alt tag

Posts Tagged ‘data security’


7 Ways to Keep Work Secure on Employee Personal Devices

Monday, May 14th, 2018

Technology improvements have made it easy for employees to get work done on their personal devices from anywhere. However, that freedom comes with additional security risks and requires extra diligence to keep data secure. Safeguarding information is a combined process of utilizing technology and educating staff. The following considerations will help your business keep work secure on employee personal devices.

1. Always Update/Patch Software

Hackers invest time trying to find new ways to bypass security or take advantage of personal apathy and laziness.

According to PC World, failing to install the latest patches and updates for software is the top security risk for both business and private use.

Hackers can look for known exploits that the software creator closed and use them against people who haven’t updated the software to close that security hole. Unlike with business-owned devices, your business really can’t force employees to install software that will prompt updates, so it becomes a matter of training.

2. Use Cloud Apps

Cloud applications for both computers and mobile devices offer some excellent security benefits for your business, especially when your employees access them on personal devices. Cloud apps shift much of the data security burden to the server side, which alleviates many of the security problems that could come from traditional apps run on employee devices. Cloud email is an excellent example of this because the server can handle scans for phishing, malware and other malicious attacks before the content ever makes it to the employee device. Cloud apps generally run the most current software versions, so your business won’t have to worry about employees running updates.

3. Encourage Strong Antivirus and Anti-Malware Practices on All Devices

While employees don’t need to use the same security software your business runs on their personal devices, they do still need quality security software. There are many free and low-cost security programs for personal users that provide excellent protection. Your IT staff can help make recommendations for employees on personal devices.

4. Train to Avoid Phishing Scams

While security software and cloud apps do a great job of catching phishing scams, some still might slip through. That’s why it’s important to train your employees in how to identify and avoid phishing scams.

5. Use Strong Passwords, Password Managers and 2-Step Verification

Employees should also keep their accounts secure by using sophisticated access credentials. This means using 2-step verification for all accounts and programs when possible and using password managers to protect their credentials. Employees should be trained in creating strong passwords in the event that more advanced security techniques don’t work.

6. Practice Public Wi-Fi Safety

In general, employees should avoid using public Wi-Fi when working with confidential information. If employees are going to do work on Wi-Fi outside of the home or workplace, they need to be trained in identifying fake access points and how to tell if a library, restaurant or other business’s network is secure.

7. Consider Using Remote Wipe or Lock Software

As a final effort, your business should encourage employees to install software that allows them to remote wipe or lock mobile devices and laptops they are going to use for work purposes. That way if someone steals that device, the damage will be limited to the financial loss of the hardware and not related to a data security breach.

The IT consulting experts at MPA Networks can help your business implement both software and training practices to help keep your data safe when employees use their personal devices for work. You can read our previous blog on tips for managing remote employees for even more information on keeping data safe. Contact us today to learn more.

Training Employees in Data Security Practices: Tips and Topics

Tuesday, April 3rd, 2018

While there’s plenty of technology available to keep your business’s data protected, the human element is still the most important piece to consider in safeguarding your company’s data. Properly training employees to understand and implement data security best practices works best when your business makes a cultural shift toward prioritizing IT security. Successfully training your staff is half about knowing how to train them and half about knowing which topics to train them on. Businesses that embrace a proactive approach to training employees on data security will have a much better track record than those that take a reactive approach.

Training Tips

Don’t just make a plan: Implement a program that focuses on training all employees. Have your business take an active role in implementing a data security program. This ensures training is far more effective than simply creating security practices, offering one-time training and hoping it works.

By implementing regular security training meetings on changing topics, your business can train your staff on a wide range of concerns.

In addition, your company can benefit from focused training while constantly reinforcing security as a priority. Hold multiple sessions that get into each topic in depth to help your employees better understand data security.

Training doesn’t end when the session ends — it’s an ongoing process. As an extension of training, your security staff should frequently send out reminders about security concerns to help employees remember what they’ve learned. Make your data security training materials easily accessible in the event staff members see a reminder and realize they should read up on a topic if they’re unclear of what the reminder is about. Additionally, C-level staff, IT and supervisors should lead by example.

Training Topics

The bad news is hackers will always create new threats for your staff to worry about — but the silver lining is that you’ll never run out of fresh topics to cover. Because of the fluidity of data security, your program will need to change which topics are covered in training and continually adjust strategy to address new threats. The following list covers just some of the many topics training sessions can cover:

  • Strong passwords and more secure authentication practices: This includes covering two-step authentication when applicable.
  • Secure Wi-Fi best practices: Explore red flags to look for when using public Wi-Fi and discuss whether public Wi-Fi should be used at all.
  • Physical device security: Cover topics such as encryption and disabling devices remotely to minimize data leaks for stolen/lost devices.
  • Use policy: Reaffirm that non-employees shouldn’t be using employee hardware.
  • Device security: Discuss the importance of keeping software patched and running security software on devices.
  • Popular methods of attack: Cover security best practices for avoiding popular phishing, man-in-the-middle and ransomware attacks.
  • Social engineering threats: Discuss the importance of the user as an essential line of defense when software can’t protect from threats.
  • Three-copy backup strategy: Explain that data is also at risk of being lost rather than stolen, and explore key backups to minimize these losses.

