storage

The Modern Office and Security: What you need to know about protecting your business and its data

April 16, 2019 by securewebsite

One of the most critical components of the modern office environment for a healthy, scalable business infrastructure is security. It is the cornerstone of your IT for it protects the other components that your company needs to keep thriving and surviving in the modern marketplace. Today’s business security entails much more than just an anti-virus program and requires some pre-planning as well as a regular investment of time.

This blog covers the most important things every business should know about security. Additionally, it includes what business leaders should consider to best protect their organization, data, and clientele. As you will see, having the right security in place can make the difference between growing your business and shutting its doors permanently.

Secured Access

Every business should have secured access in place for both internal and external users on its network. As a modern company, both internal and external users will be accessing your data whether its email or highly-sensitive information not meant for prying eyes. This is important because data falling into the wrong hands can cost your business its reputation, revenue, and even its livelihood.

According to the 2018 Data Breach Investigations Report by Verizon, 73 percent of breaches were perpetrated by outsiders. This means your business data needs to be protected as much as possible and that external access to your network should be limited and monitored at all times. Hackers are always looking for a way to infiltrate networks. Phishing, ransomware, and malware were among the top means used by nefarious outsiders to access business networks in 2018. Of those breaches studied, 90 percent were motivated by monetary gain or strategic advantage (i.e. business espionage).

While you may believe that your business is too small for anyone to care about hacking its data, think again. A report by USA Today shows 61 percent of cyberattacks are aimed at small and medium-sized businesses. The same piece reported that a whopping 60 percent of small businesses close their doors for good within six months of an attack so it’s clear why security is so imperative to business survival in our modern society.

Though most breaches occur due to external sources, insiders can be just as dangerous to your business. Whether due to simple user error or something more insidious such as a disgruntled employee or cyber espionage, the aforementioned Verizon report concluded that 28 percent of breaches involved internal actors. Of those breaches, 12 percent involved privilege misuse. That’s why we always recommend implementing the practice of least privilege. This means allowing access to data only to those who require it to fulfil their job duties.

Email Security

Email is the bread and butter of communication for most modern offices. The use of email for both internal and external communications is a necessity for today’s businesses so securing it effectively is imperative. The issue is that it is also a major point of entry for many attacks.

A blog by CSO from IDG shows that 92 percent of malware is delivered by email. In addition, the blog stated that the average ransomware attack (which often occurs via email) costs a company $5 million. The same blog also stated that phishing attacks is one of the most common methods of email malware infection.

There is email and network scanning software available to help protect your business. At ORAM Corporate Advisors, we recommend Mimecast for email protection. It is a terrific solution to help organizations prevent email-borne ransomware as well as protect against the associated downtime and data loss such attacks can cause. ORAM recommends Mimecast because it “safeguards employee communication and reduces risk with targeted protection, data leak prevention, and enforced security controls.”

Mimecast, which I mentioned above for email and network scanning, is also an excellent solution for data loss prevention. Its data loss prevention solution scans all emails and file attachments and identifies potential leaks using flexible polices based on keywords, file hashes, pattern matching, and dictionaries.

Another piece of modern technology you’ll want to have in place is multi-factor authentication. Multi-factor authentication is a security system that requires more than one method of authentication to verify a user’s identity. This can range from requiring passwords that must periodically be changed by legitimate users to requiring a one-time PIN provided via smartphone for access. It adds an extra step for employees to access your network but it will help ensure your business’ data security.

In addition to software, we also recommend that employee training become a regular event. Every business should offer employee training during the onboarding process and at regular intervals throughout the year (every six months) to every employee. They should be trained not to click on email attachments or to follow links in emails from unknown or untrusted sources. Employees should also be taught to verify emails with links and attachments with a trusted source before opening them if something comes into their email that they weren’t expecting. While this training can take some time, it can prevent a costly breach later on.

