More and more businesses are switching to the Cloud to store their data and rightly so. The Cloud offers numerous benefits over the traditional, physical on site server. For example,
Anytime, anywhere access to your data: Information in the Cloud can be accessed from anywhere using an internet connection, unlike in the case of traditional servers, where you need a physical connection to the servers
Significant cost savings: You cut hardware costs, because the Cloud follows a ‘pay-as-you-use’ approach to data storage
SaaS compatibility and support: The Cloud allows the use of Software-as-a-Service since the software can be hosted in the Cloud
Scalability: The Cloud lets you scale up and down as your business needs change
24/7 monitoring, support, and greater access reliability: When your data is in the Cloud, the Cloud service provider is responsible for keeping it safe and ensuring it is securely accessible at all times. They monitor the Cloud’s performance and in the event of any performance issues, they provide immediate tech support to resolve the problem
Your big Cloud move: What to consider
If you are considering moving to the Cloud, you will find it helpful to sign-up with an MSP who is well-versed with the Cloud. They can advise you on the benefits and risks of the Cloud and also offer the Cloud solution that’s right for you. In any case, before you migrate to the Cloud, make sure you are dealing with a reputed Cloud service provider who has strong data security measures in place. You can even explicitly ask them what security mechanisms they have invested in to manage data access and security.
Yes, moving to the Cloud has it benefits, but it also has its challenges including security risks. Learn more in our next blog, “Is the Cloud really risk-free?”
Cyber-attackers have a range of motives and methods to steal information and are continuously finding ways to disrupt businesses and clear bank accounts. With technology becoming increasingly prevalent in our day-to-day lives, cyber risks are increasing as well.
Data poisoning attacks, a lesser-known type of cyber attack, can cause great damage to an organization that often goes undetected for a long time. Some cases can cause even more damage than common threats such as viruses and ransomware. In a cyber poisoning attack, incorrect data quietly slithers into your system and changes its overall functioning, which can lead to a data breach and loss of user trust.
What are Cyber Poison Attacks?
Cyber poison attacks alter the area where the computer system makes smart decisions. The attacker creates a loophole in the core data rule and trains the system to adhere to that rule so it can be exploited. As a result, the system’s data model is skewed and the output is no longer as originally intended.
For example, the access control for a particular file is only accessible to those in an organization above the VP level. An attacker might change the main parameter to include the manager level. In this case, the core data set is violated and the system will not detect an intrusion by someone at the manager level, even if they log in with their credentials.
Types of Poison Attacks
There are 4 main categories of poison attack methodologies:
Logic corruption – The attacker changes the basic logic used to make the system arrive at the output. It essentially changes the way the system learns, applies new rules, and corrupts the system to do whatever the attacker wants.
Data manipulation – The attacker manipulates the data to extend data boundaries that result in backdoor entries that can be exploited later.
Data injection – The attacker inserts fake data into the actual data set to skew the data model and ultimately weaken the outcome. The weakened outcome then serves as an easy entryway for the attacker into the victim’s system.
DNS Cache Poisoning – The attacker corrupts the DNS data and causes the name server to return an incorrect result.
The Most Common Poisoning Attack: DNS Cache Poisoning
Domain Name System (DNS) is the “backbone” of the internet that associates a unique IP address with each domain name. A DNS cache poisoning, also called a DNS spoofing attack, can take traffic away from a legitimate server and send it over to a fake one.
The fake website that users are redirected to could be a phishing site where the attacker attempts to capture the unsuspecting victim’s personal data or secure information. The visitor might think they’re logging into their bank’s website online, but are actually on the attacker’s phishing site and exposing their personal login credentials.
How To Protect Your Organization Against DNS Cache Poisoning
A DNS poison attack is particularly dangerous because it can quickly spread from one DNS server to the next. Below are some ways to protect yourself and your customers from becoming victims of this type of attack.
Cybercriminals try to corrupt your DNS server using theirs. You can prevent this by bringing a trained professional onboard for your DNS server set-up. An expert will know to set up your DNS server such that it has a minimum relationship with other, external DNS servers, thus limiting your attacker’s ability to corrupt your DNS server using theirs.
As a best practice, ensure that your DNS servers only store data related to your domain and not any other information. It is harder to corrupt the system when it focuses on a single element.
Another best practice is to ensure that you are up-to-date on all DNS security mechanisms and are using the most recent version of the DNS.
