Is Your Tech Ready For Winter?


I have not been blogging much over the last two weeks due to a personal matter that has consumed my time.  I did however publish the following in yesterday’s Foster’s and Seacoast Sunday.  I hope to be back to regular blogging over the next week or so.

With the colder temperatures, stronger winds and early snow, it’s all a good reminder that you should be prepared for winter weather events, especially as the snow flies.

Making sure your workforce is prepared for snow emergencies is one of the simplest things you can do. Even if you are still maintaining a traditional on-premise IT infrastructure, where your servers and all of your business applications reside within your office, it’s easier than ever to provide secure remote access for your team. When the snow is flying, or the roads are icy, people should be able to easily work from home and maintain near complete productivity. The key is how you have things set up.

With on-premise infrastructure, one of the most important, and surprisingly often overlooked, elements is power. Power outages are common during major snowstorms and even if you rarely lose power, you still need to be concerned about even the briefest interruption. The best option for this is a generator, but not every business can afford a generator. Next best is sufficient UPS, uninterruptible power supply, backups. These batteries will keep the infrastructure running and properly shut it down when the battery becomes low. UPSs, properly configured, will also safely power systems back up when utility power is restored. While a good option, UPSs with sufficient battery capacity are expensive, so you may only be able to keep things running for tens of minutes and not throughout an event.

This is where hybrid systems that leverage the Cloud are really the way to go. With critical business systems in the Cloud, coupled with an appropriate on-premise component, your business will be able to survive even the longest of outages, whatever the cause. Most businesses have already moved their email to the Cloud, so what tends to be the most critical communication component will keep working. Organizations that have installed Cloud hosted Voice over IP phone systems are also able to maintain their telephone services during outages like we are talking about. And when your most important business applications are also hosted in a Cloud data center, you will be able to work as if you were sitting at your desk, from wherever you may find yourself. This is the ideal scenario.

Secure remote access to all of these systems has really become the de facto standard. You may notice that more and more of the applications you use seem to run in a web browser. When you look at the address, the URL of the application, you will see https, indicating the application runs securely over the Secure Sockets Layer protocol, encrypting all of the information exchanged between your computer and the application, wherever it resides. Even if you are using a locally installed application that runs on your computer, it’s likely using a secure protocol to connect.

Additionally, you may have a secure Virtual Private Network, or VPN, that you use. VPNs secure your internet traffic by encrypting everything, ensuring all traffic from your computer is secure. VPNs have become pretty standard fare and while they used to be a bit cumbersome to work with, that is no longer the case.

One other little thing to be aware of: As temperatures fall, battery life decreases. Batteries last longer in warmer temperatures, so especially when you are outdoors, be mindful that your smartphone battery may discharge a bit more quickly in the cold weather. Battery technology continues to improve, so it’s not nearly as problematic as it used to be, but be aware it may happen, especially as your batteries age.

Missing IT Nation

This week marks the annual IT Nation industry conference.  I have attended the annual IT Nation industry event every time but one, the second year, when I had a personal conflict and was unable to be there.  Back then, ConnectWise and their partner community were still small and Arnie Bellini, the CEO of ConnectWise, sent me a box with all of the event content and giveaways the week after, so I wouldn’t miss out on the learning opportunity.  This year will mark only the second time I have missed the event since its inception as the ConnectWise Partner Summit in the early 2000s.

ConnectWise is one of the leading Professional Services Automation platforms in the IT industry.  It’s the CRM, MRP, Accounting, Procurement system and more for companies that provide IT services globally.

This event has matured, from the ConnectWise Partner Summit to IT Nation and now to IT Nation Connect this year.  From the event About page:


Connections, Opportunities & Know-How to Accelerate Your Success

IT Nation 2018 welcomes technology industry leaders and professionals from around the world to experience three impactful days of speakers, sessions, and networking focused on business best practices, thought leadership, and growth.


I will miss being there this year.  I always came back from this event with several actionable items to implement in our business to make us better and serve our clients better.  Events like this are important opportunities to not just hear from key vendors in the business, but to share best practices and learn from peers.  It’s also an opportunity to share some of our successes, to help others and to be known as a member of this business community.  Some of my closest confidants and friends in the industry were met at this event over the years.  We stay in touch throughout the year and look forward to seeing one another at one or two events like this throughout the year.

