In the past several months, work from home (WFH) policies have become increasingly popular. The spread of COVID-19 has resulted in a temporary and sometimes permanent WFH environment for many companies throughout the country.
Working from home can be beneficial and many employers and workers are happily embracing the trend. Plus, with remote access solutions, it’s easier for businesses to safely operate from anywhere with a secure, remote connection. Here are some benefits companies see after making a WFH shift:
Improved Employee Satisfaction
Many employees appreciate the option to work from home at least part of the time. The flexibility to choose when to go into an office provides peace of mind to employees who might have to commute far in bad weather or need to deal with an unexpected illness. Most workers prefer organizations that allow a greater balance between life and work.
Increased worker productivity is a major potential benefit of adopting a work from home policy. Studies have shown that in many cases productivity improves when employees work from home.
It may seem that a house has many distractions, but the office may have more. Colleagues visiting, a loud office space, and impromptu meetings can steal away a lot of time. From home, some employees have the opportunity to focus on a task with fewer interruptions.
Less Time Spent Commuting
Anyone who sits in traffic or takes public transportation daily understands the merit of a shortened commute. It’s also greener: cutting down on daily commutes may have a net positive effect on energy savings. At the very least, employees will see a decline in transportation costs and time spent traveling to work.
Recruitment and Retention Improvements
Recruiting top employees remains a serious challenge, but limiting the candidate pool to a local area may mean a company is missing out on potential applicants. Studies by major consulting and recruitment firms have found that the opportunity to WFH can be a key factor for candidates applying for new jobs. Companies may also lose some of their own workers: the lack of work from home opportunities has been listed as a reason for seeking alternative employment.
Decreased Real Estate Costs
For companies and organizations that believe WFH will be their long-term model, this can mean eliminating office space, cutting considerable fixed costs out of the bottom line.
There are many great benefits of working from home. However, relaxed data security and blurred office hours can become an opportunity for cyber threats. If you’re considering adopting a work from home policy, here are some factors that should be carefully considered:
Equipment and Maintenance
It should be outlined what equipment and utilities employers and employees are responsible for providing and maintaining. Will bandwidth be a reimbursable expense? Will laptops, phones, etc. be provided by the business or will this be a BYOD project?
If technology is provided by the employer, determine the employee’s responsibility to keep it maintained and install upgrades. If you have a BYOD policy, decide whether employees are required to bring their devices in for upgrades and security checks. Click here to learn more about adopting a BYOD policy.
Fair Labor Standards Act
When employees work from home, overtime laws are still applicable. The Fair Labor Standards Act (FLSA) created a framework for paying wages above the law’s definition of a 40-hour workweek that includes overtime pay for work performed beyond that threshold. Under FLSA, two basic classes of workers are defined: those employees who must be paid overtime when working in excess of forty hours (non-exempt employees), and those who are not required to be compensated for work done beyond the 40-hour limit (exempt employees).
The problem FLSA presents is that non-exempt employees must be paid for all work, including any work activity outside regular working hours. An example of the liability this creates for an employer is employees who respond to texts and emails from home outside “office hours.” This is compensable work and needs to be counted toward the 40-hour threshold. Policies that protect you from any violation of FLSA should be articulated clearly in writing.
Be Aware of Organizational Silos
When developing a WFH policy, the above issue of FLSA points out that effective WFH planning and implementation requires collaboration, and not just between individual managers and employees. IT involvement may be necessary: determine who is supporting off-site technology and maintaining data security. It may be a human resources issue: will performance measurements need to be tweaked? It may be a legal issue: certain types of data are governed by federal and state laws such as HIPAA and FERPA.
It is extremely important that companies take into consideration the data protection and legal implications before opting for a work from home setup. WFH policies can prove beneficial to both the employer and the employee if planned well and implemented properly.
No matter if you’re in the office or at home, networks need to be secure and maintained. MSPs like Wahaya can help ease the telecommuting transition with remote access solutions and business data continuity plans. Contact us to start setting up your business to operate from any time, anywhere!
HIPAA (Health Insurance Portability and Accountability Act) serves as a constant reminder to professionals in the healthcare field that data security is of utmost importance. Every company that works directly with protected health information (PHI), along with their business associates, is required to complete a risk assessment.
What is a Risk Assessment?
HIPAA requires covered entities, which includes health plans, healthcare providers, and healthcare clearinghouses to complete a thorough risk assessment to determine all possible vulnerabilities in terms of data security.
A HIPAA risk assessment should determine that your organization is in compliance with all of the privacy, security and breach notification requirements of HIPAA. It is required of both covered entities and business associates. This can be achieved via the risk assessment process, the goal of which is to identify all of the potential areas of vulnerability.
Why is a HIPAA Risk Assessment Mandatory?
HIPAA regulations exist to cover data security. Covered entities are responsible for assessing, identifying, and documenting vulnerabilities and taking precautions to eliminate or mitigate the risk of a breach.
An organization can be fined for failing to exercise due diligence in recognizing areas where a data breach could occur. For example, the Centers for Medicare and Medicaid Services reported that a wireless health service provider violated the HIPAA Privacy and Security Rules when a laptop with PHI was stolen from an employee’s vehicle. The investigation revealed insufficient risk analysis, and the company agreed to pay $2.5 million and implement a corrective action plan.
Companies can also be fined even if no data has been breached, if they allowed a situation to develop that creates a vulnerability.
What Does a HIPAA Risk Assessment Entail?
Due to the unique vulnerabilities of electronically stored and transmitted data, a professional in cybersecurity, data protection, and data backups should handle your risk assessment. Wahaya’s cybersecurity and compliance services can assist your organization with internal compliance and with the specific legal requirements regarding PHI and HIPAA.
Here is a quick summary of what a risk assessment entails:
A risk assessment should first determine where PHI resides, moves, or is transmitted, and all of the access points: for example, which individuals in an office have access to patient data and via what media. Notably, the rise of mobile devices has created a new area of concern for data security because medical professionals can access data on their phones and tablets.
Then, the assessment should determine the vulnerabilities along all of these touchpoints. That means identifying the threats to data security, which HHS summarizes in four categories:
- Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
- Unintentional errors and omissions
- IT disruptions due to natural or man-made disasters
- Failure to exercise due care and diligence in the implementation and operation of the IT system.
Next, a risk assessment will need to identify and evaluate all of the existing security protocols to protect PHI.
The following step is to determine if these tools are sufficient for data protection and whether the protocols and safeguards are being observed.
After that, identify the likelihood of a threat. In other words, not all risks are of equal likelihood. As there are limits to an organization’s capacity to eliminate risk, the focus should be on the ones which have a higher probability of occurrence.
Finally, calculate the likely consequences of a breach of PHI. If a breach occurs along any particular touchpoint, how severe would it be? Would it be the release of a single piece of PHI, or one affecting thousands?
Given that so much data is now stored electronically, the risk of a data breach is considerably higher and security is far more complex. It needs to be noted that ignorance of any part of the HIPAA guidelines is not an excuse for non-compliance. Failure to conduct a risk assessment, or conducting an inadequate one that fails to identify specific vulnerabilities, is, in and of itself, a fineable offense.
Given how quickly the digital landscape changes, it is important to consult an expert with experience in HIPAA related digital security. Wahaya IT Consulting can help protect your business and your patients’ PHI from HIPAA violations with a thorough risk analysis, adding data security measures, and following all security and compliance regulations. Click here to contact our team of IT Professionals!
Employees are often the target of cyberattacks that can compromise private company data. New employees in particular can be the most susceptible to common attacks such as social engineering and phishing. To stay ahead of cybercriminals, organizations should educate and train all employees through a top-down IT security approach.
A top-down IT security approach begins with the IT department and management communicating the importance of cybersecurity and creating guidelines for reporting suspicious activity. IT Departments are not the only ones targeted by cybercrimes, leaving the potential for any employee to become a security liability. A top-down approach shifts the sole responsibility away from a single department.
A combination of general security training and instructions to recognize and report breaches is essential for keeping company data safe. Wahaya IT Consulting works with organizations to create a custom IT Policy handbook to distribute to every employee. Click here to see more of our recommended cybersecurity training best practices.
Focus on the first steps you need to take as an organization to better prepare your employees to identify and mitigate cyber threats. For example, employee training is just one part of Wahaya’s layered approach to IT security. Minimizing the risk of a cyberattack can help to avoid the following repercussions:
- Negative effect on brand image: Business disruption due to downtime, or having your business data (including customer and vendor details) stolen, reflects poorly on your brand.
- Loss of customers: Customers may take their business elsewhere if they don’t feel safe sharing their information with you.
- Financial loss: Data breaches make you liable to follow certain disclosure requirements mandated by the law. These may require you to make announcements to the media, which can become expensive. You may also have to hire a PR team to address communications during this time.
- Potential of lawsuits: A company could be sued by customers whose Personally Identifiable Information (PII) has been compromised or stolen. Depending on the industry, there may also be steep fines for noncompliance.
Your company’s organizational structure should acknowledge the fact that IT security is not only your IT department’s, CTO’s, or Managed Service Provider’s (MSP) responsibility. IT security is dependent on every part of the business. An approach that starts from the top and encompasses every employee within the organization will lead to success in keeping customer and business information safe and secure.
Cover your vulnerabilities with a cybersecurity prevention plan. Contact us to learn more about our cybersecurity solutions.
Cloud security is defined as the protection of data stored online via cloud computing platforms. Reviewing the benefits and risks associated with cloud security can help organizations find the right cloud security approach to match their needs.
The Benefits of Cloud Services
Many small businesses, consumer industries, and health care environments have switched to cloud technology to store their data. The Cloud offers numerous benefits over the traditional, physical on-site server. It is a great choice, especially for SMBs who don’t want to be burdened with higher in-house IT costs. Click here to learn more about Wahaya’s managed cloud services.
Reasons for switching to the cloud include:
- Anytime, anywhere access to your data: Information in the Cloud can be accessed from anywhere using an internet connection, unlike in the case of traditional servers, where a physical connection to the servers is needed.
- Significant cost savings: Reduce hardware costs, because you do not need to invest in physical hardware.
- Shared storage leads to cost savings: The Cloud lets you share space with others while maintaining a secure environment in general. It follows a ‘pay-as-you-use’ approach to data storage allowing you to enjoy cost savings based on your data storage needs. Traditional options require you to pay for and purchase a whole new server if your data storage needs exceed the existing capacity.
- SaaS compatibility and support: Since software can be hosted in the Cloud, it allows the use of Software-as-a-Service.
- Scalability: The Cloud lets you scale up and down as your business needs change.
- 24/7 monitoring, support, and greater access reliability: When your data is in the Cloud, the Cloud service provider is responsible for keeping it safe and ensuring it is securely accessible at all times. They monitor the cloud’s performance and in the event of any performance issues, they provide immediate tech support to resolve the problem.
Organizations must not only protect consumer information to satisfy customers, but many must follow regulations for storing sensitive data. Common personal data stored that is protected by regulations are credit card and healthcare information. In particular, healthcare providers must implement a cloud solution that is HIPAA compliant. Different environments will face unique privacy and security concerns.
Threats to Cloud Security
Putting your data in the Cloud is not completely risk-free. Just as storing data on physical servers has its security threats, the Cloud presents certain security concerns as well.
To protect your network, Wahaya offers a managed, layered approach to security. Cloud backups, continuous employee training, filtering, and AI-based malware learning all work as different layers of our security approach. Our various levels of defense minimize the possibility of cyber threats slipping through.
Major threats to cloud security include:
- Data breach: A data breach is when your data is accessed by someone who is not authorized to do so.
- Data loss: A data loss is a situation where your data in the Cloud is destroyed due to certain circumstances such as technological failure or neglect during any stage of data processing or storage.
- Account hijacking: Like traditional servers, data in the Cloud could be stolen through account hijacking as well. In fact, Cloud account hijacking is predominantly deployed in cybercrimes that require identity theft and wrongful impersonation.
- Service traffic hijacking: In a service traffic hijacking, your attacker first gains access to your credentials, uses them to understand the online activities that happen in your domain, and then uses the information to mislead your users or domain visitors to malicious sites.
- Insecure application program interfaces (APIs): Sometimes, Cloud APIs, when opened up to third parties, can be a huge security threat. If the API keys are not properly secured, it can serve as an entry point for cybercriminals and malicious elements.
- Poor choice of Cloud storage providers: A security lapse from the Cloud storage provider’s end is a huge security concern for businesses. It is very important to choose a trusted and experienced Cloud service provider who knows what they are doing.
Cloud Security Mechanisms
As part of a layered approach to cloud security, there are several mechanisms that can be implemented to counter potential threats. These include:
- Cloud firewalls: Much like the firewalls you deploy for your local IT network, Cloud firewalls work to prevent unauthorized Cloud network access.
- Penetration testing: Penetration testing is a sort of a Cloud security check where IT experts try hacking into the Cloud network to figure out if there are any security lapses or vulnerabilities that could serve cybercriminals.
- Obfuscation: In obfuscation, the data or program code is obscured on purpose such that the system delivers unclear code to anyone other than the original programmer, thus mitigating any malicious activity.
- Tokenization: Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
- Virtual Private Networks (VPN): Another, more commonly used mechanism is the VPN. VPN creates a safe passage for data over the Cloud through end-to-end encryption methodology.
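Tokenization, as listed above, illustrated with an added example that is not part of the original post or Wahaya’s own tooling: a token vault swaps a card number for a random token that keeps only the last four digits, so downstream systems can display and match on the token while the real number stays inside the vault. The sample card number is a constructed Luhn-valid test value, not a real account.

```python
"""Tokenization vault example (constructed; not Wahaya's code)."""
import re
import secrets

PAN_RE = re.compile(r"^\d{12,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the sanity check a vault runs before accepting a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a hardened token vault (the real one would be
    an isolated, access-controlled service)."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        """Replace a card number with a token; only the last four digits survive."""
        pan = pan.replace(" ", "")
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:   # same PAN -> same token, so matching still works
            return self._pan_to_token[pan]
        # Random core: the token carries no information about the PAN except the last four.
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-processing role may recover the real number
        (role name is an assumption for this example)."""
        if caller_role != "payments":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]

    @staticmethod
    def masked(token: str) -> str:
        """Display form derived from the token alone, never from the PAN."""
        return "**** **** **** " + token[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")   # constructed test number
    print(tok, TokenVault.masked(tok))
    print(vault.detokenize(tok, "payments"))
```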
Investing in a good cloud security system is a must, especially when it comes to protecting private consumer data. Complete cloud security is a blend of all these multiple digital security layers plus internal policies, best practices, and regulations related to IT security.
Ready to implement the right cloud security solution for your organization with Wahaya IT Consulting? Click here to contact us!
Managing risk: Keeping IT up and running
So why are we addressing risk management? Because every firm needs to make plans if something bad happens. It could be a fire, flood, hurricane, extensive power or broadband outage, even an act of terror, but any of these events could affect your IT infrastructure or capacity to connect to it. And many smaller firms fail to recognize how reliant they are on their IT infrastructure. Here are two tools that can help keep your IT infrastructure operational in the event of a disaster.
VoIP – This is an interesting option. You may have the standard PBX system that handles switching calls that are directed within your physical organization, and it may even allow call forwarding, but that is all it usually permits. VoIP systems allow dramatically aggressive approaches to call forwarding, including time windows. This makes it easier to maintain voice connections even if access to a physical site has been blocked. VoIP also offers many innovative features such as voice-to-text and voice-to-email that can increase productivity.
Uninterruptible power supplies (UPS) and surge protection – Don’t forget the obvious. Risk management means looking at one of the key risks any business faces: power interruption. What would you do if a long term power event occurred? Could you just tell your customers “oops-sorry?” That won’t likely work very well. There are uninterruptible power supply systems using battery support, natural gas and other fuels which can provide support for as long as is needed.
Contact a managed services provider to discuss in-house UPS management.
Cybersecurity Training Best Practices for Employees
Cybersecurity services provide protection against hacking, viruses, and other threats to an organization’s data. While there are many outside threats, employees are usually the first targets of cyberattacks such as phishing, malware, and ransomware.
To avoid having data compromised by an internal member of an organization, employee training should be part of a company’s cybersecurity initiatives.
Employee training for cybersecurity is particularly important for companies dealing with sensitive information such as credit cards and data subject to HIPAA regulations. Small to medium businesses need to train employees to identify and respond correctly to cyberthreats before they become detrimental.
Here are some employee training best practices to include in your employee cybersecurity training program:
Create an IT Policy Handbook
A handbook of your IT policy should be shared with every employee in the organization – from the CEO to the interns. It should inform anyone with access to your systems on how to spot and report potential scams.
Wahaya IT Consulting creates a custom-tailored IT Policy handbook for all of our managed clients. In conjunction with our training platform, it can mitigate human security risks and identify major cybersecurity risks to your industry. The handbook also meets compliance requirements for local data security laws by aligning with a “Reasonable Cybersecurity Program,” required by the state of Louisiana and most other states.
Phishing, fake software, and other cybersecurity scams are constantly evolving. Ensure your IT policy handbook is consistently updated to keep employees aware of new threats.
Add Cyber Security Training to Official Onboarding Initiatives
Cybersecurity should be incorporated as part of your onboarding program for all new employees.
You can also conduct refresher sessions to ensure your existing employees are up-to-date on the latest cyberthreats. At the end of the training session, conduct tests, mock drills, and certification exams.
Good training includes assessments and follow-ups. Wahaya IT Consulting provides necessary training needed for most compliance requirements, including weekly video micro trainings, and monthly newsletters, all integrated with dark web monitoring. Consistent and positive experiences with training will ensure your employees take cybersecurity seriously.
Day Zero Cybersecurity Threat Alerts
As previously mentioned, the cybercrime landscape is constantly evolving. Every day, cybercriminals are finding new vulnerabilities to exploit, and new methods to steal your data or to hack into your system. Day zero alerts are a great way to keep your employees updated.
For example, if a new security threat is discovered, an email should be sent that clearly defines the threat and what can be done to mitigate it. Afterward, follow up to verify employees took the necessary steps.
Transparency for Employees and Organizations
Considering the serious ramifications brought on by cybercrime attacks, organizations need to strengthen their first line of defense against cybercriminals: their own employees. Let your employees know what to look for and whom to report to in the event of any IT related challenges.
Reduce your risk of an employee falling victim to cybersecurity attacks and risking your organization’s data with a custom cybersecurity and training plan from Wahaya IT Consulting.
Looking for an IT company that offers network support in Baton Rouge? Wahaya IT Consulting offers exceptional end user support and services to businesses. From desktop application to network support, we cover it all. We have top notch technicians and a great team to support your company. You’ll find our service offerings very affordable. We enjoy helping companies of any size with their computing needs.
Need special Office 365 help? Or do you need to develop an Office 365 plan that stays within your budget, while still giving you the best configuration and the most important features, such as security?
Backed by technology experts, we help companies gain the full benefits of existing systems. Maybe you need to make strategic investments based on budget. Certainly you need to implement solutions that are secure, dynamic, and reliable.
Managing Risks: Small firms need to wake up
You may not think too much about serious disasters. Most of us focus on the day-to-day chores of running our businesses and keeping revenues up. However, there are long term planning concerns that many firms just avoid. Those concerns are managing the risk to your business if something very bad happens. This long-term planning is called risk management and it is the dullest topic ever—until something bad happens.
Business school academics have varying definitions of risk and risk management, but for our purposes the concepts are fairly simple. Risk is the negative uncertainty that comes from any potential loss. Risk management is the collection of activities a business undertakes to mitigate, avoid, and transfer the losses that might damage the business due to some negative event.
Risk management, now frequently referred to as Enterprise Risk Management, has been an area of business focus for decades. Businesses have long recognised that they need to look at the financial risks they might face if something happened to their physical assets or if they were confronted with major litigation. However, in the past few decades, there has been a stronger and broader focus on the entire spectrum of risks that confront a business, which has begun to push the issue to the C-suite level. Unfortunately, while large businesses devote serious resources at the highest level to managing risk to protect their organization, smaller firms often spend little or no time considering risk as an important business issue. Even smaller firms who do take the time to think about protecting against operational threats may be unlikely to consider threats that are a degree or two of separation away from their core business. That means that technology infrastructure may be ignored if, and when, business continuity and disaster recovery plans are being considered.
Background: Why is risk management gaining greater visibility? As noted, risk management isn’t new. However, the last few decades have seen the United States face two major catastrophic events: Hurricane Katrina in 2006 and the terror attacks in 2001. Both brought to the fore the consequences for businesses that are unprepared, as well as the reality that very bad things can happen.
Globalization has also shown that distance does not shield us from the consequences of far away events. The earthquake and subsequent tsunami that hit Japan in 2011 reminded manufacturers and businesses in the United States about the consequences of their reliance on long supply chains and just-in-time inventory.
Another new threat that has alerted even the smallest firms to their vulnerability is technological. For a small firm, a major man-made or natural disaster may seem too distant to distract management from day-to-day operations, but the emergence of cyber threats, ransomware, hacking and data theft has really hit home for every organization out there. Even smaller firms totally focused on making it day-to-day are taking notice of this threat. Have you really given thought to how you would handle a disaster?
BYOD: Placing Limits
In our recent blog, we talked about the data security concerns that BYOD can bring to your workplace. There is another factor that needs to be considered before adopting BYOD. How much Bring Your Own can your IT department support? Supporting too many different operating systems, hardware models and software versions can be a real drain on the resources of your IT staff. Supporting BYOD can become very expensive.
You will need to consider placing limits on the BYO part of the issue. There are a wide array of possible devices out there. Supporting all of them would be overwhelming. Users don’t just BYOD, they bring their own Operating System and their own software applications and all of those applications’ multiple versions. Trying to support and control an almost limitless list of entry points into your data is both unwise and impossible. IT will need to place limits on which devices and operating systems it will support.
Another point to consider is how much the company will rely on the individual user to install and upgrade company-required applications. Or will IT be responsible for those duties? By placing the burden on IT, you ensure all the proper versions are being used, but you increase the labor requirement, which may become impractical.
In summary, there are a lot of issues regarding BYOD that create concerns. BYOD policies have a lot of moving parts which makes supporting them a difficult task. Make sure you are recognizing all the areas that will require IT support.
Multi-factor Authentication Demystified
You have probably come across the term multi-factor authentication of late. It is an IT buzzword today and is fast becoming one of the best practices of cybersecurity. So, what is multi-factor authentication, exactly? Read this blog to find out.
Multi-factor authentication, as fancy as the term sounds, is just multiple barriers to data access, each of which adds to security. In simple terms, imagine your data in a box, that box fitting into another, and then into another, all with locks. It is basically adding layers of security to your data. In fact, we already experience multi-factor authentication on a regular basis. For example, when you want to make a transaction online using your banking portal, chances are it sends you an OTP (one-time password) to the mobile number that is registered with your bank. Some banking portals also ask you for the grid numbers on the back of your debit card, and some online transactions using credit cards ask for the CVV or expiry date.
Even Gmail, Facebook, and LinkedIn use multi-factor authentication when they see unusual activity in your accounts such as a first-time log-in from a device you haven’t used before, or a log-in at a time that you don’t usually access your Gmail, Facebook or LinkedIn accounts. Going beyond OTPs, Facebook takes multi-factor authentication a notch higher by asking you to identify a couple of your friends on Facebook or your most recent profile picture.
According to Wikipedia, Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is). In simpler terms, that means,
- As the first layer of security, we have passwords, answers to security questions, PINs, etc.
- The second layer includes authentication methods such as OTPs, security tokens, access cards, etc.
- The third, and final, layer is something personal to the user. Examples include biometric validation such as an eye scan, fingerprint scan, voice recognition or facial recognition.
So, you see, even something as simple as withdrawing money from an ATM has you going through the multi-factor authentication process. You need to key in your PIN number and use your debit card to be able to transact successfully. With cybercrime being rampant, businesses cannot rely on the old school access authorization methods using a single password or PIN. Contact us about setting up a strong, reliable, multi-factor authentication system for your data.
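The factor categories and the phone OTP described above, shown in an added example that is not part of the original post or Wahaya’s own system. It makes two points the text implies: a login is only multi-factor when the credentials come from at least two different categories (a password plus a security question is still one factor), and a time-based OTP (RFC 6238, which a bank or authenticator app might use instead of SMS) is the possession factor. The credential-type mapping, salt and password are constructed for the example.

```python
"""Multi-factor check plus a minimal TOTP verifier (constructed; not Wahaya's code)."""
import hashlib
import hmac
import struct

# Credential type -> factor category (assumed mapping for this example).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "pin": "knowledge",
    "otp": "possession",
    "hardware_token": "possession",
    "access_card": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}

STEP_SECONDS = 30   # RFC 6238 default time step


def factor_categories(presented):
    """Distinct factor categories among the credential types presented."""
    return {FACTOR_CATEGORY[p] for p in presented if p in FACTOR_CATEGORY}


def is_multi_factor(presented):
    """True only when at least two *different* categories are present."""
    return len(factor_categories(presented)) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """Time-based OTP: HOTP over the current 30-second step counter."""
    return hotp(secret, at // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` neighbouring steps
    (clock drift). hmac.compare_digest avoids a timing side channel."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * STEP_SECONDS), code):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the knowledge factor is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(stored_hash, salt, password, otp_secret, otp_code, now):
    """Grant access only when the knowledge factor (password) AND the
    possession factor (TOTP from the enrolled device) both check out."""
    password_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    otp_ok = verify_totp(otp_secret, otp_code, now)
    presented = ["password"] + (["otp"] if otp_ok else [])
    return password_ok and otp_ok and is_multi_factor(presented)


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test-vector secret
    salt = b"constructed-salt"
    stored = hash_password("correct-horse", salt)
    print(is_multi_factor(["password", "security_question"]))   # False: both knowledge
    print(authenticate(stored, salt, "correct-horse", secret, totp(secret, 59), 59))  # True
```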