Ensure your site has, an SSL certificate and make sure it is HTTPS. Using encryption, a site with HTTPS protocol allows for a more secure connection between its server and the internet and is better at keeping cybercriminals out.
Having an SSL certificate also ensures your site’s name shows up alongside the URL in the address bar. This is an easy way for visitors to identify if they are on a genuine site or not, thus helping them steer clear of phishing attacks and clone sites.
Your users expect their data to be protected when visiting your website. Without the proper security measures in place, your organization may suffer long term consequences from a data breach.
We often click links in emails, websites, and social media without a second thought. However, clicking a link can be a risk. Opening a malicious link without any network security protection can cause insurmountable damage to a business.
Network security is the practice of securing a computer network against the intrusion of unauthorized users. As attacks are continuing to target small businesses, network security protections are extremely important.
Criminals around the world keep coming up with new, sophisticated ways of stealing money and data. Their purpose is often to steal data or hold companies ransom. Businesses with inadequate IT systems are vulnerable targets.
Failure to implement proper network security measures can result in the release of sensitive customer information, such as credit cards and HIPAA protected information. This can also result in fines and legal consequences for the unsecured business.
What Does a Network Security Threat Look Like
It often starts with a dodgy link. Staff email accounts are the main entry point attackers target as they try to hack into IT systems. Without realizing it, an employee might receive a seemingly regular email. Just a simple link click on a suspicious link can let hackers into the business – it really can be as easy as that.
Other common threats include:
Design flaws in the network
Having faith in your team is not enough. Sophisticated criminals often do research to pretend to be people they’re not. They can persuade even your most tech-savvy staff to click links that can leave your whole business exposed to real danger.
Mobile phones are also in danger of being attacked, regardless of how safe their operating systems claim to be. Notably, Twitter was also recently hacked, with speculations that it was the result of hackers targeting workers who had administrative privileges.
There is good news though – you can manage the risk with the right security measures in place. Wahaya IT Consulting works with businesses to keep their technology safe. We can also help train staff on how to spot potential threats.
Facts About Data and Network Security
Data you hold about your customers and how you run your business is one of the most valuable assets your company owns. As people become aware of the value of their personal data, they expect businesses to take extra care looking after it. But what happens when data ends up in the wrong hands? Here are three scary facts about data breaches:
As a small business owner, you are particularly vulnerable to data theft as 43% of cyberattacks target small businesses. (Source: Verizon)
Data breaches exposed 4.1 billion records in the first six months of 2019. (Source: RiskBased Security)
The average time to identify a data breach last year was 206 days. (Source: IBM)
The risks for not taking good care of your data are severe. If you don’t have a team monitoring your IT security, months can go by before you even become aware of a breach.
Find the Right Network Security Soltuion
The right network security solutions will protect your customers and your data. We keep our clients safe by monitoring their data security for them. Our customized network security solutions around your specific business help to reduce the likelihood of an attack.
In the past several months, work from home (WFH) policies have become increasingly popular. The spread of COVID-19 has resulted in a temporary and sometimes permanent WFH environment for many companies throughout the country.
Working from home can be beneficial and many employers and workers are happily embracing the trend. Plus, with remote access solutions, it’s easier for businesses to safely operate from anywhere with a secure, remote connection. Here are some benefits companies see after making a WFH shift:
Improved Employee Satisfaction
Many employees appreciate the option to work from home at least part of the time. The flexibility to choose when to go into an office provides peace of mind to employees who might have to commute far in bad weather or need to deal with an unexpected illness. Most workers prefer organizations that allow a greater balance between life and work.
Increase worker productivity is a major potential benefit for a work from home policy adoption. Studies have shown that in many cases productivity improves when employees work from home.
It may seem that a house has many distractions, but the office may have more. Colleagues visiting, a loud office space, and impromptu meetings can steal away a lot of time. From home, some employees have the opportunity to focus on a task with fewer interruptions.
Less Time Spent Commuting
Anyone who sits in traffic or takes public transportation daily understands the merit of a shortened commute. It’s also greener: cutting down on daily commutes may have a net positive effect on energy savings. At the very least, employees will see a decline in transportation costs and time spent traveling to work.
Recruitment and Retention Improvements
Recruiting top employees remains a serious challenge, but limiting the candidate pool to a local area may mean a company is missing out on potential applicants. Studies by major consulting and recruitment firms are determining that the opportunity to WFH can be a key factor when applying for new jobs. Companies may also lose some of their own workers – the lack of work from home opportunities has been listed as a reason for seeking alternative employment.
