Why Your Business Needs A Professional Information Technology Team

You may run your small to midsized business with ad-hoc resources that support your IT infrastructure. What do I mean by IT infrastructure? You know your desktop computers, servers, internet connectivity, cloud infrastructure, all the technology ‘stuff’ that enables you to track inventory, bill for services, manufacture inventory, produce reports; all the things your business needs to operate. You may utilize an in-house resource for some IT things since they have perceived knowledge but it’s not their primary role. You also call on outside resources such as a local computer store, your Internet Service Provider, email hosting company, or others depending on the perceived issue.

You might think that you’re saving money by not having dedicated resources that can monitor, manage and secure your infrastructure but you are not. You might think that much of what an IT person or company would do is not necessary for your small or mid-sized company but again you are mistaken. Having provided services for over the last 22 years we have seen many companies make assumptions that they can get by until they find that their business is in jeopardy having suffered a data breach, data losses, system outages or other problems that now threaten the company and perhaps its viability.

What do outages and slowdowns cost your business over the course of a year? If you or your employees cannot work for an hour or two, or you can’t track orders or inventory, or if you can’t appropriately communicate with your customers for the day, or run a production line for an extended period what is the cost? What if your server gets compromised and begins emailing all your clients malware? In all these cases there is not only a quantifiable cost in dollars but perhaps also in loss of reputation. I don’t know about you but if I can’t count on the companies that I interface with I go elsewhere for the products or services I need.

At Network Management Solutions we have seen in many instances where companies cannot operate for days or beyond. Improper software or hardware setup can not only cause performance issues such as slow response but also lead to data breaches. Malicious phishing attacks are emailed on an ongoing basis, without proper setup an employee’s mistake of clinking on a link may lead to malware, compromised passwords and systems. Perhaps the real value of the IT infrastructure and the business reliance on it were not scrutinized until the small problems became momentous.  

So what  can a service provider do for you and your company? While no one can guarantee that IT problems will never occur, a professional services organization like Network Management Solutions can ensure that problems are reduced to a minimum and the effects of any outages are quickly recognized and mitigated.

A proper Managed Service Provider (MSP) will make certain that your infrastructure is appropriately designed to meet the business information needs, focusing on reliability, information security, and performance. This may include ensuring desktop computers are maintained, servers are updated, security patches are applied, outages are addressed in real time, and the overall health of the infrastructure is monitored to prevent and mitigate potential outages. Additionally, an MSP will identify design flaws and recommend measures that will improve service levels, security, and data retention. You can’t get these services from a full time employee acting as a part time IT resource, or a part time IT firm of 2 people that may be assisting other customers and cannot address your business needs for days.

If you are interested in protecting your business, its information assets, and the systems that help it operate while maintaining a fiscally sound approach we would like to speak with you. Network Management Solutions can be reached at 908-232-0100.  Please contact us for a free, confidential discussion to learn more about how we can assist your organization.

What Applications Are Running In Your Network?

Do you know the answer?  While perhaps your company is well equipped and can answer the question, many small to mid-sized companies cannot. If you find that you are among the firms that cannot answer the question you should take an interest in knowing.

Why you ask?  Here are five important reasons:

  1. Financial – Computing and network resources are costly. Resources that are utilized for non-business purposes consume precious resources and cost the company money. Some personal communications may be acceptable but there are limits that certain individuals might take advantage of.
  2. Security – Unauthorized or rouge applications may impact information security. When properly utilized as part of an overall strategy, applications such as Dropbox or Google Drive may be great for your business. However they may also provide a platform for lost data, data leakage, or theft if being utilized without company knowledge or appropriate safeguards. The problem may be further compounded when an employee has resigned and maintains the information stored on Internet devices.
  3. Productivity – It may be within the boundaries of your business policies to allow employees to use Facebook, Twitter, personal email, and surf the web within certain timeframes. Without being able to measure usage you may have undesired activity that negatively impacts productivity, is detrimental to the business culture, and or potentially creates a hostile work environment
  4. Piracy – Software piracy not only affects the developer but also the company that installs the software. An IDC study found that 37 percent of midsized companies that participated in software audits had pirated software within their environment. While there are obvious impacts to the developer with lost revenue and potential dissatisfaction of those using pirated software, many times pirated software contains vulnerabilities including viruses, worms and Trojans. Employee devices containing pirated software that are used within the business environment can contribute to compromise of  the company network.
  5. Reputation – With all of the online media your business reputation can suffer serious harm. Social media can help spread news around the globe in a matter of moments. With companies searching online for the products or services your company offers having bad things show up in search engines can directly impact your bottom line. News of a breach, low employee morale, or piracy can seriously damage the business reputation.