Manage Your Network

While securing access to your network is important, managing your network is even more imperative to keep business operations running smoothly. Your network houses your most critical data while supporting the daily workflow and processes of your business. That means maximizing uptime, optimizing network capacity and utilization, and ensuring its protection.

There are a great deal of pieces that comprise your network and all of them need to be addressed on an ongoing, regular basis. Start with a network technology assessment and auditing. This will tell you where your network is in terms of optimization and data security. By assessing where your network is now and taking a full audit, you will be able to tell where your strengths and weaknesses are to tweak it to work at full capacity for your business needs.

In addition to regular assessments and audits of your network, you will need to plan ahead for storage, disaster recovery, business continuity, and more. Here are some of the things that go into managing a business network:

Email Continuity
IT Asset Tracking and Reporting
High Availability Services
Cloud Solutions
Network Design, Implementation, and Support
Data Assessment, Analysis and Recovery
Security and Monitoring Services
Workflow Assessment and Optimization

Up-To-Date Security

Your business should also have up-to-date technology security in place. You will want to ensure that your company has installed intrusion prevention software on all of its data networks to keep hackers from getting their hands on your information. You can check to ensure you have such software in place during the audit process.

The intrusion prevention system we use at ORAM is Cisco hardware that scans on a network level. It scans everything going into and out of your network to ensure that your network traffic is safe. This could catch someone maliciously trying to access your internal network, bad email attachments, and other threats.

In addition, you will want to put together policies for your employees that protect your business. Ensure you have a solid computer use and data loss prevention policy in place so employees know exactly when and for what purposes they can use their company devices. Make it clear what sites they should not visit and what the repercussions are for visiting non-work related sites on business devices.

You’ll also want to have a password policy in place so employees are not using the same passwords for multiple accounts or old passwords that could leave them at risk of being hacked. Passwords also need to be strong so encourage your employees to develop passwords that use letters (both lowercase and capital), numerals, and special characters. There is even software available to prompt your employees to change or update their passwords over time. You may even offer your employees a password manager so they can easily recall their passwords.

Many enterprise businesses are also moving to the cloud. Not only does this allow for greater flexibility for your employees, but it can offer greater data security. When you save both to your local network and the cloud, you have your data backed up. This is ideal in the event of a disaster and will get your business up and running again with less downtime or the worry that valuable information can’t be recovered.

Don’t Forget Your Physical Security

Remember that all data is not digital. Whether you have data files stored in locked filing cabinets or your HR employees are printing personally identifiable information (PII) during tax season, the physical security of your business is just as important as its digital security. You don’t want someone walking out with printed files or sifting through your garbage to steal information.

ORAM recommends that all businesses have a clean desk policy. This means requiring that all employees keep their desk clear of papers, notes, and other information that could lead to a breach or loss of information if it were to fall into the wrong hands. When they are not as their desk, employees should have a clean desk since everything should be put away, hopefully under lock and key.

Businesses should also limit physical access to certain areas such as file storage areas, server rooms, and other places where information is stored. If an employee doesn’t require that access to do their job on a regular basis, they shouldn’t have access. Such areas should be locked with limited persons possessing keys for access. We also recommend adding video cameras at data rich entry points to protect against a physical breach. This small addition will let administrators know who accessed the area(s) and when they did so which will help in an investigation.

Finally, you’ll want to ensure that all data is properly disposed of. Shred all hard copies before tossing paper information and consider hiring a disposal company that handles this type of waste. Don’t leave such waste out on the curb for anyone to take. Ensure the company will come in to gather paper for disposal. In addition, make sure that valuable paper data isn’t thrown into the recycle bin but is shredded before being thrown out. When it comes to cyber espionage, dumpster diving isn’t unheard of.

Have a Plan

Every business should also have a written information security plan (WISP) in place. It should include everything from regular IT audits to employee training. There are many mistakes that businesses make when it comes to backup that are completely preventable. Your WISP will outline effective administrative, technical, and physical safeguards specific to your organization to help prevent such mistakes. It will also define security measures for your business, protect against anticipated security threats, and unauthorized access. The WISP for your business will put safeguards into place to protect your data. It will also help you and your employees know exactly what to do and who to contact if disaster strikes.