Decreased Real Estate Costs
For companies and organizations who believe WFH will be their long-term model, this can mean eliminating office space, cutting considerable fixed-costs out of the bottom line equation.
There are many great benefits of working from home, however, relaxed data security and blurred office hours can become an opportunity for cyber threats. If you’re considering adopting a work from home policy, here are some factors that should be carefully considered:
Equipment and Maintenance
It should be outlined what equipment and utilities employers and employees are responsible for providing and maintaining. Will bandwidth be a reimbursable expense? Will laptops, phones, etc. be provided by the business or will this be a BYOD project?
If technology is provided by the employer, determine the employee’s responsibility to keep it maintained and install upgrades. If you have a BYOD policy, decide if employees required to bring their devices in for upgrades and security checks. Click here to learn more about adopting a BYOD policy.
Fair Labor Standards Act
When employees work from home, overtime laws are still applicable. The Fair Labor Standards Act (FLSA) created a framework for paying wages above the law’s definition of a 40-hour workweek that includes overtime pay for work performed beyond that threshold. Under FLSA, two basic classes of workers are defined: those employees who must be paid overtime when working in excess of forty hours (non-exempt employees), and those who are not required to be compensated for work done beyond the 40-hour limit (exempt employees).
The problem FLSA presents is that non-exempt employees must be paid for all work, including any work activity outside regular working hours. An example of the liability that is created for an employer are employees who respond to texts and emails from home outside “office hours.” This is compensable work and needs to be counted under the 40-hour threshold. Policies that protect you from any violation of FLSA should be articulated clearly in writing.
Be Aware of Organizational Silos
When developing a WFH policy, the above issue of FLSA points out that effective WFH planning and implementation requires collaboration, and not just between individual managers and employees. IT involvement may be necessary – determine who is supporting off-site technology and maintaining data security. It is a human resource issue-will performance measurements need to be tweaked? It may be a legal issue – certain types of data is governed by federal and state laws such as HIPAA and FERPA.
It is extremely important that companies take into consideration the data protection and legal implications before opting for a work from home setup. WFH policies can prove beneficial to both the employer and the employee if planned well and implemented properly.
HIPAA (Health Insurance Portability and Accountability Act) serves as a constant reminder to professionals in the healthcare field that data security is of utmost importance. Every company that works directly with protected health information (PHI), along with their business associates, is required to complete a risk assessment.
What is a Risk Assessment?
HIPAA requires covered entities, which includes health plans, healthcare providers, and healthcare clearinghouses to complete a thorough risk assessment to determine all possible vulnerabilities in terms of data security.
A HIPAA risk assessment should determine that your organization is in compliance with all of the privacy, security and breach notification requirements of HIPAA. It is required of both covered entities and business associates. This can be achieved via the risk assessment process, the goal of which is to identify all of the potential areas of vulnerability.
Why is a HIPPA Risk Assessment Mandatory?
HIPPA regulations exist to cover data security. Covered entities are responsible for assessing, identifying, documenting vulnerabilities and taking precautions to eliminate or mitigate the risk of a breach.
An organization can be fined for the failure of due diligence to recognize areas where a data breach could occur. For example, the Centers for Medicare and Medicaid Services reported a wireless health service provider violated HIPPA Privacy and Security rules when a laptop with PHI was stolen from an employee’s vehicle. The investigation revealed insufficient risk analysis and the company agreed to pay $2.5 million and implement a corrective action plan.
Companies are also subject to a fine fined even if no data has been breached, but they allowed a situation to develop which creates vulnerability.
What Does a HIPPA Risk Assessment Entail?
Due to the unique vulnerabilities of electronically stored and transmitted data, a professional in cybersecurity, data protection, and data backups should handle your risk assessment. Wahaya’s cybersecurity and compliance services can assist your organization with internal compliance and the specific requirements to protect you from legal regulations regarding PHI and HIPAA.
Here is a quick summary of what a risk assessment entails:
A risk assessment should first determine (a) where PHI resides, moves, or is transmitted, and all of the access points. For example, the individuals in an office that have access to patient data and via what media. Interestingly, the rise of mobile devices has created a new area of concern for data security because medical professionals can access data on their phones and tablets.
Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
Unintentional errors and omissions
IT disruptions due to natural or man-made disasters
Failure to exercise due care and diligence in the implementation and operation of the IT system.”
Next, a risk assessment will need to identify and evaluate all of the existing security protocols to protect PHI.