It’s not uncommon for my phone to ring several times a year and have it be a friend I met at IT Nation, checking in and catching up.

To all my industry friends, I will miss seeing you this week.  I hope you all have an amazing week at IT Nation.  And please, once you settle back in and process what you learned this week, give me a call and share.  I’d love to hear all about it and will gladly share what’s happening over here with me 🙂

Be Cyber Vigilant All Year Long


The following was published in yesterday’s Foster’s and Seacoast Sunday.

If you are a regular reader of my articles, you know October was National Cybersecurity Awareness Month. I have written about this for several years now and include links to resources to help you remain secure online. Now that we are in November, the hope is that these issues do not fade from the forefront.

If you’d like to review the various resources available from National Cybersecurity Awareness Month, visit https://staysafeonline.org/ncsam and review the Resources link for a wealth of information, tips and more.

Especially with election season in full swing, everyone should have a heightened awareness of cyber threats. Hopefully, you are well aware you should be suspicious of just about everything you see posted on social media, even from your “friends.” Unless your “friend” is someone you know extremely well, you should be suspicious of anything they post, especially links to “news.” Take the time to verify what you read online; don’t just take it for granted. Sites that seem quite legitimate may be facades for radical groups or even foreign actors looking to influence our elections and social discourse.

It’s not at all difficult to validate sites and check news for credible sources and reporting. Organizations as diverse as NPR, AARP and many, many others offer several suggestions to help you validate the source of your news. I encourage you to invest a little extra effort to verify what you read as news and be sure you are making decisions based on credible, verifiable sources. It’s more important than ever.

Hopefully, you read and took heed of some of the key themes of this year’s National Cybersecurity Awareness Month. One of the most basic themes was Lock Down Your Login. This is so easy to do, yet it is the thing most often overlooked. Simple usernames and passwords are the most used method to hack into networks and steal data and identities. These credentials are just too easy to break through. You should not be using passwords that are easy for you to remember, because if one is, it’s likely a hacker will be able to guess it or use tools to brute-force their way through it and compromise your account.

Passwords should be replaced with passphrases, a sentence or collection of words that are easy for you to recall, but not easily breached. I’ve written about this a lot over the years, both here in the paper and online in my blog at https://mjshoer.com. Use a combination of letters, numbers and symbols, replacing letters in the phrase with numbers and symbols where it makes sense. You should also be using multi-factor authentication everywhere it is available. Your bank, personal and corporate email and just about every online site you log into should support multi-factor authentication. Use it. Newer computers running Microsoft Windows 10 support facial recognition to log in; enable it. Almost every portable computer has a fingerprint reader; use that. Just do it, as the famous Nike advertising campaign says.

Finally, though nothing is ever final when it comes to matters of cybersecurity, stay ever vigilant of phishing email campaigns. Don’t click links or open attachments you are not 100 percent certain of. If you get shipping documents, invoices or other attachments you are not accustomed to, don’t open them until you call the sender and verify they actually sent them. The same goes for links within email messages. Hover over the link and verify that the link is going to a valid domain associated with the company that sent the email. This is one of the easiest ways to spot a phish. The same goes for the sender’s email address.

Check carefully to be sure the sender’s name is not misspelled, even by just one letter. Check the name and check the email address attached to the name. These are simple steps that you should familiarize yourself with and regularly practice to stay safe online.

Please Use a VPN on Public WiFi


I’m sure you’ve heard the term VPN, which stands for Virtual Private Network.  Most people are familiar with it in the context of connecting remotely to their work network.  For those that aren’t familiar with a VPN, here’s a word picture I often paint to describe what a VPN does.

