Category: Compliance

Work From Home Policy Benefits and Considerations

In the past several months, work from home (WFH) policies have become increasingly popular. The spread of COVID-19 has resulted in a temporary and sometimes permanent WFH environment for many companies throughout the country. 

Working from home can be beneficial and many employers and workers are happily embracing the trend. Plus, with remote access solutions, it’s easier for businesses to safely operate from anywhere with a secure, remote connection. Here are some benefits companies see after making a WFH shift:

Improved Employee Satisfaction

Many employees appreciate the option to work from home at least part of the time. The flexibility to choose when to go into an office provides peace of mind to employees who might have to commute far in bad weather or need to deal with an unexpected illness. Most workers prefer organizations that allow a greater balance between life and work.

Increased Productivity

Increased worker productivity is a major potential benefit of adopting a work from home policy. Studies have shown that in many cases productivity improves when employees work from home.

It may seem that a house has many distractions, but the office may have more. Colleagues visiting, a loud office space, and impromptu meetings can steal away a lot of time. From home, some employees have the opportunity to focus on a task with fewer interruptions.

Less Time Spent Commuting

Anyone who sits in traffic or takes public transportation daily understands the merit of a shortened commute. It’s also greener: cutting down on daily commutes may have a net positive effect on energy savings. At the very least, employees will see a decline in transportation costs and time spent traveling to work.

Recruitment and Retention Improvements

Recruiting top employees remains a serious challenge, and limiting the candidate pool to a local area may mean a company is missing out on potential applicants. Studies by major consulting and recruitment firms have found that the opportunity to WFH can be a key factor when applying for new jobs. Companies may also lose some of their own workers: the lack of work from home opportunities has been listed as a reason for seeking alternative employment.

Decreased Real Estate Costs

For companies and organizations that believe WFH will be their long-term model, this can mean eliminating office space and cutting considerable fixed costs out of the bottom line.

There are many great benefits of working from home; however, relaxed data security and blurred office hours can become an opportunity for cyber threats. If you’re considering adopting a work from home policy, here are some factors that should be carefully considered:

Equipment and Maintenance 

The policy should outline what equipment and utilities employers and employees are responsible for providing and maintaining. Will bandwidth be a reimbursable expense? Will laptops, phones, etc. be provided by the business, or will this be a BYOD arrangement?

If technology is provided by the employer, determine the employee’s responsibility to keep it maintained and install upgrades. If you have a BYOD policy, decide whether employees are required to bring their devices in for upgrades and security checks. Click here to learn more about adopting a BYOD policy.

Fair Labor Standards Act 

When employees work from home, overtime laws still apply. The Fair Labor Standards Act (FLSA) defines a 40-hour workweek and requires overtime pay for hours worked beyond that threshold. Under the FLSA, workers fall into two basic classes: non-exempt employees, who must be paid overtime when they work more than forty hours in a week, and exempt employees, who need not be compensated for work beyond the 40-hour limit.

The problem the FLSA presents is that non-exempt employees must be paid for all work, including any work activity outside regular working hours. One example of the liability this creates for an employer is employees who respond to texts and emails from home outside “office hours.” That is compensable work and counts toward the 40-hour threshold. Policies that protect you from FLSA violations should be articulated clearly in writing.

Be Aware of Organizational Silos

When developing a WFH policy, the FLSA issue above shows that effective WFH planning and implementation requires collaboration, and not just between individual managers and employees. IT involvement may be necessary: determine who is supporting off-site technology and maintaining data security. It is a human resources issue: will performance measurements need to be adjusted? It may be a legal issue: certain types of data are governed by federal and state laws such as HIPAA and FERPA.

It is extremely important that companies take into consideration the data protection and legal implications before opting for a work from home setup. WFH policies can prove beneficial to both the employer and the employee if planned well and implemented properly.

No matter whether you’re in the office or at home, networks need to be secure and maintained. MSPs like Wahaya can help ease the telecommuting transition with remote access solutions and business data continuity plans. Contact us to start setting up your business to operate anytime, anywhere!

Staying Compliant in Healthcare: Conducting a HIPAA Risk Assessment

HIPAA (Health Insurance Portability and Accountability Act) serves as a constant reminder to professionals in the healthcare field that data security is of utmost importance. Every company that works directly with protected health information (PHI), along with their business associates, is required to complete a risk assessment.

What is a Risk Assessment?

HIPAA requires covered entities, which include health plans, healthcare providers, and healthcare clearinghouses, to complete a thorough risk assessment that identifies the vulnerabilities in how they handle PHI. The Security Rule makes this risk analysis a required implementation specification (45 CFR 164.308(a)(1)(ii)(A)).

A HIPAA risk assessment should confirm that your organization complies with all of the privacy, security and breach notification requirements of HIPAA, and it is required of both covered entities and business associates. The goal of the process is to identify every area where PHI could be exposed.

Why is a HIPAA Risk Assessment Mandatory?

HIPAA regulations exist to protect the privacy and security of PHI. Covered entities are responsible for assessing, identifying and documenting vulnerabilities, and for taking precautions to eliminate or mitigate the risk of a breach.

An organization can be fined for failing to exercise due diligence in recognizing where a data breach could occur. For example, the HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, found that a wireless health service provider violated those rules when a laptop with PHI was stolen from an employee’s vehicle. The investigation revealed an insufficient risk analysis, and the company agreed to pay $2.5 million and implement a corrective action plan.

Companies can also be fined even when no data has been breached, if they allowed a situation to develop that creates a vulnerability.

What Does a HIPAA Risk Assessment Entail?

Because electronically stored and transmitted data carries its own vulnerabilities, a professional in cybersecurity, data protection, and data backups should handle your risk assessment. Wahaya’s cybersecurity and compliance services can assist your organization with internal compliance and with the specific requirements for protecting PHI under HIPAA.

Here is a quick summary of what a risk assessment entails:

A risk assessment should first determine where PHI resides, moves, or is transmitted, and all of the access points: for example, which individuals in an office have access to patient data and through what media. The rise of mobile devices has created a new area of concern, because medical professionals can now access data on their phones and tablets.

Then, the assessment should determine the vulnerabilities along all of these touchpoints. That means identifying the threats to data security, which HHS summarizes in four categories:

  1. “Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
  2. Unintentional errors and omissions
  3. IT disruptions due to natural or man-made disasters
  4. Failure to exercise due care and diligence in the implementation and operation of the IT system.”

Next, a risk assessment will need to identify and evaluate all of the existing security protocols to protect PHI.

The following step is to determine if these tools are sufficient for data protection and whether the protocols and safeguards are being observed. 

After that, estimate the likelihood of each threat; not all risks are equally likely. Since an organization’s capacity to eliminate risk is limited, the focus should be on the threats with the highest probability of occurrence.

Finally, calculate the likely consequences of a breach of PHI. If a breach occurs along any particular touchpoint, how severe would it be? Would it be the release of a single piece of PHI, or one affecting thousands?

Given that so much data is now stored electronically, the risk of a data breach is considerably higher and security is far more complex. Note that ignorance of any part of the HIPAA rules is not an excuse for non-compliance. Failing to do a risk assessment, or conducting one that was inadequate and failed to identify specific vulnerabilities, is in and of itself a fineable offense.

Given how quickly the digital landscape changes, it is important to consult an expert with experience in HIPAA related digital security. Wahaya IT Consulting can help protect your business and your patients’ PHI from HIPAA violations with a thorough risk analysis, adding data security measures, and following all security and compliance regulations. Click here to contact our team of IT Professionals!

Managing Cybersecurity with a Top-Down Approach

Employees are often the target of cyberattacks that can compromise private company data. New employees in particular can be the most susceptible to common attacks such as social engineering and phishing. To stay ahead of cybercriminals, organizations should educate and train all employees through a top-down IT security approach.

A top-down IT security approach begins with the IT department and management communicating the importance of cybersecurity and creating guidelines for reporting suspicious activity. IT Departments are not the only ones targeted by cybercrimes, leaving the potential for any employee to become a security liability. A top-down approach shifts the sole responsibility away from a single department.

A combination of general security training and instructions on recognizing and reporting breaches is essential for keeping company data safe. Wahaya IT Consulting works with organizations to create a custom IT Policy handbook to distribute to every employee. Click here to see more of our recommended cybersecurity training best practices.

Focus on the first steps your organization needs to take to better prepare employees to identify and mitigate cyber threats. Employee training is just one part of Wahaya’s layered approach to IT security. Minimizing the risk of a cyberattack helps avoid the following repercussions:

  • Negative effect on brand image: Business disruption due to downtime or having your business data (including customer and vendor details) stolen reflects poorly on your brand.
  • Loss of customers: Customers may take their business elsewhere if they don’t feel safe sharing their information with you.
  • Financial loss: Data breaches make you liable to follow certain disclosure requirements mandated by the law. These may require you to make announcements to the media, which can become expensive. You may also have to hire a PR team to address communications during this time. 
  • Potential of lawsuits: A company could be sued by customers whose Personally Identifiable Information (PII) has been compromised or stolen. Depending on the industry, there may also be steep fines for noncompliance. 

Your company’s organizational structure should acknowledge that IT security is not only the responsibility of your IT department, CTO, or Managed Service Provider (MSP). IT security depends on every part of the business. An approach that starts at the top and encompasses every employee in the organization will succeed in keeping customer and business information safe and secure.

Cover your vulnerabilities with a cybersecurity prevention plan. Contact us to learn more about our cybersecurity solutions.

Adopting a BYOD policy

Employee convenience is touted as one of the primary drivers for adopting a BYOD policy. However, just because it can make life easier doesn’t mean employees don’t have serious concerns about the implementation of BYOD in the workplace. From the employee perspective, there are downsides.

One particular issue that arises with BYOD is employees’ concern about the privacy of their personal data and applications. Because these are their own devices, they hold an enormous amount of personal data, including health information, photos, texts, emails and other information. Apps they have installed could also reveal their religion, politics, sexual orientation or other characteristics they consider private and off-limits. Concern that their employer could see this personal data is a legitimate worry, and there are Human Resources implications: an employer’s knowledge of certain facts about an employee could expose it to discrimination claims.

What about GPS tracking? Can the employer track an employee’s whereabouts? The employer has a compelling interest in tracking the device in case it is lost or stolen, but the employee has equally compelling concerns about privacy.

There are no absolutely correct answers here, but a perception of overstepped boundaries could lead to an atmosphere of distrust that can be counter-productive. It is also important that these decisions be made with knowledge of all applicable local, state and federal regulations. In short, just be aware BYOD is a complex matter that can’t be handled within the silo of IT.

Click here to learn more about our cybersecurity and compliance solutions.

Website cloning: Don’t fall for that trap!

Have you watched one of those horror movies where something impersonates the protagonist only to wreak havoc later? Website cloning does the same thing to your business, in real life. It is one of the most popular methods scammers use to fleece you of your money.

As the name suggests, the cybercriminal first creates a ‘clone’ of the original site. Any website can be cloned, though retail shopping sites, travel booking sites and banks are the favorites of cybercriminals. The clone looks exactly like the original, barring a very minuscule change in the URL.

Next, they create a trap intended to get unsuspecting victims to visit the clone site. This is usually done via links shared through emails, SMS messages or social media posts asking them to click through to the clone site. The message urges the recipient to take an action: for example, a message that presents itself as though it is from the IRS, asking the recipient to pay pending taxes by clicking a specific link to avoid a fine or business shutdown, or an SMS about a time-bound discount on iPads. Sometimes they go straight for the target and masquerade as a message from your bank asking you to authenticate your credentials by logging into your banking portal; the only catch is that the banking portal is a clone.

Staying safe

So, how do you identify a clone website and a dubious message?

  • Does the email sound too good to be true? Well, then it probably is. Nike giving away free shoes? Emirates Airlines giving you free tickets to Europe? Apple iPhone X for just $20? All of these scream SCAM!
  • Even if the message sounds genuine, such as an email from your bank asking you to authenticate your login credentials, check the email header to see whether the sender’s domain matches your bank’s. For example, if your bank is Bank of America, the sender’s address should have that in the domain: customercare@bankofamerica.com could be genuine, whereas customercare@bankofamerica.net is suspicious. Keep in mind that the From address itself can be forged, so a matching domain is a necessary check, not a sufficient one.
  • Check the final URL before you enter any information to make sure it is the real one. Most shopping and banking websites where payments are made and personal details are shared use HTTPS and show a lock symbol at the beginning of the URL, but the lock only means the connection is encrypted; a cloned site can have one too, so the domain is the decisive check. For example, something like www.customerauthentication.com/bankofamerica is not
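
The domain checks in the list above, carried out in code. This is an added example, not code from the original post: the expected domain, the sample links and the sender addresses are constructed for illustration, and the function names check_url and check_sender are my own. It goes slightly beyond the cases the post lists, covering the brand name in the path, a swapped TLD, the brand as a subdomain of somebody else’s domain, and the brand hidden in the userinfo part of a URL.

```python
"""Check a link or a sender address against the domain you actually trust.

Added example; the expected domain and every sample below are constructed
(hypothetical) inputs, not taken from any real message.
"""
from __future__ import annotations

from urllib.parse import urlparse


def _host_belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host IS expected_domain or a subdomain of it.

    Matching on the trailing ".expected_domain" is what separates
    login.bankofamerica.com (genuine) from bankofamerica.com.evil.example
    (attacker-owned domain with the brand stuck in front).
    """
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def check_url(url: str, expected_domain: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only for an HTTPS link whose host is
    the expected domain or one of its subdomains."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "https":
        return False, f"not https (scheme={parsed.scheme or 'none'})"
    # .hostname strips userinfo and port, so https://bankofamerica.com@evil.example
    # yields "evil.example", which is where the browser would really go.
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if not _host_belongs_to(host, expected_domain):
        return False, f"host {host!r} is not under {expected_domain!r}"
    return True, f"host {host!r} is under {expected_domain!r}"


def check_sender(address: str, expected_domain: str) -> tuple[bool, str]:
    """Return (ok, reason) for an address like customercare@bankofamerica.com.
    Accepts the 'Display Name <user@domain>' form seen in From: headers."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]  # keep only the address part
    if addr.count("@") != 1:
        return False, "malformed address"
    domain = addr.rsplit("@", 1)[1]
    if not _host_belongs_to(domain, expected_domain):
        return False, f"sender domain {domain!r} is not under {expected_domain!r}"
    return True, f"sender domain {domain!r} is under {expected_domain!r}"


# Constructed samples: the domain the reader trusts, then links and senders
# as they might appear in a hypothetical phishing message.
EXPECTED = "bankofamerica.com"
SAMPLE_URLS = [
    "https://www.bankofamerica.com/login",                   # genuine form
    "http://www.bankofamerica.com/login",                    # right domain, no TLS
    "https://www.bankofamerica.net/login",                   # swapped TLD
    "https://www.customerauthentication.com/bankofamerica",  # brand in the path
    "https://bankofamerica.com.login-verify.example/",       # brand as a subdomain of another domain
    "https://bankofamerica.com@login-verify.example/",       # brand in the userinfo part
]
SAMPLE_SENDERS = [
    "customercare@bankofamerica.com",                          # genuine form
    "customercare@bankofamerica.net",                          # swapped TLD
    "Bank of America <alerts@bankofamerica.com.example>",      # brand as a subdomain of another domain
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, why = check_url(u, EXPECTED)
        print(f"{'OK  ' if ok else 'WARN'} {u}: {why}")
    for s in SAMPLE_SENDERS:
        ok, why = check_sender(s, EXPECTED)
        print(f"{'OK  ' if ok else 'WARN'} {s}: {why}")
```

Run it directly to see a verdict for each sample. The design point is that only the host matters: the path, query string and userinfo are all attacker-controlled, which is why `urlparse().hostname` is used rather than a substring search for the brand name. The check does not catch look-alike domains built from typos or homoglyphs (a lowercase l in place of an i, for instance); the string alone cannot tell you that, and that is exactly the case where the "too good to be true" test above still has to do the work.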

Identifying a cloned website is tricky, but it is not something you can afford to ignore. Giving away your personal and financial information to a fraudster can cause a lot of harm to you and your business.

Click here to learn more about our cybersecurity and compliance solutions.

BYOD=Bring your own disaster?

Workplaces today have changed. They extend beyond working hours and beyond the cubicles. Whether you are commuting to work or even vacationing, chances are you or your employees take a break from the break to reply to those important emails that require ‘immediate action’. Plus, there may be employees who are not even on the same continent as you. What does all this mean for your business in terms of IT security? Does BYOD translate to bring your own disaster to work? This blog explores the risks of BYOD culture and offers tips on how you can avoid them.

When you adopt a BYOD culture at your business, you are opening the virtual floodgates to all kinds of malware and phishing attacks. An employee may be storing work-related data on a personal device, then click a malicious link received in personal email (or even WhatsApp on a tablet or smartphone) and put your entire network at risk. Secondly, you cannot control how your employees use their personal devices. They may connect to unauthorized networks, download unauthorized software, run outdated antivirus programs, and so on. Even something as simple and harmless-seeming as the free Wi-Fi at the mall can spell danger for your data.

What can you do?

First of all, if you have decided to adopt the BYOD culture in your organization, ensure you have a strong BYOD policy in place. It should cover the dos and don’ts and define boundaries and responsibilities related to the BYOD environment.

It also makes sense to invest in strong antivirus software and require employees on the BYOD model to install it. You can also conduct device audits to ensure your employees’ personal devices are up to date in terms of software, security and firewall requirements, to the extent that they are safe to use for work purposes.

And one of the most important aspects: train your employees on best practices for basic data security, access and BYOD environments. This will ensure they don’t make mistakes that prove costly to you. You can conduct mock drills, tests and certifications and grant the BYOD privilege only to those who pass. You could also use positive and negative reinforcement to ensure everyone takes it seriously.

BYOD is great in terms of the flexibility it lends to both the employer and the employee, and the trend is here to stay. It is up to businesses to ensure it helps more than it hurts.

Click here to learn more about our cybersecurity solutions.

3 things your Managed Services Provider (MSP) wants you to know

Are you considering bringing an MSP on board? Or perhaps you already have one. Either way, to truly benefit from your relationship with an MSP, you need to build a solid bond with them. As an MSP who has been in this business for a long time, I can tell you the 3 important steps that will help you get there.

Share, share, share

Your MSP is your IT doctor. Just as you would share everything about your health with your doctor, you need to share everything about your business that impacts your IT with your MSP. Give us an overview of your business and answer questions such as:

  • What exactly do you do as a business?
  • Who are your key clients?
  • Which industry verticals do you serve?
  • What are your peak and lull seasons, if you have them?
  • What are the core regulatory codes that apply to you, based on the industries you work for?
  • What are your business expansion plans for the near future and in the long run?

Sometimes clients shy away from discussing all these things because they don’t trust the MSP enough. There is a fear that the MSP will share business plans and other confidential information with competitors. As an MSP, I can tell you that we work best with clients who trust us. When you are trusting us with the lifeblood of your business, your IT infrastructure, you should be able to trust us with your plans for your business.

Let’s talk often

While it’s great that you outsource your IT completely to us, it is still important that we meet and talk. Your business needs may change over time and we don’t want to be caught off-guard. We know you are busy, but set some time aside every month or even every quarter to catch up with us and discuss your IT challenges and needs.

Take us seriously

Your IT is our business, and we take our business very seriously. So, when we tell you something, such as–to implement strong password policies, limit data access, upgrade antivirus, etc., please take notice!

Teamwork forms the core of any successful relationship. The same holds true for your relationship with your MSP. Trust us, pay attention to us and hear us out. We’d love that…and we’d love to work with you!

Don’t make these IT mistakes as you grow!

During the course of IT consultancy, we come across a lot of clients who are not happy with the way their IT shaped up over the years. They feel their IT investments never really yielded the kind of returns they expected and come to us looking to change the trend. When analyzing the reasons for the failure of their IT investment, here’s what we come across most often.

Not prioritizing IT

This is the #1 mistake SMBs make. When focusing on growing their business, most SMBs think marketing, sales and inventory, but very few consider allocating resources, monetary or otherwise, toward IT. IT is seen as a cost center, rarely prioritized, and any investment in IT is made begrudgingly.

Going for the fastest, latest or even the ‘best’ technology–which may not be the best for you

This is in contrast to the issue discussed above. Many SMBs realize the key role that IT plays in their business success. But they tend to get carried away and invest in the latest IT trends without considering whether it fits their business needs well, or if they really need it. Sometimes it is just a case of keeping up with the Joneses. But, why spend on the fastest computers or largest hard drives when you get only incremental productivity benefits?

Your team is not with you

When you bring in new technology or even new IT policies, it is your team that needs to work with it on a daily basis. If your staff is not on the same page with you, your IT investment is unlikely to succeed. So, before you make that transition from local desktops to the cloud, or from Windows to iOS, or roll out that new BYOD policy, make sure you have your staff on your side.

You are not sure how to put it to good use

The lure of new technology is like a shiny, new toy. Investing in something popular and then not using it to its maximum is commonplace. Make sure you make the most of your investment in IT by providing your staff with adequate training on how to use it.

IT can seem challenging to navigate on your own, and it entails steep costs when handled entirely in-house. Add to that the complex task of deciding which IT investment will benefit you the most and then training your team to use it, and it all becomes pretty daunting. An MSP has the experience and expertise needed to be your trusted partner and guide through these challenges, helping you make the most of your IT investment.

Click here to learn more about our managed service provider solutions.

Assessing your MSP in the first appointment

Handing over your IT to an MSP is a major decision. Who do you choose and, more importantly, how? While there’s no rulebook that will tell you exactly how to proceed, here are a few hints that can help you decide how invested your prospective MSP is in you.

How well do they know your industry vertical

It is important that your MSP truly understands the industry-specific IT challenges you face so they can help you overcome those challenges effectively. For example, is there a commonly used software program in your industry, or any governmental or regulatory mandates you must adhere to? Is your MSP knowledgeable on that front?

How well do they know you and your values

How well does this MSP know your business in particular? Have they invested time in learning a bit about you from sources other than you, like your website, press releases, etc.? Do they understand your mission, vision and values, and are they on the same page as you on those? This is important because you and your MSP have to work as a team, and when they start to see things from your point of view, it is going to be easier for you to build a mutually trusting, lasting relationship with them.

References and testimonials

References are a great tool to assess your prospective MSPs. Ask them to provide you with as many references and testimonials as they can. It would be even better if their references and testimonials are from clients who happen to know you personally, or are in the same industry vertical as you or are well-known brands that need no introduction.

Are they talking in jargon or talking so you understand

Your MSP is an IT whiz, but most likely you are not. So, instead of throwing IT terminology (jargon) at you, they should be speaking in simple layman’s terms so that you understand and are comfortable having a conversation with them. If that doesn’t happen, they are probably not the right fit for you.

Were they on time

Did your MSP show up when they said they would? Punctuality goes a long way in business relationships and more so in this case as you want your IT person to ‘be there’ when an emergency strikes.

While there are many factors that go into making the MSP-client relationship a success, the ones discussed above can be assessed during your very first meeting. They are kind of like very basic prerequisites. Make sure these basic conditions are fulfilled before you decide on a second meeting.

Click here to learn more about our managed service provider solutions.

Hiring seasonal staff? Here are a few things to consider from the IT

In many industries, there are seasonal spikes in business around specific times. For example, CPAs/Accounting firms, though busy all year, generally see a spike in business around the time of tax planning, IRS return filing, etc., the retail industry sees a boom around the Holiday Season, and so on. During such peak times, it is common practice in the industry to employ part-time staff to meet the immediate resource needs. While this works well in terms of costs and for handling additional work/client inflow, this poses a few challenges from the IT perspective. In this blog, we explore those challenges so you know what to watch out for before bringing part-time staff on board.

Security

When you are hiring someone part-time, security could be a concern. You or your HR person may have done a background check, but a temp’s risk profile nevertheless remains much higher than that of permanent employees on your payroll. Trusting a temp worker with customer and business data is a risky choice, so grant only the access the role needs and disable the account when the season ends.

Infrastructure

Having seasonal employees is a good solution to temporary spike in workload. But, there is still a need to provide your temps with the resources they need to perform their tasks efficiently. Computers, server space, internet and phone connectivity, all need to be made available to your temp workforce as well.

Lack of training

Your permanent employees will most likely have been trained in IT security best practices, but what about your temps? When hiring short-term staff, SMBs and even bigger organizations rarely invest any time or resources in general training and induction. Usually brought in during peak season, temps are expected to get going at the earliest, and IT drills and security training often have no place in such hurried schedules.

Collaboration needs

Often businesses hire seasonal staff from across the country or even the globe because it offers cost savings. When the seasonal staff works remotely, you need to ensure the work environment is seamless: high-quality collaboration tools for file sharing, access and communication need to be in place.

Having part-time or seasonal staff is an excellent solution to time-specific resource needs. However, for it to work as intended, smoothly, in tandem with the work happening at your office, and without any untoward happenings such as a security breach, businesses need to consider the aspects discussed above. An MSP can help by managing them for you, in which case hiring temps will be all you need to think about.

Click to learn more about our managed service provider solutions.