The following step is to determine if these tools are sufficient for data protection and whether the protocols and safeguards are being observed.
After that, identify the likelihood of a threat. In other words, not all risks are of equal likelihood. As there are limits to an organization’s capacity to eliminate risk, the focus should be on the ones which have a higher probability of occurrence.
Finally, calculate the likely consequences of a breach of PHI. If a breach occurs along any particular touchpoint, how severe would it be? Would it be the release of a single piece of PHI, or one affecting thousands?
Given that so much data is now stored electronically, the risk of a data breach is considerably higher and security is far more complex. It needs to be noted that ignorance of any part HIPAA Guidelines is not an excuse for non-compliance. Failure to do a risk assessment, or to have conducted an adequate risk assessment that failed to identify specific vulnerabilities is, in and of itself, a fineable offense.
Given how quickly the digital landscape changes, it is important to consult an expert with experience in HIPAA related digital security. Wahaya IT Consulting can help protect your business and your patients’ PHI from HIPAA violations with a thorough risk analysis, adding data security measures, and following all security and compliance regulations. Click here to contact our team of IT Professionals!
Employees are often the target of cyberattacks that can compromise private company data. New employees in particular can be the most susceptible to common attacks such as social engineering and phishing. To stay ahead of cybercriminals, organizations should educate and train all employees through a top-down IT security approach.
A top-down IT security approach begins with the IT department and management communicating the importance of cybersecurity and creating guidelines for reporting suspicious activity. IT Departments are not the only ones targeted by cybercrimes, leaving the potential for any employee to become a security liability. A top-down approach shifts the sole responsibility away from a single department.
Focus on the first steps you need to take as an organization to better prepare your employees to identify and mitigate cyber threats. For example, employee training is just one part of Wahaya’s layered approach to IT security. Minimizing the of a cyberattack can help to avoid the following repercussions:
Negative affect on brand image: Business disruption due to downtime or having your business data (including customer and vendor details) stolen reflects poorly on your brand.
Loss of customers: Customers may take their business elsewhere if they don’t feel safe sharing their information with you.
Financial loss: Data breaches make you liable to follow certain disclosure requirements mandated by the law. These may require you to make announcements to the media, which can become expensive. You may also have to hire a PR team to address communications during this time.
Potential of lawsuits: A company could be sued by customers whose Personally Identifiable Information (PII) has been compromised or stolen. Depending on the industry, there may also be steep fines for noncompliance.
Your company’s organizational structure should acknowledge the fact that IT security is not only your IT department, CTO, or Managed Service Provider’s (MSP) responsibility. IT Security is dependent on every part of the business. Starting from the top and encompassing every employee within the organization approach will lead to success in keeping customer and business information safe and secure.
You may not think too much about serious disasters. Most of us focus on the day-to-day chores of running our businesses and keeping revenues up. However, there are long term planning concerns that many firms just avoid. Those concerns are managing the risk to your business if something very bad happens. This long-term planning is called risk management and it is the dullest topic ever—until something bad happens.
Business school academics have varying definitions of risk and risk management, but for our purposes the concepts are fairly simple. Risk is the negative uncertainty that comes from any potential loss. Risk management is the collection of activities a business undertakes to mitigate, avoid, and transfer the losses that might damage the business due to some negative event.Risk management, now frequently referred to as Enterprise Risk Management, has been an area of business focus for decades. Businesses have long recognised that they need to look at the financial risks they might face if something happened to their physical assets or were confronted with major litigation. However, in the past few decades, there has been a stronger and broader focus on the entire spectrum of risks that confront a business which has begun to push the issue to the C-suite level. Unfortunately, while large businesses devote serious resources at the the highest level to managing risk to protect their organization, smaller firms often spend little or no time considering risk as an important business issue. Even smaller firms who do take the time to think about protecting against operational threats may be unlikely to consider threats that are a degree or two of separation away from their core business. That means that technology infrastructure may be ignored if, and when, business continuity and disaster recovery plans are being considered.
Background: Why is risk management gaining greater visibility? As noted, risk management isn’t new. However, the last few decades have seen the United States face two major catastrophic events: Hurricane Katrina in 2006 and the terror attacks in 2001. Both brought to the fore the consequences to businesses who are unprepared, as well as the reality that very bad things can happen.
Globalization has also shown that distance does not shield us from the consequences of far away events. The earthquake and subsequent tsunami that hit Japan in 2011 reminded manufacturers and businesses in the United States about the consequences of their reliance on long supply chains and just-in-time inventory.