Think of a four-lane highway as the public Internet.  All the cars traveling on this highway are equivalent to each person’s Internet traffic.  As one car passes another, you can look at or in the car and possibly see some of what’s there.  This is akin to unencrypted traffic traveling across the Internet; it can be seen and watched by others.  This is why sending sensitive information across the Internet is not safe, as it may be seen by those it’s not intended for.  When you use a VPN, your Internet traffic is sent across an encrypted connection.  Think of an encrypted connection as being like those pictures you see in Car and Driver Magazine when they publish “spy” reports on the next model year of vehicles.  The vehicles are typically wrapped to conceal what they actually look like and the windows may be tinted so darkly that you can’t see inside.  This is like encrypted traffic on the Internet.  You know it’s there, but you can’t tell what it is.  When you establish a VPN, it’s even better.  It’s like putting a tunnel over one of the four lanes on the highway.  The “public” traffic is happily driving along three of the lanes, able to see one another and get where they are going.  The traffic that is being sent across the VPN is being sent in the new tunnel that has taken over one of the lanes.  You know there is traffic there, but you can’t see it or access it.  It can only be seen at its starting and ending points.  It’s the safest way to send data, especially sensitive data.

When you connect to a wireless hotspot in a public location like a town square, a restaurant, hotel, etc., you are connecting to a very “public” network.  You should never log in to your bank or other sensitive site over a public wireless network.  Unless you are using a VPN.  If you use a VPN when connecting to these public networks, then you can safely connect to secure sites and protect your traffic from being seen by others.  I have used a VPN for years, for this very reason.

There are many excellent VPNs on the market, but I am very excited that a company I trust a lot, Webroot, has a VPN specifically designed for WiFi.  Webroot has been an innovator in the cybersecurity space for years.  Their anti-virus/anti-malware tool, Webroot SecureAnywhere, is a leader.  They have now added Webroot WiFi Security.  If you already have an anti-virus/anti-malware solution that you are happy with, you can add any VPN easily.  If you are looking for a better anti-virus/anti-malware solution and a VPN, there is a great bundle of both available as well.

I encourage you to check out Webroot’s WiFi Security.  Whether you decide to use that solution or another VPN, just pick one and stick with it.  You’ll be glad you did and a whole lot safer as well.

It’s a Wrap! #CyberAware


Today is not only Halloween, it’s the last day of National Cybersecurity Awareness Month!

As a reminder, the major themes this year have been:

Make Your Home A Haven For Online Safety.

Millions Of Rewarding Jobs: Educating For A Career In Cybersecurity.

It’s Everyone’s Job To Ensure Online Safety At Work.

Safeguarding The Nation’s Critical Infrastructure.

Please be sure to visit staysafeonline.org/ncsam and browse the resources for a ton of helpful guides, tip sheets and other resources to help you be as secure as possible.

My friends at KnowBe4, a security training company that I work closely with, also have some excellent resources I’ve inserted here.  Feel free to share within your company to help maintain a culture of cybersecurity awareness well beyond today.

#CyberAware

You may click on each image to download the PDF version.


I’m Back!


I’ve been on vacation, so hope you haven’t minded the lack of posts 🙂  I’m back and want to share the latest article I wrote for Foster’s and Seacoast Sunday on the 21st.  Enjoy.


Small Businesses at Risk to Cybersecurity Attacks

In my last article, I wrote about October being National Cybersecurity Awareness Month. We have just finished week 3 and are about to move into week 4. Week 3’s theme was “It’s Everyone’s Job to Ensure Online Safety at Work.” Week 4’s theme is “Safeguarding the Nation’s Critical Infrastructure.”

When thinking about the workplace and the prevalence of small business throughout New England, the story is not a pleasant one. Too many small businesses think they are not at risk for a cybersecurity event. However, consider that in 2017, 61 percent of small businesses reported a cyberattack, up from 55 percent the year before. The average cost of these attacks exceeded $1 million, enough to bankrupt many small businesses.

All industries are impacted by cyberattacks, but the most targeted industries are financial services, technology and communications, manufacturing, retail and professional services. The reasons for the attacks vary widely, from financial fraud to identity theft to the theft of intellectual property, the lifeblood of many businesses.

The attack methods vary and defending against these attacks often feels like a game of leap frog. The bad guys figure out a way to penetrate a network and the technologists figure out how to block that attack. The problem is the attackers are sophisticated and have access to increasingly powerful computing resources, so they figure a new way around the defenses and the cycle starts over again, millions of times a day.

Defending your business is not a trivial task, but in the quest to secure businesses, especially small businesses, the most often overlooked thing is employee training. You must invest in training your staff to understand their role in protecting your business. From what they say on social media about their job to the email messages they open and the links they click, people are the last and most important line of defense.

