Tag: ransomware

Posted on

Cybersecurity and Small Business

Small businesses face many challenges as they grow and expand, and chief among them is the growing threat of cyber-attack. As the company grows, its value to cybercriminals grows, too. Implementing comprehensive cybersecurity measures is essential to maintaining customer trust and safeguarding important business data against these threats.

There is a belief among small business owners that their operations are too small or insignificant to be attractive targets for cybercriminals. Cybercriminals, on the other hand, more often view small businesses as easy targets. Why is this? Largely because the bad guys know that the smaller companies aren’t spending on cybersecurity services and tools and aren’t always keeping their workers informed about ways they can participate in keeping things safe.

To help protect the business from cybersecurity threats, it is crucial to invest in some key security measures. Longer and more complex passwords, regular software patching and updating, and periodic training for employees on how to identify phishing attempts and what to do with suspicious emails is a good start. Cybersecurity efforts should scale with the business, and this requires strategic planning that is aligned with the goals and objectives of the business.

The best cybersecurity approaches are built on a secure foundation, and this is what helps to support business growth and expansion. For every business, there are four cornerstones of a solid cybersecurity foundation.

  • Identifying potential cyber threats and understanding the business risk they represent.
  • Enforcing strong password protection and role-based access controls.
  • Following best practices in cybersecurity.
  • Managing documentation and vital business information securely.

Cybercriminals know that smaller businesses generally have limited cybersecurity resources, making small businesses prime targets for phishing and malware. What is the potential impact of falling for a phishing email, or what happens if there is a ransomware attack? Each type of threat carries different levels of risk, and growing businesses should be aware of the potential financial, legal and reputational impacts when evaluating their approach.

Businesses can help their users become part of the cybersecurity plan by regularly training them on phishing methods and ways to avoid ransomware or malware. When users know more about emerging threats and how to recognize and report suspicious things, they become valuable assets in the improvement of cybersecurity of the business.

The first line of defense in cybersecurity is the username/password challenge. Many systems today use an email address as the username or user ID, which means it really isn’t much of a challenge to guess. This leaves it to the password to keep the account secure, so a strong and unique password is necessary.

Making another challenge to the authentication adds another layer of protection to the account. Referred to as 2FA or MFA (two-factor authentication or multi-factor authentication), users may be required to respond to an in-app message, provide a code received via SMS or other, or provide a code from an authenticating application to satisfy the login requirements. This additional challenge to the user identity makes it harder for cybercriminals to gain unauthorized access.

Ensuring the protection of sensitive business information requires controlling what users have access to once they are in the system. If someone were to gain unauthorized access, having appropriate role-based access controls in place would limit their ability to get sensitive data. This is often another area of vulnerability for smaller businesses that don’t implement strict document controls or structures, opting instead for an open self-service model that leaves data available to whomever can get logged in.

With businesses changing frequently, it is important to not just create a framework to limit user access, but to keep user and role-based access reviewed and updated regularly. Software and systems also need to be updated regularly. Known software vulnerabilities should be patched and security updates installed on devices, and policies enforcing updates and antivirus/malware detection should be implemented.

We understand that businesses must enhance their cybersecurity strategies to combat the growing number and type of cyber threats, and it can be challenging just figuring out what to do first. Working with a variety of technologies and specialists, we can help secure your digital environment and keep you better-protected from the bad guys.

jm bunny feetMake Sense?

J

Posted on

Business Data Loss is a Growing Problem

The portable computer was the secret business weapon of yesterday and is today’s essential business tool. The processing power, portability, storage, and connectivity available with laptops, tablets and smartphones has created a seamless extension to the office. Business users can work with their applications and data from just about anywhere. While mobile devices are valuable when it comes to conducting business, they also pose additional security risks. Increased efficiency, mobility, and accessibility can also mean an increased potential for a data breach or business data loss.

The workforce of today is mobile enabled. Business users, owners and managers, accounting advisors and business consultants can access all the information and analytical capability they need to perform their jobs and make informed business decisions, capturing and collecting important information while keeping productivity at the highest levels no matter where they are.

“87% of businesses rely on their employees to use their personal mobile devices to access company apps”, according to a post by Perillon. Some studies have estimated that as much as 80% of the data a company has (like customer files, contracts, financial data, product specifications) might be stored on portable devices. This means that mobility comes with risk, which is why Mendelson Consulting and Noobeh cloud services utilize cloud-based platforms and services to keep data safe and secure.

According to business data loss statistics compiled by Businessdit.com, the two most common causes of data loss are hardware failure (40%) and human error (29%). Overall, malware causes 35% of all data loss, taking advantage of the 21% of files that businesses are not protecting at all.

The stats show that it takes approximately 206 days on average to even detect a data breach, the costs of downtime and losses average around $1,410 per minute for small businesses, and 22% of SMBs close after a ransomware attack.

Data loss or theft can create big business and legal problems, too. Customer or client privacy may be compromised, sensitive information may be exposed, and confidential plans may be made public if a business doesn’t take steps to secure mobile data.

“The average cost of a data breach in 2021 was $4.24 million. That’s a huge increase from the $3.86 million cost in 2020. And it’s only going to get more expensive in the future. Companies need to be prepared to deal with the fallout from a data breach, which can include everything from legal costs to damage to their reputation.”