Another new threat that has alerted even the smallest firms to their vulnerability is technological. For a small firm, a major man-made or natural disaster may seem too distant to distract management from day-to-day operations, but the emergence of cyber threats, ransomware, hacking and data theft has really hit home for every organization out there. Even smaller firms totally focussed on making it day-to-day are taking notice of this threat. Have you really given thought to how you would handle a disaster?
In our recent blog, we talked about the data security concerns that BYOD can bring to your workplace. There is another factor that needs to be considered before adopting BYOD. How much Bring Your Own can your IT department support? Supporting too many different operating systems, hardware models and software versions can be a real drain on the resources of your IT staff. Supporting BYOD can become very expensive.
You will need to consider placing limits on the BYO part of the issue. There are a wide array of possible devices out there. Supporting all of them would be overwhelming. Users don’t just BYOD, they bring their own Operating System and their own software applications and all of those applications’ multiple versions. Trying to support and control an almost limitless list of entry points into your data is both unwise and impossible. IT will need to place limits on which devices and operating systems it will support.
Another point to consider is how much the company will rely on the individual user to install and upgrade company-required applications? Will IT be responsible for those duties? By placing the burden on IT, you ensure all the proper versions are being used, but you increase the labor requirement, which may become impractical.
In summary, there are a lot of issues regarding BYOD that create concerns. BYOD policies have a lot of moving parts which makes supporting them a difficult task. Make sure you are recognizing all the areas that will require IT support.
Employers know that employees prefer BYOD policies and that they can increase productivity. However, BYOD can have some downsides. Probably the most prominent concern among those who have to address the BYOD issue is the increased risk to data security. Obviously, the more devices you have with the ability to connect to your data, the more opportunities you create for a breach. Simply put, a house with 20 doors and 50 windows with multiple lock styles is a bit more vulnerable than a house with one door and one window.
BYOD increases risk to the organization. Data breaches bring a few layers of concern. First, the loss of proprietary data can affect your competitive status in the market. However, the real high-visibility concern is the theft of your customer’s personal data. Theft of personal data brings three serious consequences.
First, data breach laws require informing all victims of the data breach and in some cases, the media must also be informed. This public visibility can have long-lasting implications for brand value.
Second, you face a short- and long-term revenue hit. Customers angry and frustrated, as well as others who learn about the breach through social media, word-of-mouth, and traditional media sources, may move their business to the competition.
Third, data breaches can bring civil penalties. In the case of the General Data Protection Regulation (GDPR) in the European Union, these penalties can be extremely severe. ( And keep in mind, the GDPR doesn’t just apply to entities physical operating within the EU. It applies to the data of any user who is a citizen of the EU.)
In summary, given the severity of the consequences and the increased vulnerability created by BYOD, it is important to create a BYOD policy with strict parameters. It cannot be a “wild west” of anything goes.
Have you come across the term, dark web, recently? As a business, you might have heard that you need to keep your data safe from the dark web. So, what is the dark web anyway? Read on to find out…
What is the dark web?
The cybercrime landscape is evolving fast. The “Nigerian” email scams are now old. Cybercriminals are smarter and more organized now–almost functioning like professionals. In fact, there’s a sort of a parallel universe where they all operate in a very corporate-like manner. And that parallel universe is called the Dark Web.
The surface web, the deep web and the dark web
Essentially, the internet can be categorized into 3 parts.
The surface web, which includes your ‘regular’ websites–the kinds that just show up on web searches. For example, you type, Dog Videos and links to a bunch of dog videos on YouTube shows up. YouTube, in this case, is an example of the surface web.
The deep web, which shows up in web searches, but requires you to log in to view specific content. For example, your internet banking page or your netflix subscription.
Then comes the dark web.
The dark web is part of the internet that isn’t visible to search engines and requires the use of an anonymizing browser called Tor to be accessed. The dark web offers anonymity and hence is the hub for all sorts of illicit activities in today’s internet age. Strictly speaking, the dark web typically hosts illicit content. The kind of content that you find in the dark web include
Credit card details, stolen login credentials for something as serious as internet banking accounts to something as trivial as Uber or Netflix,
Contact details/communication platform for striking deals with hitmen, drug dealers, weapon dealers, hackers, etc.,
Marketplace to buy malicious codes to help corrupt or jam IT systems and even RaaS (Ransomeware as a service!)
All of the above and more, for a fee of course. In short, the dark web is like the underworld of the internet.