BEI Blog

BEI has been serving the Ohio area since 1991, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses.

IT Security Starts and Ends With Your Staff


We wish IT security was as simple as setting up a good firewall and installing an antivirus. We talk a lot about security solutions that cover a lot of your bases, such as our Unified Threat Management (UTM) system. While these enterprise-level solutions are important, any investment in protecting your network can be upended by a single act of user error.


You see, the bad guys are clever. They wouldn’t be building malware and stealing data if it wasn’t lucrative, and the successful hackers are very good at beating the system. A huge trend that has been growing for years involves hackers doing more than just infecting computers the old-fashioned way; today they are targeting people using tactics like social engineering and offline infiltration. They know that they can get access to your network by asking the right user the right questions over the phone or via email. They know how to get just enough information to sound somewhat legitimate, too.

Get Everyone on Board
It’s up to you to establish an IT security mindset with your employees. It starts with management and needs to trickle down across the entire organization. Getting other C-levels closely looped in, and then office managers and even HR, is a good way to make sure everything is being taken seriously.

Show That Security Isn’t Meant to Be a Burden
If you fire off new processes like two-factor authentication or push policies to employees’ phones without rallying them first, you’ll likely get moans, groans, and pushback. It will feel like you are making their jobs harder, when in reality you are protecting them and the organization. Instead, it’s a good idea to teach your people WHY security matters to them. Good employees want what’s best for the company and will see value in protecting the company if they understand that these new security processes aren’t designed to be roadblocks.

Have Regular IT Security Check-Ins
Whether you put together a weekly email or hold a monthly meeting, stick to it. If you make security enough of a priority that you don’t postpone a piece of your plan, your staff will feel the importance of it. Plus, this allows you to take smaller steps that ensure good habits are being put in place.

Reinforce Diplomatically
Until IT security mindfulness is achieved, the responsibility is on you to make sure your staff understands the new processes and procedures. This may include thoroughly documenting your security best practices, including them in the employee handbook, creating training videos, and hanging posters. Plus, as security threats and compliance requirements evolve over time, so will some of your processes. As things change, you’ll need to update your materials.

After most of your staff seems to “get it,” you can establish the repercussions for failing to comply with company rules. Remember that most practices can be easily remediated - depending on the severity of the issue, a first-time offender probably doesn’t need to lose their job. That said, repeat offenses and blatant disregard for IT security should be dealt with swiftly and corrected. One weak link can do harm to the entire chain.

Encourage Issue Reporting and Support Requests
One of the biggest tools you can equip your people with is the ability to put in support requests and report anything suspicious. If they don’t feel comfortable and encouraged to put in support requests, they might not raise their hand when something really serious is happening. This can be caused either by not wanting to bother management with something that seems unimportant, or by a fear that they will get in trouble for potentially causing an issue. It’s critical that you establish a clear value to reporting issues and mistakes that happen.

That’s where BEI comes in. We can not only help you establish the infrastructure to protect your business, but we can help enforce, audit, and support your organization. We can act as your in-house IT department and field employee support questions. Let us help you protect your business from the ever-increasing number of online and offline threats. Give us a call at (844) BIZ-EDGE today and have a chat with one of our IT security experts.


What to Expect of Ransomware this Year


Ransomware exploded in 2017, and after a year with as much success as these attacks saw, it is no wonder that 2018 is expected to see more. However, in order to remain successful, ransomware will have to change and improve. In today’s blog, we explore a few predictions as to how this threat will do so.


Why Ransomware Matters

Internet-connected devices are only getting to be more popular, in both the business world and in the personal lives of users. There is a growing reliance on these devices in order to function, to the point that if a device were to be unavailable, many would find themselves in a very tough spot. This is particularly true of business users, as they often rely on the use of such devices in order to operate.

As a result, the threat of denying them access to these devices brings with it some very real consequences - and again, it doesn’t help that so much of our personal and professional lives are so reliant on these devices and the data these devices enable us to access.

Cybercriminals are more than aware of how important this data is to us all. This is precisely why ransomware has been leveraged to relative success, and why its use as an attack vector will continue.

What to Anticipate

Moving forward, we believe that the following trends will become apparent.

