Our Blogs

Threats are Changing – Are You Prepared to Change with Them?

Security is a part of business that is constantly changing and evolving. What worked ten years, five years, or even two years ago may not be relevant in today’s security environment. What are some of the major changes that your company can expect to see in the coming years? We’ll walk you through some of the ways that security will be changing in the foreseeable future, and what you can do about it.

The information here is gathered from a study performed by Cisco, which analyzed the findings of 3,600 data security professionals from organizations like Talos and other partners from all around the world.

Malware Grows More Autonomous
Early types of malware depended on the user clicking on a link to install it on the computer or workstation. Nowadays, malware is depending less and less on the user making a mistake and is instead becoming more network-based. A good example of this is ransomware, which could install on a single device and spread to the entire network. Cisco even imagines that this type of ransomware could take over the entire Internet.

Ransomware is About More than Just Money
The ransom involved with ransomware was the major reason why a lot of hackers would use it as their attack vector of choice, as it virtually guaranteed that they could make a profit off of an attack. People are too scared to lose their data, even on an individual level. Businesses would basically be forced to pay up or risk losing everything. However, the growing trend is that hackers aren’t as interested in money anymore–instead, they are interested only in the complete leverage they gain by stealing this data and holding it hostage.

Threats are Getting Better at Avoiding Detection
Ransomware has started to hide in encrypted traffic to avoid detection, which can make it much more difficult to identify and eliminate. Furthermore, through the use of cloud-based applications and services, any attacker can implement a command and control attack and hide it within normal traffic to obscure it.

Internet of Things Devices are a Problem
Devices that connect to the Internet have become a major problem for many businesses, especially considering how fast they have been implemented. IoT devices are often patched poorly, and they can create backdoors that allow for unauthorized access to your infrastructure. Furthermore, IoT endpoints are simply not secured properly, which makes them even more dangerous for your company network.

While security is a topic that is constantly changing, Net Activity can help your organization adapt and change to the times. To learn more, call us today at 216-503-5150.

Facebook Users Should Assume Their Data Has Been Scraped

First it was 55 million.  Then 77 million.  Now, it’s 2.2 billion, or pretty much every user on Facebook.  That’s how many people should assume that their public profile information has been scraped.

The conversation began when it came to light that Cambridge Analytica (a political research firm) had misused Facebook’s search function to scrape profile data for tens of millions of Facebook’s users to help the Trump campaign win the recent presidential election.

As research into the matter has continued, however, it has become clear that Cambridge Analytica wasn’t the only group misusing the search feature, and that before Facebook disabled it, more than two billion of Facebook’s users had seen their public profile information scraped.

Essentially, Facebook was used to paint a more complete picture of users to build a profile which could be sold on the Dark Web.

Starting with stolen phone numbers or addresses, hackers developed automated routines that fed this information into Facebook’s search function, enabling them to link these bits of information with the names and locations of specific people.  Having a more complete profile in hand made the data that much more valuable on the Dark Web, where it is currently being resold.

At 2.2 billion impacted users, it’s certain that this will be the year’s largest data breach. In fact, this one is likely to hold the world record for quite some time.

Facebook’s CEO, Mark Zuckerberg, issued an apology to the company’s massive user base.

Mike Schroepfer, the company’s Chief Technology Officer, had this to say:

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name. However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery…we believe most people on Facebook could have had their public profile scraped in this way.”

 

4 Backup Strategies That Really Protect Your Data

How does your business leverage data backup? Depending on the way your business functions and your specific needs, your data backup solution will vary from other organizations in your industry. Yet, one thing is absolutely certain, and it’s that your organization can’t afford to not implement some type of data backup system. In the event of a data loss scenario, you don’t want to be left wondering if you could have prevented it with a little proactive action.

Here are four topics that you will want to consider when designing and implementing a data backup system.

  1. Know What Data You’re Backing Up
    The biggest question that you will have to ask yourself is how much of your data you’re going to back up. Of course, the answer should always be “as much as possible.” Having said that, any legal obligations you have for specific compliance regulations must be prioritized, as left unchecked they could cost your business even more in lost revenue as you may be subject to fines and other expenses.
  2. Ensure Adequate Security Practices
    One of the most dangerous backup security practices is to keep backups stored on in-house infrastructure that’s vulnerable to being compromised by external threats. If a hacker can infiltrate your network, it’s likely that they can also infiltrate any unprotected data backups that you have in place. While it’s helpful to have an on-site backup that can be used in the heat of the moment, it’s more effective to keep your backups stored in an off-site data center that is encrypted and protected properly.
  3. Know Where Backups Are Stored
    One of the most critical parts of data backup is where you’re storing your backups. While it’s convenient to store them on-site, you risk damage to them. We recommend that you follow the 1-2-3 data backup rule. You keep three copies of your data in total–one on-site for easy access, and two off-site, either in a secure off-site data center or in the cloud. Remember, the best failsafe for your business’ data infrastructure is to have copies of it somewhere where they can reliably be restored.
  4. Test the Reliability of Your Systems
    Speaking of reliability, your backup systems are useless if they don’t work as intended. The last thing you want is to experience a data loss incident and then fail to restore your data when it’s needed most. You should frequently test your business’ backups so that you can be confident that they work as intended. Otherwise, you’re simply flirting with disaster, at the mercy of what boils down to luck and hope.

Net Activity, Inc. can equip you with a BDR solution that is designed to take frequent backups and store them in a safe and secure off-site environment for rapid recovery at a moment’s notice. To find out how you can take advantage of this great solution, give us a call at 216-503-5150.

Keeping Your Business Safe: Building a Disaster Preparedness & Recovery Plan for Your Small Business

Did you know that almost 40% of small businesses do not re-open after a major natural disaster?

If you don’t want to fall victim to this statistic, you need a solid plan in place before disaster strikes.

Disasters and emergencies, whether natural or man-made, large or small, can have a dramatic impact on your company’s ability to keep your doors open and stay profitable.

So if you don’t already have one, then the time is now to create your disaster preparedness plan. Let’s take a look at the steps you should take right now to evaluate potential threats to your business and keep your company safe in an emergency.

First, Assess and Prioritize Potential Threats to Your Business

To go about creating a disaster preparedness plan for your business, you first have to understand the problem. Start by thinking about those obvious situations that could pose a risk, such as a fire, flood, or other major weather event.

But what about the less obvious disasters?

Do you have protections in place against cyber threats? Do you know what to do in case of an active shooter or other criminal situation? Are there threats of bodily injury or contamination posed by supplies or equipment at your workplace?

The wide range of potential disasters facing your business can be enough to leave you paralyzed. In reality, though, different scenarios pose a different level of risk to your individual business depending on your location, industry, and other factors.

If you’re not sure where to start assessing potential risks, take a look at the U.S. Small Business Administration’s risk assessment checklist. It will help you evaluate each potential risk factor by probability and impact in order to better prioritize your disaster recovery planning.

First thing to remember: prioritize human survival above all else.

In those critical first minutes when a natural or man-made disaster occurs, your immediate priority is always the protection of human life. So, the initial piece of your disaster preparedness plan should focus on creating and communicating procedures that will keep the people who make up your small business safe in an emergency situation.

Make sure to prepare for medical emergency situations. Workplace medical emergencies vary greatly depending on the disaster, type of job and the worksite. However, there are steps that can give you the upper hand in responding to a medical emergency. Encourage employees to take basic First Aid and CPR training. If it is feasible, offer on-site classes for your co-workers. You should also keep First Aid supplies in stock and easily accessible. Finally, encourage employees to talk about medical conditions that may require support or special care in an emergency.

Next, identify your company’s specific emergency response requirements and objectives.

The exact needs of your emergency response plan depend upon your industry, size, location, and the highest priority risks you’ve identified for your business.

As you develop your business’s response plan, consider the requirements that may be put in place through these three key factors:

  1. Regulatory Requirements. Some aspects of your small business emergency action plan are dictated by local, state, or federal law. The U.S. Occupational Health and Safety Administration (OSHA), in particular, details required emergency response guidelines for any business with more than 10 employees. Fortunately, OSHA offers extensive online tools that can help you follow their standardized guidelines, including fire safety requirements, evacuation plan regulations, and expectations for emergency preparedness kits for your facility.

  2. Public Emergency Services. Local public services such as your city fire department and police force are committed to helping businesses craft a disaster preparedness plan. As you develop your business’ emergency response plan, consider reaching out to these entities to provide guidance, review the plans you put in place, and share contact information and communications procedures for outside community resources.

  3. Business-Specific Emergency Preparedness Needs. Although the guidance of regulatory bodies or emergency service personnel will go a long way toward helping you develop your emergency response plan, certain preparedness needs will be unique to your individual business and facility. To develop a plan that is actionable for your specific business and location, combine the guidelines of outside experts with what you know about your facility, your team, and how your business runs from day to day. Consider, for example, the layout of your facility, the work schedules of various personnel, and in particular the best course of action for any individuals with special needs.

To be most effective, your written emergency response plan should be clear, actionable, and well-organized, providing as much detail as possible while also allowing personnel to quickly access the information they need in any given scenario. Make sure to assign Team Roles as needed (i.e. Disaster Management, Network, Server and Applications) and provide clear delineation of roles and responsibilities of all teams.

We’ve got a great template to get you started crafting your plan:

Now it’s time to Run Company-Wide Emergency Response Simulations

Once you’ve completed a basic walk-through and implemented the feedback you receive, you’re ready for a more hands-on approach to testing your disaster preparedness plan. Depending on the size of your business, it’s wise to conduct live action drills at least once a year for each of the highest risk emergency scenarios you may face.

Then… make sure you finally…

Test Your Disaster Recovery Process & Plan

This is where you plan and walk through the policies and procedures you will be following when your IT services have been disrupted for any of the emergency scenarios we have discussed here.

Now we want to bring the focus of the plan to restoring all affected business processes as quickly as possible, either by bringing disrupted services back online or by switching to a contingency system.

This portion of your DR plan should take into account the following:

  • IT services: Which business processes are supported by which systems? What are the risks?
  • People: Who are the stakeholders, on both the business and IT side, in a given DR process?
  • Suppliers: Which external suppliers would you need to contact in the event of an IT outage? Your data recovery provider, for example.
  • Locations: Where will you work if your normal premises are rendered inaccessible?
  • Testing: How will you test the DR plan?
  • Training: What training and documentation will be provided to end users?

At the center of your DR plan are two all-important KPIs, which are typically applied individually to different IT services: recovery point objective (RPO) and recovery time objective (RTO). Don’t be confused by the jargon, because they’re very simple:

  • RPO: The maximum age of a backup before it ceases to be useful. If you can afford to lose a day’s worth of data in a given system, you set an RPO of 24 hours.
  • RTO: The maximum amount of time that should be allowed to elapse before the backup is implemented and normal services are resumed.

You can calculate these numbers with our Data Loss worksheet here.

While this testing process may not re-occur as frequently as an evacuation or shelter-in-place drill, be sure that you do re-evaluate the protocols any time there’s a major change in your personnel or your business processes.

Obviously, frequent disaster recovery planning and testing of this magnitude can become a burden on any small business.  As a rule of thumb, recovery plan experts recommend focusing on process failures instead of on specific events when building out your plan.

For most business owners, the ultimate question is not if, but when you’ll be faced with a major emergency or business disruption. That’s why, although disaster preparedness planning is hardly any entrepreneur’s favorite topic, it is of critical importance for any small business that wants to succeed in the long term.

By following these steps to create a thorough disaster preparedness plan for your business, you are making the ultimate investment to make sure that the business you’ve worked so hard to build can continue to thrive for years to come. 

Contact Net Activity and we can help you get the right plan in place today.

Is Your Cloud Solution Going Over Budget?

The cloud is the perfect solution for small- and medium-sized businesses like yours. For a small monthly fee, you get access to cutting-edge technologies and 24/7 support from a team of cloud experts. But without proper management, cloud costs can quickly go over your budget. Here’s what you should do to keep it from becoming too expensive.

Don’t go for standalone services
Standalone services are the biggest price trap in the cloud. Spending on standalone cloud software may seem harmless now, but if you decide to purchase similar services, the costs can quickly pile up. Then, there’s the issue of integrating these systems together, which costs even more time and money.

The best way around this is to find a service provider that offers a suite of products that work seamlessly together. Platforms like Office 365 or G Suite are great examples, and offer you differently priced packages based on the size and requirements of your business.

Team up with integration experts
If you do need to subscribe to a standalone service, you’ll want to integrate it with the rest of your cloud platform. But if you have limited experience with integrations, mistakes are likely to happen and cause downtime, which will inevitably cost you time and money.

The more economical option is to partner with a cloud integration expert, as they can quickly configure and deploy your systems with zero mistakes.

Understand cloud backup costs
While cloud backups are great for keeping your data secure, you must know how much you’re paying for them. If you plan on storing your data for a long time, you may be charged more. At the same time, if you store more versions of your data, it will cost you more.

One way you can keep costs down is to ask yourself whether certain files even need to be stored in the cloud. Mission-critical files like customer information, legal documents, and business plans should be stored in the cloud so you can retrieve them right away after a disaster, but routine documents like timesheets can probably be stored in less expensive data centers.

Remove unnecessary accounts
Most cloud service providers charge you based on the number of users per month, so if you’re not diligent about removing accounts when employees have left your company, you could be throwing your money down the drain.

To avoid this, you need to have deprovisioning procedures in place for when an employee’s contract is terminated. Create a spreadsheet of each employee on your payroll and note down their cloud subscriptions. When an employee leaves your company, you must delete all their business accounts and give the relevant manager access to all their documents.

It’s also a good idea to schedule regular audits to make sure you’re not paying for people who’ve already left your company.

Work with a trustworthy provider
Last but not least, you’ll want to partner with a cloud services provider that not only gives you the best deals on cloud solutions, but also proactively monitors your account and warns you about any issues regarding the computing resources and storage space you’re using.

If you’re looking to keep cloud costs under control, talk to us today. We’re the experts at making the cloud work for each and every client, and we’d love to speak with you about how we can do the same for you!

What Private Browsing Can and Can’t Do

As you surf the web, it’s nearly impossible to keep your internet activity completely private. Certain websites collect personal information for marketing purposes and your browser keeps track of all the websites you visit. But that browsing information can also fall into the wrong hands, which is why you should consider using private browsing if you want to keep your online activities to yourself.

What is private browsing?
Your web browser — whether it be Chrome, Edge, Firefox, Safari, or Opera — remembers the URLs of the sites you visit, cookies that track your activity, passwords you’ve used, and temporary files you’ve downloaded.

This can be convenient if you frequently visit certain pages, can’t remember your login details, or if you’re trying to recall a website you visited a few days ago. But if someone else uses or gains access to your computer, your most private (and embarrassing) internet activities are exposed for anyone to see.

With private browsing — also called Incognito Mode in Chrome and InPrivate Browsing in Edge — all the information listed above does not get recorded. In fact, all the websites and information you accessed in the private browsing session are immediately discarded without a trace as soon as you close the browser. This can come in handy when you’re using a public computer because you’re instantly logged out of all the accounts after closing the window.

Your cookies also won’t be tracked. In a normal browsing session, sites like Facebook will inundate you with highly targeted ads based on the sites and pages you’ve visited. But in private browsing mode, your internet activity won’t be used against you by marketing companies.

Another benefit of private browsing is you can use it to log in to several accounts on the same site, which is useful if you need to log into two different Google accounts at the same time.

Limitations of private browsing
Although private browsing does prevent your web browser from storing your data, it doesn’t stop anyone from snooping on your current activities. If your computer is connected to the company network, system administrators can still keep track of what you’re browsing even if you’re in Incognito Mode.

Also, if spyware or keylogger malware is installed on your computer, hackers will still be able to see what you’re doing online. Even though private browsing has quite a few benefits, you shouldn’t solely depend on it for online privacy.

Your computers must be equipped with Virtual Private Networks that encrypt your internet connection and prevent anyone from intercepting your data. And don’t forget to scan your computer for viruses with a strong anti-malware program to keep spyware and other malicious web monitoring software at bay.

If you want to know where you can get these solutions or learn more about web browser security, contact us today. We have the tools and expert advice you need to prevent anyone from snooping on your internet browsing.

Look for the HTTPS: You Cannot Browse Safely Without It

How many times this month have you paid for something online using your credit card? Was each payment page secured by HTTPS? If you’re not 100% certain, you’re a prime target for identity theft. The padlock icon in your web browser’s address bar is immensely important and it requires your attention.

HTTPS Encryption

Older web protocols lack data encryption. When you visit a website that doesn’t use HTTPS, everything you type or click on that website is sent across the network in plain text. So, if your bank’s website doesn’t use the latest protocols, your login information can be intercepted by anyone with the right tools.

HTTPS Certificates

The second thing outdated web browsing lacks is publisher certificates. When you enter a web address into your browser, your computer uses an online directory to translate that text into numerical addresses (e.g., www.google.com = 8.8.8.8) then saves that information on your computer so it doesn’t need to check the online directory every time you visit a known website.

The problem is, if your computer is hacked it could be tricked into directing www.google.com to 8.8.8.255, even if that’s a malicious website. Oftentimes, this strategy is implemented to send users to sites that look exactly like what they expected but are actually false-front sites designed to trick you into providing your credentials.

HTTPS created a new ecosystem of certificates that are issued by the online directories mentioned earlier. These certificates make it impossible for you to be redirected to a false-front website.

What this means for daily browsing

Most people hop from site to site too quickly to check each one for padlocks and certificates. Unfortunately, HTTPS is way too important to ignore. Here are a few things to consider when browsing:

  • If your browser marks a website as “unsafe” do not click “proceed anyway” unless you are absolutely certain nothing private will be transmitted.
  • There are web browser extensions that create encrypted connections to unencrypted websites (HTTPS Everywhere is great for Chrome and Firefox).
  • HTTPS certificates don’t mean anything if you don’t recognize the company’s name. For example, goog1e.com (with the ‘l’ replaced with a one) could have a certificate, but that doesn’t mean it’s a trustworthy site.

Avoiding sites that don’t use the HTTPS protocol is just one of many things you need to do to stay safe when browsing the internet. When you’re ready for IT support that handles the finer points of cybersecurity like safe web browsing, contact our office or give us a call at 216-503-5150.

How Criminals Are Stealing Your Office 365 Data – And What You Can Do About It

Microsoft works hard to update and secure its full-featured office productivity suite, Office 365. But because it is one of the most widely used office productivity suites in the world (more than 85 million active users worldwide and growing), it is also a target for hackers and thieves.

What can ransomware do to Office 365?

When we think of ransomware in Office 365, we usually think of a program that encrypts or restricts access to critical business systems until a ransom is paid. This is one type of ransomware, and it can cost businesses a lot of money. According to Datto’s 2017 Ransomware Report, 75% of respondents reported their clients suffered business-threatening downtime in the past year.

But ransomware can also be used to steal your data, including your critical data like customer information, research and development, financial data, and other protected information. For example, ransomware may be used to access your confidential trade secrets and threaten to expose them. It may be used to access customer financial information with a threat to sell it on the black market to the highest bidder.
Ransomware in Office 365 can interfere with your business operations or steal sensitive data from your company.

Can ransomware in Office 365 be prevented?

Unfortunately, ransomware is a rampant problem in the business IT environment. A recent survey of 1,100 IT service providers about ransomware and cybersecurity found that 94% reported ransomware infection despite having antivirus software in place. While antivirus and information security platforms can do a lot to help protect your systems from malware, they don’t have a great track record for preventing ransomware in Office 365.

How does ransomware get in?

The genius and the danger (depending on your point of view) of ransomware is that criminals do not need to find a way to penetrate Microsoft’s protection layers to carry out their extortion attack.
Instead, criminals often use social engineering schemes. For example, they can use a phishing scam. Verizon’s 2016 Data Breach Investigation Report revealed that phishing emails have an average open rate of 30%. Download our cheat sheet below to learn exactly what you need to look for (and avoid) in each and every email to protect your identity, money and data.

Your legitimate user (who unknowingly acts as a security vulnerability) gets a message from an address that appears to be legitimate, and in the seemingly official correspondence the criminals include a Trojan whose payload is disguised as a legitimate file.

What can protect my business from ransomware?

The best protection against ransomware is frequent, reliable, secure data backups. When the data is backed up frequently, old (uninfected) data can be easily restored to replace data that’s blocked or infected with ransomware.
It’s important to note that ransomware, like many other forms of malware, can remain dormant in the system for a period of time before activating itself. Therefore, a backup system should retain several months’ worth of backups in order to provide good protection from ransomware.

Download our free guide to learn more about Office 365 security and Ransomware protection.

4 Emails You Should NEVER Open

Cybercrime is an ever-present threat to modern businesses.

Without up-to-date and varied IT security measures, successful hacks can compromise your customers’ and employees’ sensitive data and harm your systems, resulting in costly downtime, and worse.

Email is the primary tool that companies like yours use for daily communications in the modern business world. It’s simple, it’s easy, and it’s effective, but it’s also the main source of malware and spam that could threaten your business. If you’re not careful, your email could be the key for cybercriminals that are trying to exploit you:

  • Viruses and malware disguised as regular attachments from familiar sources.
  • Phishing schemes from cybercriminals posing as familiar companies and contacts in an attempt to convince employees to give up sensitive information.
  • Spam and junk email clogging up your inbox and blocking real, important emails from your clients and partners.

So what can you do? One of the surest ways to protect your business from a range of threats is to learn about them!

No matter how “bomb-proof” we make your network, you and your employees can still invite a hacker in if you click on a link or open an attachment in an e-mail sent by a cybercriminal. Some spam is obvious, but other messages are VERY cleverly designed to sneak past all the filters and trick the recipient into opening the door. Known as a “phishing” e-mail, this is still the #1 way hackers circumvent firewalls, filters and antivirus, so it’s critical that you and your employees know how to spot a threatening e-mail. Here are four types of e-mail ploys you should be on high alert for.

The Authority E-mail. The most common phishing e-mails are ones impersonating your bank, the IRS or some authority figure. The rule of thumb is this: ANY e-mail that comes in where 1) you don’t PERSONALLY know the sender, including e-mails from the IRS, Microsoft or your “bank,” and 2) asks you to “verify” your account should be deleted. Remember, ANY important notification will be sent via old-fashioned snail mail. If it’s important, they can call you.

The “Account Verification” E-mail. Any e-mail that asks you to verify your password, bank information or login credentials, OR to update your account information, should be ignored. No legitimate vendor sends e-mails asking for this; they will simply ask you upon logging in to update or verify your information if that’s necessary.

The Typo E-mail. Another big warning sign is typos. E-mails coming from overseas (which is where most of these attacks come from) are written by people who do not speak or write English well. Therefore, if there are obvious typos or grammar mistakes, delete it.

The Zip File, PDF Or Invoice Attachment. Unless you specifically KNOW the sender of an e-mail, never, ever open an attachment. That includes PDFs, zip files, music and video files and anything referencing an unpaid invoice or accounting file (many hackers use this to get people in accounting departments to open e-mails). Of course, ANY file can carry a virus, so better to delete it than be sorry.

The good news is that there are many steps a small business owner like yourself can take to secure your business’s IT. Some of the most effective ways to combat security breaches are simple tasks that you can perform without having to hire a security expert.

Keep the following in mind:

  • Keep Link Clicking to a Minimum: Clicking on links that appear in random emails just isn’t safe. Hyperlinks are commonly used to lead unsuspecting employees to phishing and malware websites. Be sure to only click links when they’re from a confirmed, expected source, and when they aren’t part of a sales pitch, or an attempt to get information from you.
  • Manage A Safe Sender’s List: No matter how new, or costly, or flashy your current spam filter is, it won’t keep unwanted spam out of your inbox forever. Whenever you see that a spammer’s email has made it past your filter, take a moment to block it so that it won’t happen again.
  • Do Not Open Unsolicited Email Attachments: This is a crucial email security practice. Suspicious email attachments from unknown or untrustworthy senders are the most common source of malware, ransomware, and other digital threats. Even if it’s from a friend or colleague, consider the message they send along with it; is it worded properly? Does it sound like it’s from them? It’s always a smart move to call the sender or speak in person if possible to confirm that they sent the email. Otherwise, simply delete it until you can be sure of its authenticity.
  • Diligently Scan for Viruses and Malware: Another way to double check a suspicious email is to run a malware and virus scan on it. Even though you may have to do so more often than is convenient, it’s always better to be safe than sorry.

To learn more about email fraud, and how to identify an incoming scam, download our Email Scam Cheat Sheet. It can help keep your business safe.

 

The Cisco Vulnerability Requires Multiple Patches

Virtual private networks are vulnerable to an exploit that was recently brought to light. Cisco has announced that this exploit undermines its ASA, or Adaptive Security Appliance, tool. If this issue isn’t patched immediately, you could find your organization vulnerable to remote code execution.

This VPN bug can leverage the ASA operating system to enable hackers to breach Cisco security devices. According to Cisco, this Secure Sockets Layer (SSL) VPN flaw can “allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” This means that an attacker could hypothetically gain complete access to a system and control it – a prospect that any business should recognize as a threat, especially where their physical security is concerned. In fact, this vulnerability has been ranked as a 10 out of 10 on the Common Vulnerability Scoring System, making it one of the top vulnerabilities ranked.

Granted, this vulnerability only goes into effect if WebVPN has been enabled, but that doesn’t mean that you can overlook this threat. ZDNet provides the following list of affected devices:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD).

When it was first discovered, this bug had yet to be used “in the wild,” but Cisco was aware of some attempts to change that. This exploit targeted a bug from seven years ago, with a proof of concept demonstrating the use of the exploit – or at least trying to. The proof of concept only resulted in a system crash, but that doesn’t change the fact that this vulnerability can be exploited in other ways, too.

Unfortunately, this vulnerability has now been observed in use, and worse, Cisco’s first attempt to patch it did not cover every case. As it turned out, there were more attack vectors and features that had not yet been identified, and so were not addressed by the patch.

However, Cisco has now released an updated patch, which you need to implement as soon as possible. Otherwise, you are opening up your business security to greater risk. It is always a better practice to attend to known vulnerabilities post haste, as the longer your business is vulnerable, the more likely it is that someone will take advantage of that.
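To decide which appliances to patch first, you can check exported running configurations for the WebVPN condition described above. This is an added example, not Cisco's or Net Activity's tooling, and the hostnames and configuration excerpts are constructed. Because the first patch missed other attack vectors and features, a device that does not appear in the result still needs the updated patch.

```python
import re

def webvpn_interfaces(running_config):
    """Return interfaces named by `enable <interface>` in the global webvpn stanza."""
    enabled, in_webvpn = [], False
    for line in running_config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # blank line or "!" separator
        if not line[0].isspace():         # an unindented command opens a new stanza
            in_webvpn = line.strip() == "webvpn"
            continue
        m = re.match(r"\s+enable\s+(\S+)", line)
        if in_webvpn and m:
            enabled.append(m.group(1))
    return enabled

def patch_first(inventory):
    """Map hostname -> WebVPN interfaces for devices meeting the article's condition."""
    hits = {}
    for host, config in inventory.items():
        interfaces = webvpn_interfaces(config)
        if interfaces:
            hits[host] = interfaces
    return hits

# Constructed configuration excerpts; hostnames and interface names are made up.
INVENTORY = {
    "edge-fw-1": "hostname edge-fw-1\n!\nwebvpn\n enable outside\n anyconnect enable\n!\n",
    # webvpn stanza present but never enabled on an interface
    "lab-fw-2": "hostname lab-fw-2\n!\nwebvpn\n anyconnect-essentials\n!\n",
    # "webvpn" nested under a group-policy is a sub-mode, not the global stanza
    "branch-fw-3": "group-policy Staff attributes\n webvpn\n"
                   "  anyconnect keep-installer installed\n!\n",
}

if __name__ == "__main__":
    print(patch_first(INVENTORY))
```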

Furthermore, it is also crucial that you stay cognizant of any and all vulnerabilities that are present in your mission-critical software and hardware solutions. This bug is not an isolated case. Others like it have been found before, and more will certainly pop up in the future. Hackers and cybercriminals are constantly working to overcome the security features that software developers implement. It is your responsibility to ensure that you protect your business by implementing security patches and updates promptly.

The technicians at Net Activity are here to assist you with that. We can help you ensure that your patches and updates are up-to-date, often handling it all remotely without the time needed for an on-site visit. For more information, give us a call at 216-503-5150.

 

 

Special Year End Pricing !!

Microsoft Teams Rooms Systems For Small/Medium Meeting Room