Engaging a consulting company that can perform regular audits of your business infrastructure or managed service providers that can monitor activity in real-time can be a cost effective solution to the problem.

Network Management Solutions has been providing pragmatic solutions for business since 1996. For more information please contact us.

Social Engineering An Ongoing Security Threat

There have been numerous high profile data breaches including companies such as Home Depot, Dairy Queen, Lowes, Goodwill Industries and Jimmy Johns.  The commonality between these organizations is that they were all Point of Sale (PoS) breaches.  Malware was planted within the PoS syststem that enabled credit card data to be stolen from unknowing customers at checkout.

While state laws mandate disclosure of certain breaches, the manner in which a breach occurs is generally not part of the disclosure. The most recent round of PoS breaches have been blamed on 3rd party vendors that supply the PoS hardware and software with speculation that all began due to a compromise of login credentials.

Unfortunately most breaches go on for months with the compromised organization being notified by law enforcement and not their internal security or IT staff. In the case of the Backoff malware used to compromise PoS systems the virus was detected in October 2013 however antivirus products did not identify it until August 2014. The United States Secret Service currently estimates that over 1,000 US businesses are affected.

One frequent way in which these types of compromises commence and login credentials are compromised is through social engineering.  While there are ways to reduce the impact of lost or compromised credentials we want to focus on the threat imposed by social engineering.

Social engineering is the art of manipulating individuals to divulge confidential information such as passwords, account information, or to allow the attacker to gain control over their computer. The goal of the fraudster is to secure a foothold into the target organization before the target has had an opportunity to think. An adept social engineer relies on an individual’s innate trust in order to garner the information they are after.  Depending on the organization, it is generally easier to socially engineer a foothold then to exploit technical vulnerabilities.

Social exploits can come in the form of an email, text message, phone call or otherwise. Messages may have malicious content sent as attachments that contain malware.  In other cases the target might click on a embedded link in a message that downloads malware or requests confidential information such as network login credentials, banking information or personal and private information such as DOB, SSN, etc.  Common scenarios often used to bait targets includes being told they have won something, their computer needs repair, a friend is in need, or a charity is looking for support.

During this year’s Social Engineering Capture the Flag (SECTF) competition at DEF CON 22, nine teams placed cold calls into a variety of large retailers including Home Depot, CVS, Costco, Lowe’s, Macy’s, RiteAid, Staples, Walgreens, and Walmart to glean confidential information.  According to an article covering the event none of the retailers did well enough to pass.

Prior to the competition each team scoured public records from open source information databases to assist each team to understand the target company better and devise its approach. One team discovered that a retailer’s public website contained a portal to its corporate intranet. This portal connection provided access to the internal network without employee credentials. In addition the website itself contained an online instructional document on how to access the intranet with a sample login username and password that was functional. Once the team discovered this information they went no further. Unknowing the company had created a major vulnerability that left the door open for hackers to further exploit their internal systems.

Does your IT department have the ability to recognize serious architectural flaws which could lead to hacking? Are third party resources engaged to review your security posture on an ongoing basis? How well does your company prepare its employees to recognize potential social engineering attacks? Are employees prepared to resist the temptation to click on links when a prize has been offered or a fraudulent email advises that their login credentials need to be updated, or question a caller posing as an IT worker, BEFORE acting? It only takes one employee to slip for the organization to fall prey to a social engineering attack that could result in a serious breach. Training must be provided on an ongoing basis if the organization is to withstand a targeted attack.

Network Management Solutions has been assisting organizations to build, monitor and protect their information assets since 1996. Please contact us for further information and assistance.

Security Risks Imposed By The Use Of USB Drives

Portable flash drives also called thumb drives, USB drives or memory sticks have become commonplace.  They offer high capacity data storage and portability of information between computers easily plugging into USB or FireWire ports.   Flash drives have become novelty giveaways at trade shows containing marketing material or other information the presenter wishes to convey.  USB drives offer convenience but they don’t come without some potential security risks to your business .

So you now can carry around terabytes of data in your pocket, that’s great but it also means you can easily misplace the data stored on the device.  Considering your line of business and what you or your or your employees might store on the drive you may have regulatory issues to address.

While covered entities (organizations that maintain regulated information) need to report lost or stolen computers containing personal and private information such as social security numbers or healthcare information, or other sources of data leakage, the same holds true for portable data storage devices.  Not only do these requirements apply to your business they also apply to any business partner you might engage to work with protected information on your behalf.

Earlier this year a small Massachusetts physician practice was fined $150,000 after the theft of an unencrypted USB flash drive containing the medical records of 2200 patients from an employee vehicle.  The fine was levied principally due to the failure of the organization to have conducted a risk assessment in using flash drives and putting in place proper data handling and notification procedures.