If you need help with securing your modern office or want more information about building stronger security for your business, contact ORAM today at (617) 933-5060. Our experts are always here to assist you in bettering your business and data security.

IT Tips for Today’s Tax Professionals

April 2, 2019 by securewebsite

With tax day just two weeks away, many people may have their minds set on getting their taxes filed fast if they haven’t done so already. Tax professionals always find themselves swamped from February to May with businesses and individuals alike trying to finish up their taxes for the previous year. As a result, information technology (IT) may not be on the top of your mind as a tax professional but it should be.

With all of the personally identifiable information (PII) tax professionals work with on a daily basis from birthdates to social security numbers, IT security is a must to prevent breaches and data loss. Here are some top tips to keep your tax business and your clients safe.

Don’t Get Phished

Phishing emails are one of the most common ways hackers target businesses through email according to the Internet Security Threat Report Volume 24 by Symantec. “Employees of smaller organizations were more likely to be hit by email threats- including spam, phishing, and email malware- than those in large organizations,” according to the report.

Learn how to recognize phishing emails and train your employees to do so as well. Emails from unknown sources, especially those coming from someone pretending to be the Internal Revenue Service (IRS), e-Services, a tax software provider, or cloud storage provider should be deleted. Be sure to never open any link or attachments in suspicious emails as this is how the bad guys access your email and network. Note that the IRS never initiates initial contact through email with tax professionals regarding returns, refunds, requests for PII or other sensitive data.

The Symantec report does offer some good news in that “Phishing levels declined, dropping from 1 in 2,995 emails in 2017, to 1 in 3,207 emails in 2018.” This may be the result of better training and anti-phishing software. Be sure to keep your employees trained so your business isn’t phished.

Draft Your Data Plan

Every business, especially those in industries that are highly regulated or those that are often targeted due to the sensitive information they handle, should create a data security plan. When it comes to tax professionals, your security plan should use IRS Publication 4557, which addresses the proper safeguarding of taxpayer data. You will also want to look at Small Business Information Security- The Fundamentals developed by the National Institute of Standards and Technology, a non-regulatory federal agency charged with promoting U.S. innovation and industrial competitiveness.

These standards outlined in these publications will help you develop a data security plan that meets rigorous standards and the individual needs of your tax business. If you need assistance developing a data security plan, third-party vendors such as ORAM Corporate Advisors can handle this for you through an IT assessment.

Security Software

You’ll need to review the internal controls your business has in place to protect its data. Start with installing anti-malware and anti-virus software if you haven’t already done so, or if you have, you may want to update the software you have in place. This will need to be done on all of the devices used for business from laptops and desktops to routers and tablets. Don’t forget about your phones as well. Be sure to keep your security software set to automatically update as software companies push out updates and patches regularly.

Powerhouse Passwords

Be sure to use passwords that are powerful. Use a mix of at least 8 or more upper and lowercase characters, numerals, and signs in your passwords. Ensure your passwords are strong and unique for each different login you have. While this might seem overwhelming, there are a number of password managers available that can help you keep them all straight.

You will also want to password protect every wireless device in case of loss or theft. Use a phrase or words that are easily remembered and periodically change your passwords. Finally, never use old passwords and use multi-factor authentication wherever possible. Be sure to train your employees on these password best practices as well.

A Prescription for Encryption

In addition to strong password protections, one of the best ways to secure data in your tax business is to encrypt sensitive files and/or emails. In a worldwide survey of businesses by Statista, encryption was “employed extensively” by 63 percent of enterprises in 2018. Another 24 percent of businesses survey by Statista said encryption was partially deployed in their company databases. There are many types of encryption software to choose from. At ORAM, we recommend Mimecast for email encryption. For full-drive encryption, ORAM recommends eSet Endpoint Encryption so you can encrypt your sensitive files when they are in storage.