Businessdit.com

There’s an old saying that there are only two types of businesses: those who have lost their data and those who will. Imagine the potential chaos, risk exposure, reputation damage and the expense of losing your valuable business data or having it exposed to unauthorized parties.

While computing mobility delivers a host of advantages to the business and the user, care must be taken to ensure security, privacy, and confidentiality of the business information and protecting against business data loss.

Increased exposure to liability is a reality for any mobile business, and the risk is only multiplied by the number of systems a company has in the field. Smart businesses reduce risk by deploying secure yet versatile platforms for their workers that allow data to be stored and protected in centralized environments rather than on individual computing devices.

Via the cloud, businesses of all kinds are reaping the benefits of new and innovative service delivery, achieving the freedom and functionality a mobile working model demands. Mendelson Consulting and Noobeh cloud services have the cloud solutions and managed IT services that provide the mobile capability businesses need, but with the additional protection, additional security, and ongoing management that the value of the data demands.

jm bunny feetMake sense?

J

Posted on

Compliance in the Cloud – Their System; Your Responsibility

Can you outsource compliance to the cloud?

Outsourcing IT to a cloud service provider can be tremendously beneficial for a business.  The model allows an organization to offload not just IT infrastructure costs, but also the costs associated with developing and maintaining all of the practices and processes involved in managing and maintaining the infrastructure and systems.   There is tremendous responsibility in handling everything from platforms and infrastructure to creating best practices for maintenance, management of scalability and growth, forecasting bandwidth requirements, implementing and monitoring security compliance, creating effective and comprehensive disaster recovery plans, and more.

The question which begs to be asked is whether or not HIPAA, PCI/DSS or any other compliance requirements, and the complexities, risk and legalities that come along with them, can also be outsourced to the CSP. For that matter, can any real level of responsibility be fully outsourced, where the liability for non-performance or noncompliance is also fully shifted?

Ummm. No. It is still your problem.

What too many companies really don’t understand is that they aren’t eliminating risk by moving to the cloud, and the requirement to meet various compliance requirements really can’t be outsourced. Particularly in this area, businesses need to recognize that outsourcing certain functions doesn’t reduce or eliminate responsibility or liability.  Just the converse, it could make things a bit more difficult if you don’t keep close tabs on how the provider implements and is involved with your solution. Even beyond that, what is the impact to the business operation when requirements are not met?  Cost recovery from the provider may be one option, but how does that help the business remain operating in the meantime?

Gramm-Leach-Bliley (GLB) Act  Requires financial organizations to enter into contracts with third parties that they share their customer information with (including cloud vendors) to ensure that the third-party handles that information securely. Executives of those financial organizations can be held personally liable for failure to do so.

Sarbanes-Oxley Act (SOX)  Defines specific security mandates and requirements for financial reporting to protect shareholders and the public from accounting errors and fraudulent practices. SOX dictates which records are to be stored and for how long and requires the data owner to know the location of the data in the cloud and to maintain control of it. Failure to comply can result in fines and/or imprisonment.”

source: CIO.com

This discussion Isn’t limited just to compliance with regulations (at least it shouldn’t be)

In this conversation we need to also address what a business should do in terms of protecting and preserving its information assets (data!) even beyond what the CSP offers. Keeping confidential and private information secure and protecting the data of the business (and clients or patients or other entities) is essential, even when the CSP fails in its obligations or abilities.  This aspect of disaster recovery and continuity planning is not often considered by the CSP yet remains critical to the business customer. The sales pitch, however, never really delves into this area, because it represents an aspect of service coverage that the provider simply can’t provide.

Illustrating this particularly difficult aspect of outsourcing to the cloud is the hard lesson learned by customers of a QuickBooks hosting provider who experienced a severe outage due to a ransomware attack. The hosting service provider promised customers it backed up their data and it did, but the backup archives were also compromised.  In order to restore service, customers were expected to have their own backups of the cloud-hosted data.

While there may have been items in the service agreement which address these issues, I can say – based on a great deal of experience in just this area – the service providers rarely make this point very clear to customers, and more frequently tell customers backing up their data is no longer something they need to really worry about. It’s like that really tiny type at the bottom of a contract that nobody notices until it is too late.

“..restoration proved more difficult in Texas. Lezama explained that for the Texas clients, the backups had been compromised as well, because their backup data had synchronized with corrupt files. But Cloudnine clients are obligated backup their own data as well, as a sort of third-level security measure..”

source: AccountingToday

With compliance in the cloud, it’s their system, but your responsibility.

Outsourcing IT to a cloud service provider in no way eliminates or reduces the obligations of the business to manage certain aspects of information systems and data.  What outsourcing can do is deliver a greater operational capacity and agility more affordably.

The responsibilities to establish information and systems management practices and processes remain firmly with the business, and actually represent a strategic component of the business that is unwise to outsource anyway. Resilience in a business and its ability to conform to regulatory and other requirements are the foundations of sustainability. Remember that cloud providers and services can be leveraged to improve certain cost and system performance metrics, but it remains solely with the business customer to find ways to reduce risk and create a greater assurance of continued operational capability.

Make Sense?

J