Hackers write custom viruses that target USB drives as the threat is easily ported between computers by simply plugging the device into its USB port.  Making certain that anti-virus software is up to date and that flash drives are scanned when plugged into a computer is essential to blocking such threats.  Some organizations go so far as to turn off the USB ports on their computers to stop viruses from being imported via employee USB memory sticks.

So what should an organization do to protect itself?  Here are some recommendations:

  • Consider if USB or other portable drives should be utilized within the business.
  • If so, is this a necessity or more of a convenience and are there other ways to produce the same outcome?
  • Consider what data is permissible to be stored on flash drives and who within the organization may do so.
  • Develop policies and procedures that cover acceptable use, storage, handling and notification procedures should a drive come up missing.  Share these documents within the organization and hold your employees responsible for following them.
  • Encrypt sensitive data stored to memory sticks.  The best encryption is hardware based and not all memory sticks are the same.  You can get more information here on the best devices.
  • Password protect thumb drives and consider using tamper proof devices that can overwrite the contents if a maximum number of password attempts is reached or the device case is tampered with.
  • Maintain all computer based antivirus software and scan all thumb drives as they are inserted into computers.
  • If you must use USB drives store them in a safe place where they will not be lost or stolen.
  • Do not allow personal USB drives, or company data to be stored or accessed on personal use machines.  If your employees work from home provide a business computer that is secured and maintained by the business.

Network Management Solutions has been providing pragmatic solutions for business since 1996.  For more information please contact us.

Securing Your Desktop Computers

Perhaps you were aware that support for your business computers using the Windows XP operating system was being discontinued as of April 8, 2014, maybe not.   Were you able to compile an inventory of the Windows XP machines in use at your business or in virtual home offices of your employees and upgrade them?  Why as a business owner, office manager, or IT support person should you care and be motivated to come up with a plan if you have yet to?

Your business is vulnerable.  According to global security solutions provider Symantec, over 30% of targeted spear phishing attacks during 2013 were aimed at companies with less than 250 employees.  End of life support by Microsoft for the Windows XP operating system eliminates critical support updates that help ensure the security and reliability of the operating system as well as on-line technical information updates that help techies resolve issues when PCs have problems.  If you think that your virus software will protect your XP computers, you are mistaken.

Cyber criminals target organizations to steal and or store stolen information.  Small businesses are targets since stealth attacks or the storage of stolen information can persist for long periods of time without detection.  Targeted attacks result in malware being planted within an unsuspecting company that then provides hackers access to the target company’s computers.

As a business, you may have both legal and regulatory compliance issues, if you process credit cards and or store personal and private information such as social security numbers, driver’s license numbers, bank and credit/debit card numbers, healthcare records, etc.  Even if you don’t have such information, the loss or compromise of your company intellectual property and bank accounts, client data, and other sensitive information can lead to significant reputational harm, financial losses, and legal problems.

In an article published earlier this year titled “Why Your Small Business Is at Risk of a Hack Attack” Entrepreneur provides an overview of what is happening with the world of cyber crime.  This is a quick worthwhile read if you want to learn more of how and why your business may be a target.

Network Management Solutions has been helping companies address business driven technology issues since 1996.  We are currently serving a variety of customers within New Jersey, New York, and the surrounding metro areas of New York and Philadelphia.

You may contact NMS to schedule a free one-hour no obligation consultation to discuss your concerns.  We will provide expert advice in simple business terms on how to best address your issues through NMS or another provider.  NMS can be reached by phone or email at 908-232-0100 or info@nmscorp.com.  More information on Network Management Solutions can be found at www.nmscorp.com.

 

Proactive Security Management of Information Technology Assets

The management of security updates, critical server patches, anti-virus software and backup management are critical tasks in the proactive security management of information technology assets.

Unless your organization is proactively managing these critical elements the security of your information is at risk. Server and desktop management must be supported by structured operational plans.  Weekly server updates to patch OS deficiencies, security vulnerabilities or otherwise performance or availability related, need to be applied.  Additionally application updates also need to be applied on a regular basis to ensure the best application performance, availability, and security.    These same actions need to also be administered at the desktop as many security exploits are launched against desktops so proper patch management is critical.

While anti-virus and regular updates are a must some custom viruses operate outside of addressable memory and many go undetected.  It is therefore critical that comprehensive security suites be utilized that identify anomalous network or application activity which may have been a result of defeated anti-virus software.

Another critical activity to mange the security of information is a comprehensive backup management program.  This not only includes a  full and incremental backups but ongoing tape rotation to secure facilities and regular testing to restore data from backup media.  Testing restore capabilities to ensure viable backups will pay many dividends when lost data needs to be recovered.

While information security programs go far beyond these simple practices outlined pragmatic management of security updates, patches, data backup and restore capabilities are a critical component to ensure the security of your data.