Certain Industries Will be Targeted More than Others
There are particular industries that have been favored by ransomware attacks, as they are particularly reliant on their data. The most prominent example of such an industry, and one that will most likely continue to be a target, is the healthcare industry. This makes sense, as this industry has a particularly urgent need for its files, plus there is a lot of sensitive information at play, a fact that cybercriminals are not above exploiting.

Specific Targeting Will Continue
While 2017 saw its share of mammoth ransomware attacks, the technology is much more frequently used to power a larger number of smaller attacks than a few large-scale epidemics. The number of ransomware variants has exploded, some recording a 74 percent increase in a little over a year’s time. These campaigns are then used against prospective victims in the thousands, rather than the millions. 2018 will likely see more of the same.

Ransomware-as-a-Service Will be an Attractive Option
Ransomware-as-a-Service has proven to be very popular as it provides a win-win for the author and the person leveraging it. The person gets a ready-to-go ransomware attack, while the developer is paid for their efforts in developing the ransomware in question. It is likely that this method will continue to be a popular option moving forward.

What You Can Do to Prepare

Fortunately, preparing your business for the continuation of ransomware in 2018 can be as simple as picking up the phone and calling BEI at (844) BIZ-EDGE. Our experts can help you by applying the right solutions and instilling best practices among your employees. Call today.


Defining “Cyberterrorism” is Easier Than It Sounds


The world is unfortunately familiar with the concept of terrorism, the use of fear and menace to intimidate those opposed to your views, beliefs, or goals. However, others may not be as familiar with the concept of cyberterrorism, beyond seeing it on television. For today’s blog, we’ll examine cyberterrorism to gain a better understanding of its methods, and how to protect yourself from it.


The Official View of the U.S. Federal Bureau of Investigation and Others
One accepted definition of cyberterrorism by the FBI was once put to words by (now retired) Special Agent for the FBI Mark Pollitt, one of the first members of the Computer Analysis Response Team. According to Pollitt, cyberterrorism is “... the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub national groups or clandestine agents.”

There are many other definitions, but they all follow the same gist - the difference between cyberterrorism and run-of-the-mill cybercrime is based on the intent behind the attack. As a result, cyberterrorism is usually classified as such because it causes physical harm to a person or infrastructure to further a socio-political agenda.

How Cyberterrorism is Leveraged
Cyberterrorists, like other cybercriminals, have no shortage of attack vectors to get their way. There really isn’t any kind of attack that a cybercriminal could leverage that a cyberterrorist couldn’t also use.

This means that cyberterrorists will use many familiar tools to get their way, including ransomware, viruses and malware, denial-of-service attacks, and phishing. However, unlike the motivations of other, cash-focused cybercriminals, the cyberterrorist will have a different drive behind their actions.

Oftentimes, groups of cyberterrorists will actively disrupt websites, either to simply cause a nuisance online, or to sabotage those that disagree with their position. It is also a common goal for these groups to tamper with military technology and public infrastructure systems. This last motivation is particularly dangerous, as it could lead to a public health or safety crisis.

How to Protect Yourself
Fortunately, this is where the difference between a cyberterrorist and the typical cybercriminal becomes moot. After all, both use the same tools; they just have different motivations for using them. Therefore, your best defense against finding your business victimized is the same defense you would leverage against any cybercriminal - strong passwords, a secure network, and most importantly, a comprehensive appreciation of the importance of maintaining security standards throughout your business.

We can help you implement the solutions you need to keep your business safe against threats of all kinds. Call BEI at (844) BIZ-EDGE today.


How to Avoid Becoming the Next Data Security Cautionary Tale


Data security isn’t a matter to be taken lightly, as too many businesses have found out the hard way. Yet there are many simple ways to correct common security issues - enough that it’s foolish not to do so. We’ll review a few ways to fix security issues, after discussing one of, if not the, most egregious security failings in modern history.


The Equifax Problem
Sometime between May and July of 2017, the credit-reporting giant Equifax suffered a massive data breach that, as of this writing, exposed 148.1 million records containing the personally identifiable information of their customers. In other words, this breach exposed the data of almost half of the population of the United States of America.