Back It Up

Be sure to back up all of your sensitive data to protect your business in the event of a disaster scenario. Ransomware is rampant, viruses can infect your network, and natural disasters such as fires and hurricanes can wipe out your data. To ensure that you always have access, have a backup plan in place and know exactly what you are backing up and to where. See ORAM’s blog on “The Biggest Backup Mistakes Businesses Make” to learn what to avoid.

Proper Disposal

Make sure that when you dispose of data, it’s being done so properly. Whether you are super shredding hard copies of data or replacing old computers, be cognizant of how you do it. All of your old computer hard drives should be wiped clean or destroyed before you dispose of them. This is also true of printers which can also store sensitive data.

Limit Access

Limit access to taxpayer data to only those employees who require it to fulfill their job duties. This is meant to protect both your client data as well as your own business. While many breaches happen due to outside sources, internal threats are still an issue in organizations around the world.

As a matter of fact, an online article from Security Intelligence reported that insider threats account for nearly 75 percent of security breaches. Disgruntled employees, those recently let go, and others may be ready to turn on your business to make a buck or out of spite. In the IT world, this limited access is known as the practice of least privilege. Be sure to employ it to protect your business from insider threats.

Check Your IRS e-Service Account

Be sure to check in on your businesses IRS e-Service account on a weekly basis. This allows you to ensure that the number of returns your business has filed with its EFIN is correct. If there are any discrepancies with the number of returns filed, contact the IRS immediately. Additionally, you will want to report any data theft or loss immediately. You will need to determine the appropriate IRS Stakeholder Liaison with whom to report the loss.

Keep In Contact

Stay in contact with the IRS and keep abreast of new developments though a subscription to the e-News for Tax Professionals, the latest national and local IRS news. QuickAlerts sends important messages, within seconds, to keep you up to date on the events that affect authorized IRS e-file providers like you. You can also keep in contact with the IRS through various social media as an authorized IRS e-file provider.

The IRS also has a Data Security Resource Guide for Tax Professionals that details the signs of data theft, teaches you how to report data theft to the IRS, and provides a number of data theft links. We recommend all tax professionals download the guide and read through it so you are prepared for a worst case scenario. This way you won’t be struggling for resources when you’re already under stress.

If you need more assistance securing the data of your tax business, please contact ORAM today at (617) 933-5060 or visit us online. We are happy to schedule a free initial consultation to get your tax business on the road to better security fast.

Technology Assessments: What they are and why every business needs them

December 11, 2018 by securewebsite

Information technology, or IT as it is known in most modern business settings, can be a challenge for small to medium business owners. Whether your business may have its own IT expert in-house or be too small to employ its own, your organization uses IT every day. Government regulations change regularly and growth means IT needs to adapt, too. Additionally, the world of technology is always experiencing new development.

That’s where technology assessments come in. Every business should undertake an annual technology assessment to ensure its IT needs are being met. Here’s a look at what technology assessments are, the purpose behind them, and what types of things they evaluate.

Technology Assessments
Every organization uses technology. Whether your business is using the internet for ecommerce, your non-profit is building a new business website, or your company is sending and receiving emails, you and your employees utilize IT. As your business grows, the complexity of your IT does as well. This can be a challenge for small to medium businesses, however, as they often don’t have the budget to hire a full-time employee to handle such matters. Even if you do have IT staff on hand, they may be so busy that a third-party such as ORAM may be the key to getting your annual IT assessment done quickly and efficiently.

This is where an independent technology assessment comes in. Such assessments evaluate multiple aspects of your existing IT to determine if what you have is effective enough to cover your growing organizational needs and, if not, what changes need to be implemented. Just as you should see your doctor every year for a full physical, your company also requires an annual IT checkup.