I have heard too many stories where someone in an accounting department gets an email asking them to log in to a website to check something. It could be anything from an invoice to a tracking number or to update security information about their account. Messages like this are easy to spoof and get the person targeted to try to log in to what looks like a legitimate site, but they often get an error telling them their login failed and to try again. The problem is the site was fake and the hacker just captured the username and password the person was using. The hacker is often then able to access and monitor that accounting person’s email traffic and eventually will trick that person, or one of their colleagues, into initiating a fraudulent transaction that could cost hundreds if not millions of dollars.

The news is awash with stories similar to the scenario above. Law enforcement is overwhelmed with reports like this. If you haven’t lost millions of dollars, likely tens of millions, it’s unlikely law enforcement will be able to act on your case fast enough to help recover any funds. This is how real and present a danger these cyber threats are.

While this may all seem daunting, there are several things a small business is able to do to help protect themselves. Take the time to take inventory of your critical data and systems. Be sure you understand what you can live without and what you can’t. If you do ever suffer from a cyberattack, be sure you know what you need to continue operating while you assess the damage and recover. Also, be sure you have a communication plan ready to inform your staff, your business partners, your customers and if necessary, the public about what has happened to your business. Get in front of the matter, so your business does not suffer damage to its reputation and not just its technology.

Today’s cyberattacks are evolving nearly in real-time. Businesses large and small across all industries need to understand their risk profile, take appropriate steps to protect their technology infrastructures, educate their employees how to help protect the business and have appropriate response plans in place for when, not if, you are attacked. Try not to feel overwhelmed by the risks. Be prudent in your approach. There are plenty of talented professionals out there to help you understand and mitigate your risk. Just don’t ignore it.

Week 3 Tips #CyberAware

Week 3 of National Cybersecurity Awareness Month is all about protecting your place of work from cyber threats.  In addition to identifying what assets you need to protect, consider the following key considerations:

Protect your assets: Ultimately, your goal is to build a culture of cybersecurity that includes employees knowing how to protect themselves and the business and understanding the cyber risks as your business grows or adds new technologies or functions.

Use employee training to communicate the message and gain employee buy-in.  Don’t make this a one time event, have recurring training throughout the year to maintain a culture of cybersecurity awareness.

Be able to detect incidents: We have fire alarms in our businesses and homes that alert us to problems. In cybersecurity, the more quickly you know about an incident, the more quickly you can mitigate the impact and get back to normal operations.

While everyone has a firewall and anti-virus software, who is monitoring it?  Just the basics are not enough.  You should have intrusion detection and prevention and other security technologies in place that are designed to look for patterns that are not normal.  The tools alone are not enough, you need to have a qualified cybersecurity professional reviewing this information in real-time to catch potential risk.

Have a plan for responding: Having a recovery plan created before an attack occurs is critical. Make and practice an incident response plan to contain an attack or incident and maintain business operations in the short term.

You never want to put your head in the sand if you think you are the victim of a cybersecurity event.  You need to have a plan to rapidly respond and protect your business.  This includes internal communication and external communication as well.  Be sure you have a message that will contain the fallout and not risk damage to your business reputation.

Quickly recover normal operations: The goal of recovery is to move from the immediate aftermath of a cyber incident to full restoration of normal systems and operations. Like the response step, recovery requires planning. Recovery is not just about fixing the causes and preventing the recurrence of a single incident. It’s about building out your cybersecurity posture across the whole organization (not just the IT person or group), including increasing the focus on planning for potential future events.

Be sure the technology is in place to recover quickly and maintain business operations.  This may mean having to operate in a somewhat reduced state while the full impact is assessed.  You need to be sure you have reliable backups of your systems and the ability to bring them online in locations other than your offices, should the event warrant that.  Be sure you understand the concepts of RPO and RTO, Recovery Point Objective and Recovery Time Objective respectively.  You may have a Disaster Recovery (DR) Plan that addresses this, but do you also have a Business Continuity Plan (BCP) to account for ongoing operations?  You should.