In the aftermath of the Equifax data breach scandal, former CEO Richard Smith was cross-examined by Congress. Upon hearing Smith’s defense of “human and technology errors,” Chairman of the House Energy and Commerce Committee Greg Walden quipped, “I don’t think that we can pass a law that fixes stupid.”

How to Fix Your Business’ Security
While Walden may be correct that stupid can’t be fixed by legislation, it may be mitigated through the faithful enforcement of certain standards and practices. These standards should be enforced both on an organizational level, and on a case-by-case, personal basis.

First, let’s review what you should enforce in your organization:

  1. Compliance should be the baseline - Unfortunately, compliance with regulations often does not equal true data security. Instead of looking at compliance as being the ultimate goal for your business, consider it the first step to your business security strategy.
  2. Vulnerabilities need to be promptly remediated - It is astounding that so many exploits rely on known vulnerabilities… a full 99 percent of them. Furthermore, other attack vectors often utilize vulnerabilities that are at least half a year old. Patching these vulnerabilities as soon as possible will help cut down on threats to your business’ data and infrastructure.
  3. Data security needs to be centralized, organized, and assigned - While security should be a shared responsibility throughout the company, there also needs to be someone taking the lead and accepting responsibility for ensuring that data is properly distributed in a secure fashion. Part of this responsibility should be to implement access controls, ensuring that the data can spread only to whoever needs it and no one else.

Encouraging Your Employees’ Security
Of course, your employees are largely in control of how secure your company remains. This could be a bad thing, unless they are also held to certain best practices that keep data, and the accounts that can access it, secure. There are a few basic rules you can enforce among your staff to help encourage them to act securely.

  1. Lazy credential habits - There are a variety of behaviors to adopt that can better protect the accounts and solutions that your employees have. First of all, the classic password problem: reusing the same password for every account. If one or more of your employees does this, each one is essentially creating a master key that someone could use to access everything in their life, including your data. Neglecting to set a passcode of some sort for a mobile device can cause the same issue. An effective way to remedy this kind of behavior is to utilize a password management system. That way, your employee can reduce the number of passwords they have to remember, without sacrificing security.
  2. Oversharing - While you can’t necessarily control what your employees do in their off-hours, you should reinforce how easily a cybercriminal could piece together their passwords through some examination of their social media, especially if they subscribe to the lazy credential habits we just reviewed. See if they’ll avoid sharing personal anecdotes or information without first restricting the audience that can see that particular post. At the very least, they should have their social media accounts set so that only their approved friends can see their content. Furthermore, do your best to avoid oversharing from the office. Images can easily show confidential information if you aren’t careful, by accidentally capturing an invoice or your customer relationship management solution pulled up on a screen in the picture. Review what you are about to post before taking the image and before you share it online.
  3. Using the wrong Wi-Fi - While public Wi-Fi connections may be convenient, you should remind your employees that this convenience comes at a price: the security of public Wi-Fi is suspect at best. They should be warned against doing anything especially important over a public Wi-Fi signal, like banking or checking their email.

Data security is a critically important consideration, in part because there are so many ways that it can be undermined. We have some solutions to offer that can help keep your business secure (despite what may sometimes seem to be your employees’ best efforts). Reach out to BEI at (844) BIZ-EDGE today!


Knowing, and Planning For, Your Organization’s Compliance Burden

Despite what detractors say, regulations are in place for good reason. They typically protect individuals from organizational malfeasance. Many of these regulations are actual laws passed by a governing body and cover the entire spectrum of the issue, not just the data involved. The ones that have data protection regulations written into them mostly deal with the handling and protection of sensitive information. For organizations that work in industries covered by these regulations, there are very visible costs that go into compliance. Today, we look at the costs incurred by these organizations as a result of these regulations, and how to ascertain how they affect your business.


Are You Ready for More of the IoT in 2019?


The Internet of Things has verifiably exploded in popularity in almost every conceivable fashion, as was more or less expected before 2018. What can we expect from the IoT in 2019? We’ve compiled a few predictions.


Do Browser-Saved Passwords Stay Secure?


One of the best things about computers is that there is always a new way to make something easier: automation decreases a workload, their processors can calculate much faster than the human brain can, collaboration with coworkers becomes almost effortless, and your web browser can even remember your passwords! However, you have to ask yourself: is the ability to save your passwords in your browser really a great idea?