The Purpose of IT Assessments
The costs of IT are rising every year, the complexity of IT planning is becoming increasingly difficult, and regulatory compliance is beginning to overwhelm organizational leaders. An annual technology assessment can tell you what your company currently has in terms of IT to overcome these obstacles versus what it really needs to achieve your technology and business goals.

An IT assessment should cover several aspects of your business technology including:

• Strategically evaluating whether your IT infrastructure is ready to grow with your business.
• Identifying areas of opportunity to improve your business processes and reduce your IT costs.
• Pinpointing any “red flag” areas that require deeper analysis and adjustments.
• Prioritizing your IT investments to reflect your business strategy.

What They Do
Information technology assessments examine your existing IT infrastructure and business goals such as growth. Through this audit of your business’s current systems and processes, it can be determined if they are effective at meeting your organizational goals.

For example, if you operate a law firm that wishes to grow by 10 percent each year for the next five years, your IT must be able to adapt to the changing needs of your law firm. In addition, you are bound by several governmental regulations such as the protection of your client’s personally identifiable information (PII). This means you must have achieved a certain level of security to meet those requirements with your IT.

An annual assessment can determine if the IT your business has in place is capable of handling these requirements and, if not, what adjustments need to occur. A strong technology assessment will answer the following questions:

• How is the health of technology in my organization?
• Is my business using technology to its fullest extent?
• Can my existing technology accommodate growth?
• Is my company exposed to risk that can be avoided with proper planning?

What They Cover
Just like a physical, an IT assessment comes with a checklist of things that are covered to ensure the best IT health and the lowest risk to your organization. Areas that should be covered in your IT assessment include the following:

• Physical assets: Servers, desktops, laptops, telephones, networks (internal and external), Peripherals (scanners, printers, copiers, etc.), and data management and tracking (such as storage and disposal)
• Applications: Desktop programs, email management, accounting and other business-critical applications, document management, security programs, and your organizational web site
• Policies, Procedures, and Processes: Business continuity plans, disaster recovery, change management, security management, on-boarding and off-boarding of employees, ongoing IT training, and help desk
• Partner & Vendor Management: Collaborations, sales, purchasing, software licensing, voice and data circuit providers, third-party service providers
• Industry or Business Specific Details: Government-issued regulations, industry requirements, and unique company needs

This list of items is reviewed by conducting interviews with key people in your business and through checks of your business infrastructure. During the interviews, you or your IT staff will be asked to answer specific questions about the technology in place that supports your organization. You will also be questioned about your business and its goals.

When ORAM conducts a full technology assessment, we have a list of 300 questions that thoroughly examine everything from your existing IT policies and procedures to your key IT assets and their settings. We also look at the infrastructure of your organization to determine what you have, how well it works, and what you need. All of this is wrapped up into a results report specific to your company.

Results-Oriented IT
All of the data gathered during the assessment is put into a final report that will allow business leadership to make informed decisions about the IT of your company. In addition to the current status of your IT health, recommendations will also be made to keep your business operating smoothly, protected against threats, and compliant with industry and/or government regulations. Business leadership should review the results to determine what steps to take in order to keep moving forward with safe, effective, and efficient IT that meets business goals within their budget.

The final report is also a terrific means for documenting your IT and planning business continuity in the event of a disaster such as a breach. While this is a wonderful report that can do much to support your business health and goals, it does need to be updated annually to address the changes in technology and your company.

Why Every Business Needs IT Assessments
Since every organization uses IT, every business needs an annual technology assessment. The final report is not only a document that keeps businesses on the cutting-edge of technology and security, but also provides assurance that government regulations are being achieved. Finally, it gives leaders a look at the IT health of their company and acts as a roadmap to guide them through the necessary changes to their existing technology that will allow them to achieve their desired outcomes in the future.

If you are interested in a short, free technology assessment by ORAM, a full technology assessment, or simply have questions regarding your organization’s IT, please contact ORAM at (617) 933-5060 or visit us online today.