifying data. Installing a new operating system isn’t going to do it. Encryption doesn’t do the job if the cyber-criminal can figure out the password.

Some industries require you to prove you have correctly destroyed all data. Even if you have no compliance standards to meet, carefully dispose of any computer-related device. Whenever you are recycling, discarding, or donating an old computer, disk drive, USB stick, or mobile device, make sure the data is already properly deleted or destroyed. Otherwise, criminals could get their hands on confidential business information.

Fully, Safely Destroying Your Data

So, what do we mean by “properly” destroyed? You know about shredding paper documents. You can actually do the same with some devices. You might send the computer or device to a company with a mega-shredder. When compliance matters, keep a record of the chain of custody of the data throughout the process.

Overwriting the data, often called zeroing, is another solution. No data is properly deleted until it’s written over – that’s where the information is hidden under layers of nonsensical data and cannot be retrieved through disk or file recovery utilities. Think of this as writing three new books over the top of the pages of an erased book rather than just ripping the pages out.
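The overwrite described above, sketched in Python as an added example (not code from the original article). The function names and the scheme of two random passes followed by zeros are assumptions chosen for illustration; in-place overwriting is only dependable on conventional magnetic disks, because SSD wear-levelling and copy-on-write file systems can leave earlier copies in blocks the overwrite never touches.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # work in 1 MiB pieces so large files do not fill RAM


def write_pass(fh, size, pattern):
    """Overwrite the first `size` bytes of fh; pattern=None means random data."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # push this pass to the device, not just the OS cache


def overwrite_file(path, random_passes=2):
    """Overwrite a file in place, then read it back to verify the final pass.

    Returns the number of bytes overwritten. The file stays on disk, full of
    zeros, so the result can be inspected before the file is removed.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:  # r+b: same file, no truncation
        for _ in range(random_passes):
            write_pass(fh, size, None)
        write_pass(fh, size, b"\x00")
        fh.seek(0)
        remaining = size
        while remaining > 0:
            block = fh.read(min(CHUNK, remaining))
            if not block or any(block):  # short read or a non-zero byte
                raise OSError(f"overwrite of {path} could not be verified")
            remaining -= len(block)
    return size


def destroy_file(path, random_passes=2):
    """Overwrite, verify, then delete. Returns the number of bytes overwritten."""
    size = overwrite_file(path, random_passes)
    os.remove(path)
    return size


if __name__ == "__main__":
    # Constructed sample record, written to a temporary file for the demo.
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"constructed sample: card 4111-XXXX-XXXX-0000\n" * 100)
    os.close(fd)
    print("bytes overwritten and deleted:", destroy_file(sample))
```
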

With magnetic devices, you can neutralize the magnetism (degaussing) to break down the data. This scrambles up the data beyond recovery. A strong degausser will turn the device into a shiny metallic paperweight. An ultraviolet erase could be necessary for some erasable programmable memory. You might also need to perform a full chip erase.

If you’re really committed to destroying data, physically destroy the device. There’s the shredding solution, or you might actually pay to have the device smelted or pulverized.

Other Components to Destroy with Data

Don’t forget proper disposal of printers, too. Run several pages of unimportant information (maybe a font test) before destroying a laser printer. With an impact printer (if you still have one!), you’d want to destroy all ribbons, too.

One last element you might think about? Business monitors. You’ve probably seen a computer screen with information burned onto it. Before donating or recycling a monitor, inspect the screen surface and destroy the cathode ray tube.

Now, that’s what we call being thorough about properly destroying data. Need help with proper disposal of computer data or equipment?

We can help. Contact our experts today at 319-227-7000!

August 6th, 2019 | Security

Handle with Care: Sending Data Securely


In our digital economy, we send and receive information quickly online. The Internet offers immediate communication with colleagues, clients, vendors, and other strategic partners. Yet we shouldn’t prioritize convenience over data security.

What data do you send in a day’s worth of emails? Sensitive data you send might include:

  • personally identifiable information (PII);
  • credit card or payment card information;
  • attorney-client privileged information;
  • IT security information;
  • protected health information;
  • human subject research;
  • loan or job application data;
  • proprietary business knowledge.

The problem is people sending without thinking about the security of the transmission. One way to gauge the need for security is to consider how you might send that same information via the postal service. Would you put that data on a postcard that anyone could read? Or would you send a sealed, certified mailing and require the recipient’s signature?

Transmitting data on the Internet in plain text is like the postcard – anyone can read the information. And before you think that no one can actually see your data in transit, think about where you are sending from. Your office network may be password protected and secure, but what if someone waiting for their coffee at Starbucks opens the message using the free Wi-Fi network?

Anyone can intercept communications on open networks with the right tools. This type of cyber-attack is common enough to merit its own name: a “man-in-the-middle” attack.

So, how can you stay safe when sending sensitive data?

Embrace encryption. Encrypting the data is like sending that sensitive information in a locked box. Encryption encodes the information to add a level of security. If encrypted data is intercepted, the scrambled data is unreadable by unauthorized users. Only a user with the correct decryption key can access the text.

Encryption also provides additional confirmation that the information is coming from a reliable source.

Your business should also require Secure File Transfer Protocol (SFTP) for sending and receiving large or numerous digital files. You may have heard of FTP, but this file transfer protocol is not encrypted. SFTP is the secure version of FTP, as it encrypts the files in transit. If a nefarious entity does intercept the files, it won’t be able to read them without the decryption key.

Specifically, encourage your employees to:

  • use encrypted email only (common providers such as Gmail and Outlook support it; others require third-party apps or services);
  • encrypt files before sending to the cloud (in case accounts are breached or services hacked);
  • never open business communications on unsecured Wi-Fi networks;
  • keep good track of laptops and other portable devices, and use drive encryption in case they go missing – with encryption, a lost laptop or stolen thumb drive is more secure, and criminals will have a difficult time stealing sensitive information;
  • control data access – grant permission to view, edit, or send files with sensitive information only to users who need that data for their jobs.

Managed service providers help your business decrypt how to send its sensitive information. Turn to experts in cloud services and IT security to learn how to securely send and receive data.

Contact us today at 319-227-7000!

July 16th, 2019 | Security

Do Macs Get Viruses?


Many Apple owners believe their Macintosh computers are immune to viruses. Apple itself has run ad campaigns promising its computers “don’t get viruses”. And those who have owned a Mac for years, decades even, are particularly prone to believing. After all, nothing’s happened to them yet. Regrettably, Macs do get viruses, and the threat is growing.

For a long time the argument was that cyber-criminals didn’t bother to develop Mac viruses. There weren’t enough users to justify the effort. Instead, they’d focus on the lower hanging fruit – PCs running Windows.

Yet Apple’s market share is on the rise, and it’s increasingly common to see Macs in the workplace, especially in creative industries. Plus, there’s a widespread assumption that Mac users are a smart target as they are likely to be better off. So, while Macs remain harder to infect (installing most software requires a password), there’s often a greater payoff.

The research reflects the reality. In 2017, for instance, the iPhone OS and Mac OS X placed #3 and #6 in CVE Details’ top 50 ranked by total number of distinct vulnerabilities. Apple TV and Safari also made the list at #17 and #18, respectively. In 2017, Malwarebytes also reported it “saw more Mac malware in 2017 than in any previous year”. By the end of 2017, the cyber-security firm had counted 270% more unique threats on the Mac platform than in 2016.

Finding Apple’s Weak Spots

It’s obvious then that bad actors are no longer steering clear. They are actively looking for ways to exploit Macs.

A common approach is to use Trojans. Named after a gift wooden horse that hid an army, Trojans look like something you would want to install. So, Mac users happily enter their passwords to download that application and open the gates to the cyber-criminal.

In 2011, for instance, a Trojan called “Mac Defender” took advantage of people’s desire to protect their computers. The fake program appeared to be anti-virus software. Once the users installed it, they’d get an onslaught of pop-up ads encouraging them to buy more fake software.

Trojans get through the gates because you let your guard down. You are taken in by that supposed note from a long-lost friend. You think you want to see that pic of that famous celebrity. All it takes to stop this type of attack is suspicion of everything you might install or download.

A business would want to educate its employees about the importance of:

  • clicking on emails with care;
  • validating the source of any files they plan to open;
  • checking a website’s URL (being especially wary of those with less common endings such as .cc or .co);
  • questioning any promises of Ray-Ban sunglasses for 90% off or the latest iPhone for $29.99.

A new threat comes from within the Mac App Store, according to Thomas Reed, a Mac security researcher. When a user tries to install an app on a Mac, a Mac OS program called Gatekeeper checks the file’s code signature. The signature helps certify the app is valid. However, Reed found that cyber-criminals could buy a legitimate certificate from Apple, or steal one and trick users. Users would install masked malware that could infect legitimate programs and evade detection.

Key Takeaway

Apple is always working to protect its users from malware. It has measures in place, and user caution can make a big difference, too. Still, it’s not true that Macs are completely safe.

Find out what you can do to protect your Macs and guard against threats. Partner with a managed services provider to gauge your security levels.

Call us today at 319-227-7000!

July 2nd, 2019 | Security

3 Steps to Securing Cloud Data


Businesses are no longer confusing “the cloud” with those puffy white things in the sky. For many, the cloud is a backbone business tool. Yet, some worry about storing their data on the Internet using cloud technologies. Consider these 3 Steps to Securing Cloud Data.

#1 Encrypt Business Data

The cloud is a lucrative potential target for cyber-criminals. Many enterprises have turned to this technology. In North America, nearly 60% of enterprises now rely on public cloud platforms. That’s a five-fold increase over five years, according to Forrester’s Cloud Computing 2019 Predictions.

Some cloud service providers will promise to encrypt your data in transmission. Take this precaution further by encrypting data before it’s sent to the cloud. Encrypting data turns it into another form of code. Only the person with the correct password can decrypt it. If you use a modern encryption standard, it will be extremely challenging for a hacker to break the code.

Plus, encrypting on your end first ensures the cloud storage provider only stores encrypted data. So, if their storage gets hacked, or one of their employees goes rogue, they aren’t able to read your business data. That is, unless they have the decryption password. Make sure the password is strong. Don’t be one of those people still using “password” or “123456789”!

#2 Have a Backup

Many businesses store data on the cloud as a precaution to have redundancy. Yet, it’s a good idea to have another backup copy locally too. Just in case.

In some cases, businesses have migrated almost entirely to the cloud. All their software and files live on the cloud and they have no other copy. Don’t let this happen to you. We recommend the 3-2-1 backup strategy. This means, even for cloud-reliant businesses, having 3 copies of your data. One would be on the cloud. The other two (2) would be on different devices (e.g. on your local computer and on a backup drive).
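A check for the 3-2-1 strategy recommended here and in the due diligence checklist earlier on this page, as an added example (not code from the original article). The manifest format, the `BackupCopy` fields, and the 30-day restore-test window are assumptions; the sample entries are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass
class BackupCopy:
    label: str
    location: str      # "cloud" or "local"
    device: str        # the physical device or cloud account holding the copy
    sha256: str        # digest read back during the last restore test
    last_tested: date


def audit_321(copies, expected_sha256, today, max_age_days=30):
    """Return a list of findings; an empty list means the set meets 3-2-1.

    A copy only counts if its contents match the backup set and it has been
    restore-tested within max_age_days (assumed window, adjust to policy).
    """
    findings, good = [], []
    for c in copies:
        age = (today - c.last_tested).days
        if c.sha256 != expected_sha256:
            findings.append(f"{c.label}: contents do not match the backup set")
        elif age > max_age_days:
            findings.append(f"{c.label}: restore test is {age} days old")
        else:
            good.append(c)

    if len(good) < 3:
        findings.append(f"only {len(good)} verified copies, need 3")
    if not any(c.location == "cloud" for c in good):
        findings.append("no verified copy on the cloud")
    local_devices = {c.device for c in good if c.location == "local"}
    if len(local_devices) < 2:
        findings.append(
            f"verified local copies sit on {len(local_devices)} device(s), "
            "need 2 different devices"
        )
    return findings


# Constructed sample data for the demo.
SNAPSHOT = b"constructed sample: customer ledger 2019-04"
DIGEST = hashlib.sha256(SNAPSHOT).hexdigest()
TODAY = date(2019, 5, 7)

# Looks like three copies, but two share one machine and the cloud copy is untested.
WEAK_SET = [
    BackupCopy("office PC", "local", "pc-01", DIGEST, date(2019, 5, 1)),
    BackupCopy("second folder on office PC", "local", "pc-01", DIGEST, date(2019, 5, 1)),
    BackupCopy("cloud bucket", "cloud", "cloud-account", DIGEST, date(2019, 1, 15)),
]
SOUND_SET = [
    BackupCopy("office PC", "local", "pc-01", DIGEST, date(2019, 5, 1)),
    BackupCopy("USB drive", "local", "usb-01", DIGEST, date(2019, 5, 3)),
    BackupCopy("cloud bucket", "cloud", "cloud-account", DIGEST, date(2019, 4, 28)),
]

if __name__ == "__main__":
    for name, copies in (("weak", WEAK_SET), ("sound", SOUND_SET)):
        print(name, audit_321(copies, DIGEST, TODAY) or "meets 3-2-1")
```
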

#3 Know Your Responsibilities

The cloud is a shared technology model. Partner with a cloud service provider with stringent security. At the same time, don’t count on the cloud provider to do everything. Clearly identify security roles and responsibilities. The Cloud Security Alliance reminds us that this can depend on the cloud model you’re using:

  • Software as a Service – The provider is largely responsible for security. After all, the user can only access the applications.
  • Platform as a Service – The cloud partner secures the platform. Your business must configure its own security for anything implemented on the platform. This includes securing the database, managing account access, and authentication methods.
  • Infrastructure as a Service – You’re responsible for everything built on the provider’s infrastructure. They will likely monitor their perimeter for attacks, but the rest is your job.

Cloud technology offers several advantages:

  • Enables IT to scale without investing in equipment, software, employee training, or taking up valuable office footprint
  • Offers peace of mind that data will always be available regardless of conditions at a particular business location
  • Provides up-to-date technology users can access from any device, anywhere, anytime – as long as they have an Internet connection

The cloud revolution has come. When you join the ranks of those migrating data to the cloud, do so with these safety suggestions in mind.

Need help securing your data? Whether you’re backing up locally or on the cloud, give us a call at 319-227-7000.

May 7th, 2019 | Cloud Services, Security

Protecting Your Customers and Your Business Too


Security and privacy are at the very top of our priorities when considering business IT. Major data leaks are in mainstream news on a near-daily basis and hundreds of thousands, if not millions, of customers are impacted every time they happen. Our number one goal is to make sure our businesses are kept out of danger.

Major institutions, such as multi-national banks and credit card companies, are expected to handle your data well. Unfortunately, less secured businesses require access to our data too.

Even just booking into a hotel often requires you to leave your name, address, date of birth, passport number, and credit card details. These few pieces of information are more than enough to steal your identity, start a line of credit, and access many of your vital services. You can often only hope your chosen hotel handles your information as well as your bank does.

Securing Your Business with Smarter Thinking

There is no way to change how your favorite hotel service operates, but you can affect your own business to improve its security for your customers.

You don’t need the manpower or funding of a major banking chain to handle data securely. With simple tweaks and powerful changes, you can minimize the chances of your business suffering a data breach big enough to close your doors for good.

By stepping up IT security to meet modern threats, you can help to limit your liability, put customers’ minds at ease, and give your firm a competitive advantage. Should hackers attack, the work you do today will limit the damage and help you to weather the storm.

Limit Your Data Collection

The single most important thing to consider when securing your business is how much data you really need to hold. Carefully consider the value of every piece of personal information you collect in any given transaction. Do you have a use for everything you ask for?

Emails, addresses, and contact numbers are useful for receipts and marketing, but additional data many firms collect is often useless and wasteful. Each piece of unnecessary data you hold represents additional value to hackers and thieves. While you may be unable to use your own stored data, hackers will find great value in gathering more personal information. This increases your liability without adding any extra value.

Consider Your Access Requirements

Think carefully about who has access to information within your business and precisely why they need to access it. Often security problems begin when employees have blanket privileges to access everything within the firm.

Access restrictions should be specific to the company structure. Low-level employees should be limited to only what is strictly required for their role. Managers, for example, are likely to need systems that their junior staff cannot access.

Physical access restrictions are critical too. Unattended computers and mobile devices should require a password or identity verification to log on.

Treating Data with Care

The way you treat your data in day-to-day business reflects the impact hackers or IT disaster will have on your business when it is lost. Do you know where your backups are, and when they were last tested? Firms often first know they are in trouble when they realize all their data is stored on a business laptop or device that could be easily lost or stolen. Some firms shuttle a portable hard drive between home and work.

This solution should have no place in a professional business environment. Proper data care means regular, tested backups that are secure against fire, theft, or online hacks. Protecting your customers and your business is all about the smart application of IT knowledge in a cost-effective and efficient way.

We can help you to lock down your business to protect the most valuable asset your business owns: data. Call us at 319-227-7000.

April 2nd, 2019 | Backup, Security

Is Your Physical Security as Good As Your Cyber Security?


Headlines are often made by firms that have been hacked by “elite” cyber-criminals. These events sound high tech, sophisticated, and interesting. The truth is almost always an amateur attacker chancing their luck with an unpatched security hole or bad password. Physical break-ins affect businesses far more commonly and cause much more damage, but get talked about far less.

Similar to technology hacks, most physical security threats come from criminals that chance their luck on businesses that look poorly secured. On a rare occasion, they may strike a business owner that has forgotten to lock up or failed to set the security alarm.

By breaking in, these criminals exploit poor physical security to cause damage and steal valuables. Typically, by destroying or taking critical assets, a criminal may make a few hundred in profit while the total damage done to the business is counted in the tens of thousands.

While most IT security packages act automatically and always remain on, physical security needs to be made a daily habit and requires periodic updates.

Threats Starting from Within

Every business should have secure locks protecting their doors. Many use an alarm system to add protection to valuable assets. However, there are common threats that neither of these can protect you from. How would your business be protected if the attack came from within your firm?

A disgruntled employee, or even a former employee, can do an enormous amount of damage to a business. Attacking their own business, an employee can likely do more damage during the day than a criminal could by breaking in overnight. Misplaced trust in the wrong individual can result in devastating consequences.

Employees typically have access to one of your business’s most valuable assets: data. A criminal may steal computer hardware to sell for quick cash because most don’t fully understand the value of the data stored on it.

The value of the data in a business machine can easily exceed the cost of the hardware one hundred times over.

Physical Security Heists

For criminals who do understand the value of data, physical security can be the weakest spot in a business’s armor. In 2013, media streaming service Vudu suffered a break-in where criminals stole server hardware to obtain credit card information stored within.

A technology-savvy streaming firm is highly likely to have up-to-date IT with excellent security measures. Thieves looking for easy cash recognized that the best way to get to the data was through their comparatively weak physical security.

The best security packages in the world are completely ineffective if the keys are left in the door and physical hardware is easy to remove. This challenge of securing your data can be made even more difficult when using a location that must remain open to the public.

Securing Your Data with Good Security Practices

Keeping your customer data safe is one of the most significant responsibilities small business owners take on. It requires a duty to employ the best possible security practices to keep your customers safe. For a customer to have the trust to use your business over the competition, they have to see their concerns put to rest.

Locking down data access for employees so they can only view and edit what is strictly needed protects both customers and the business against many kinds of damage, both accidental and malicious. Limiting device access, such as disabling USB ports so that thumb drives or storage devices cannot be connected, helps to prevent data being copied and carried offsite.

Physically locking down a server in the location where it sits is one of the best deterrents against theft. Locked server racks are an excellent piece of physical security that works on top of the building security already in place.

Make sure your business is up to the task of securing its data. Give us a call at 319-227-7000 to audit both your digital and physical security.

February 26th, 2019 | Security

Don’t Get Hooked by Spear Phishing Attacks


Phishing attacks have been around for a long time. Designed to steal your credentials or trick you into installing malicious software, they have persisted in the IT world precisely because they have been so devastatingly simple and effective. Today, a more modern and more effective version of the same attack is commonly used.

A typical phishing attack involves an attacker sending out a malicious email to hundreds of thousands, if not millions of users. The attacker’s email is designed to look like it comes from a bank, financial service, or even the tax office. Often aiming to trick you into logging in to a fake online service, a phishing attack captures the login details you enter so an attacker may use them to enter the genuine service later.

By sending out tens of thousands of emails at a time, attackers can guarantee that even if only one half of one percent of people fall for it, there is a lot of profit to be made by draining accounts. Spear phishing is a more modern, more sophisticated, and far more dangerous form of the attack. It’s typically targeted at businesses and their staff.

A Convincing, Dangerous Attack

While a traditional phishing attack throws out a broad net in the hope of capturing as many credentials as possible, spear phishing is targeted and precise. The attack is aimed towards convincing a single business, department, or individual that a fraudulent email or website is genuine.

The attacker focuses on building a relationship and establishing trust with the target. Once the attacker has built that trust and convinced the target that they are who they are pretending to be, the target is more likely to open attachments, follow links, or provide sensitive details.

Consider how many times you have followed a link or opened an attachment just because it has come from a contact you have trusted before.

A Trusted E-mail

The malicious email can appear to come from a vendor you deal with regularly. It may even look like an invoice you are expecting to receive. Often attackers can simply substitute the vendors’ banking details for their own, hoping the target will not notice the difference.

Such an attack is very difficult to detect. It takes a keen eye, strong working knowledge, and constant awareness to keep your company protected. Even a single small mistake by an unaware member of staff can compromise your business accounts.

Defending Your Business

The key to stopping a spear phishing attack is education. Learning attack techniques and how to protect against them is the single biggest thing you can do to enhance business security.

Whenever you deal with a vendor in a business transaction, you should always consider important questions before proceeding. Are you expecting this email? Is the vendor attempting to rush you into a quick decision or transaction? Have you checked all the details are correct and as you expected? Sometimes a simple query to the vendor can protect you against worst-case scenarios.

In many cases, a phishing attack can be halted in its tracks with a strong IT security package. Web filtering prevents most malicious emails and links from entering the network, shutting attacks down before any damage can be done.

Good Security Practice

As with many types of IT threats, good security practices help mitigate damage. Locking down security to ensure employees only access the systems they need helps to prevent damage spreading across the network.

Enforcing unique and strong passwords prevents leaked credentials from affecting systems related to the one that has been compromised. Getting employees set up with a password manager and good security policies can do a world of good in boosting your security to the level it needs to be.

Give us a call at 319-227-7000 to audit your security practices. It could be the difference that secures your firm against sophisticated spear phishing attacks.

February 5th, 2019 | Security

Marriott Hotel Breach Exposed 500 Million Customer Records. Make Sure Your Business Doesn’t Suffer the Same Fate.

Up to 500 million travelers could be compromised as hotel chain Marriott International have announced a security breach in their guest database. Analysts recently alerted the firm to a vulnerability that has granted hackers access to the hotel chain’s systems since 2014.

The firm announced their Starwood Preferred Guest (SPG) loyalty program was compromised for an extended period which left customers vulnerable. The exploit exposed critical guest information which included names, addresses, passport numbers, and dates of birth. Marriott also announced an unknown number of customers had encrypted credit card details stolen in the attack.

If you have been a member of Marriott’s Preferred Guest Program or a customer of Marriott hotels in the past, you should take steps today to ensure your data security. By doing so, you can protect your finances, prevent identity theft, and defend your data from attackers looking to exploit an opportunity.

Secure Your Data

Changing your Marriott password should, of course, be the first step to protecting your accounts. Even more importantly, sites where that same password may have been reused should be updated with new credentials too. Hackers commonly try details stolen from one site to access popular services and pages. We encourage everyone to use a password manager to store their details for safe use in the future. A good password manager enables unique, random, and strong passwords to be used with ease for every single website.

While we can’t stop hacks on systems outside of our control, we can defend our other accounts from being accessed by criminals.

With secure password management, attacks on your business services or related accounts from a single hack are made impossible.

Performing Damage Control

The damage to the Marriott International brand following news of the leak will be undoubtedly huge. At a minimum, they have lost the trust of their customers worldwide. Asking customers to leave their personal and financial details again to pay for goods and services will be no small feat.

The hack made front-page news as it broke, further damaging the firm’s reputation among potential future customers too. As a result of a simple security attack, Marriott International will be forced into damage limitation to keep customers returning to the brand. This is why business security matters to us; when done right it’s cheaper by far.

The total cost of this latest attack won’t be known for years to come. The firm is vulnerable to lawsuits worldwide, in some cases liable for financial losses, and required to purchase identity monitoring and security services for affected customers. Business owners can learn from Marriott’s costly lesson.

Stopping an Attack in its Tracks

Marriott’s security breach was recently discovered, hitting the headlines just this week, but the firm admitted unauthorized access had been taking place since 2014. This means the firm had a security hole for four years that they were unable to detect or patch.

For a firm of any size, this should be unacceptable. As business owners, we shouldn’t accept security vulnerabilities that leave our records, finances, or services open to hackers. As customers, we shouldn’t accept our data being treated so carelessly. The recent Marriott hack underlines the need for businesses to maintain constant network monitoring, regular security updates, and a lock-down on data access.

Protect Your Business and Your Customers

Any business can find their systems vulnerable to attack at some point. Whether the cause is waiting for updates, a newly released zero-day hack, or a malicious employee, responsible firms take steps to limit their liability.

As a rule, staff accounts should be locked to only the systems they regularly need to access. Similarly, customer data should only be open on an as-needed basis when a legitimate requirement exists. These steps, alongside systems and data monitoring, prevent a small-scale attack resulting in an enormous data breach. Strong security enables customers to place and maintain their trust in a brand they can keep coming back to again and again.

If your business could use a security update to protect against a Marriott style attack in the future, give us a call today at (319) 227-7000 or fill out our contact form.

December 4th, 2018 | Security