Here are some helpful resources to help you assess these critical areas:

SMB Cybersecurity Awareness Toolkit
CyberSecure My Business
Federal Trade Commission’s Business Center for Privacy and Security
NIST Cybersecurity Framework
Better Business Bureau Cybersecurity

Welcome to Week 3 #CyberAware


This week’s National Cybersecurity Awareness Month theme is “It’s Everyone’s Job to Ensure Online Safety at Work.”  While you’d think this is obvious, it’s still not.


Consider these stats:

  • Verizon’s 2018 Data Breach Report, a highly respected annual report on the state of cybersecurity, notes that 58% of cybercrime is taking place in small and mid-size businesses (SMBs).
  • The cost of cyber attacks to SMBs was more than $2,235,000, on average.
  • The Better Business Bureau finds that more than half of small businesses would be unprofitable within a month if they were to permanently lose access to their critical data.
  • Nine out of ten small businesses report some basic security in place.  This consists of anti-virus protection, firewalls and employee education.

The first topic for this week is identifying your digital “crown jewels.”  This remains an annual part of National Cybersecurity Awareness Month, as knowing what is important is the first step to protecting it.

Check out the CyberSecure My Business resource page related to “Identify.”

There you will find a wealth of resources to help you identify your most important data and systems.  I encourage you to review all of the resources listed on that page.  I strongly recommend you watch the National Cyber Security Alliance webinar titled “Learn to Identify Key Assets and Data.”

Before you can implement an effective plan to protect your organization, you must take the necessary steps to understand what needs to be protected.  These resources will help you do this efficiently.  Get to it!

Why Careers in Cybersecurity? #CyberAware


As we continue along in Week 2 of National Cybersecurity Awareness Month, the focus is on careers in cybersecurity.  Consider some of these stats:

  • There will be 3.5 million cybersecurity jobs by 2021.
  • Cybercrime cost victims $3 trillion in 2015 and is predicted to double to $6 trillion by 2021!
  • The median salary for an information security professional was $95,510 in 2017, more than double the median average of all U.S. careers.
  • Most millennials look to their parents for career advice (40%).  That percentage rises to 57% when talking about cybersecurity careers.
  • Over the last several years, the number of teachers who talk with their students about cybersecurity has tripled.  This is great!

Here’s what you can do, especially if you are a parent:

  1. Volunteer at a school and talk about the growing career options in cybersecurity.  We can’t start too young.  Check out this link for resources you can use to start the discussion.
  2. Check out CyberPatriot and think about mentoring kids in a cybersecurity challenge event.
  3. If you know someone who works in the cybersecurity field, see if you can get them to come and talk with students or host an open house for students at their company.
  4. Educate yourself about cybersecurity careers so you can help spread the message.
  5. Work with your schools and school boards to educate them on the importance of cybersecurity education to help prepare our kids for their future.
  6. Visit CompTIA, the Computing Technology Industry Association and explore the resources related to cybersecurity education and workforce development.

Welcome to Week 2 #CyberAware

Today starts week two of National Cybersecurity Awareness Month.  This week’s theme is “Millions of Rewarding Jobs: Educating for a Career in Cybersecurity.”

It’s estimated that there will be more than 3.5 million cybersecurity jobs by 2021.  According to the Bureau of Labor Statistics, that’s a 28% growth rate over the 10 year period from 2016 to 2026.  It’s not just about coding anymore!

The most important thing we can do to help build our cybersecurity workforce is talk with our kids.  Too much of our public education system is focused on coding as the only IT career path.  To be clear, software development is an important and needed skill, but it’s not the only skill that our kids can pursue.  It’s our obligation, as parents and professionals, to educate our kids on all of the IT career options available to them, and cybersecurity is a significant area of growth and need.

There are some excellent resources available at this link to help start these conversations.  Download the tip sheet on that page and share it with your kids and your schools, to help start the discussion.

Veterans make up a significant group of individuals entering the workforce who have a strong foundation in cybersecurity.  Hiring veterans for careers in IT is a great way to bring highly qualified and motivated technical professionals into your company.  Many universities are now offering degrees in cybersecurity, so for college age kids or those pursuing higher education at a later age, there are more options now than ever.  If you are a cybersecurity professional, think about becoming a mentor in the workplace or at local schools.

If you know kids that may be interested, have them check out the excellent CyberPatriot site where they can learn more and participate in online learning and competitions.  Together, let’s build the next generation workforce of technical professionals that our country needs.