Hackers and thieves are known to exploit human complacency in security practices — and frequent training sessions will help employees stay aware. Is your business looking to improve its security practices? The IT consulting experts at MPA can help; contact us today to learn more.

Cybersecurity and C-Level Execs: Protecting Data While On the Go

Monday, March 26th, 2018

While all employees need to be mindful of security, the nature of C-level executives makes them more attractive targets for hackers. That means it’s necessary for them to take greater precautions.

According to TechRepublic, C-level executives are more vulnerable than other employees because of the mobile tendencies of their work, and they are higher-value targets because of their access to confidential information. Hackers often use lower-level employees as a way to work up to C-level executives to get the information they’re looking for.

Because of their vulnerabilities and target value, C-level executives need to adhere to the strictest security practices.

Internet Access Security Risks

Hackers can do a lot of damage with little effort if executives connect their devices to unsecured networks. C-level executives tend to travel frequently, which can expose their devices to vulnerable Wi-Fi networks. Coffee shops, airports, hotels and exhibition centers are among the largest and most vulnerable network threat locations — and all are places executives tend to frequent. Executives may be working on unsecured Wi-Fi or even worse: hacker-implemented Wi-Fi masquerading as a legitimate access point.

Your company’s best defense against vulnerable public and private networks is to avoid the “penny wise and dollar foolish” mindset: Pay for an unlimited mobile data plan with tethering support for your executives. Using mobile 4G internet on the go eliminates the risks of using out-of-office networks, and tethering support will allow C-level executives to connect their devices that don’t have built-in 4G mobile network access. Your company can also invest in network tunneling, VPNs and other security measures.

Executive Data Access Is an Attractive Target

Consider this hypothetical example: Bob from H.R. has access to everyone’s Social Security numbers, while Janet from accounting has access to the company’s financial records. But Sam the CEO has access to all that information and more. Because of this, hackers view executives as the biggest fish in the sea, and they will target executives over all other potential targets. This is an even bigger problem on outside networks than within the office network because executives don’t have all the security technology that the office provides protecting them.

In addition to preventing the attack, it’s also wise to limit the amount of data access an executive has on devices they use when traveling — especially for international travel.

Executives should use “burner” laptops/phones that only have the information they need for the trip in order to limit data exposure in the event of a hack. For example, don’t store a payroll spreadsheet containing every employee’s Social Security number on a travel laptop.

A stolen device is also an important risk to consider, so your business should always use encryption and secure passwords on executive devices used when traveling.

Email Is a Primary Attack Avenue

Email security needs to be a priority: It’s everywhere, so it’s irrational to think executives will only read and reply to emails in an office setting. C-level executives are primary targets in “whaling” attacks — high-value targeted email phishing scams. The main concern is man-in-the-middle attacks, where a hacker poses as a trusted individual in a conversation. Technology can only do so much to safeguard against whaling scams. Hackers may learn a great deal about a specific target and tailor their methods based on that information — unlike a standard phishing scam that involves throwing out a generic net to see who falls for it.

IT security is important at all levels, but lapses at the executive-level can have disastrous results. The IT consulting experts at MPA Networks can help your business implement strong security practices so your company can avoid catastrophic security breaches. Contact us today to learn more.

Where’s Your Company’s WISP? Why You Need One NOW

Tuesday, June 14th, 2016

writing-1149962_640

A WISP is one of the most important documents for any company doing business over the Internet—which, in this day and age, is pretty much everybody. Who’s responsible for drafting and maintaining your company’s WISP? Or are you even sure what a WISP is? If not, your company is already at serious risk for additional legal action—lawsuits and punitive fines—following a data breach, whether the result of external hacking or internal human error.

WISP stands for Written Information Security Programessentially your company’s formal road map for safeguarding the privacy of customers’ Personally Identifiable Information (PII), as well as a response plan after a data breach—including customer notification.

WISPs are already required for companies dealing in financial services (the Gramm–Leach–Bliley Act) or medical health records (HIPAA). Additionally, most states now have their own laws governing data privacy standards for businesses.

Here in California, the California Data Protection Act (Civil Code Section 1798.80-1798.84) requires businesses to “implement and maintain reasonable security procedures” to ensure the electronic privacy of customers’ personal information—their names combined with any of the following:

  • Usernames/passwords for online accounts
  • Social Security/Driver’s License numbers
  • Credit/debit card numbers
  • Medical history/health insurance records

How Much Is “Reasonable”?

The tricky thing here is that the California law doesn’t define what “reasonable security procedures” really are. And if even one of your customers resides out of state, your company is likewise bound by the corresponding data protection laws in that state—such as Massachusetts, where a WISP is a legal business requirement. At a time when new corporate data breaches seem to grab headlines every month, a formal WISP program for any company—large or small—is just good common sense.

Cover All the Bases

What are the elements of a comprehensive, iron-clad WISP? Here are the essential points to cover:

  • The designated person(s) to administrate the WISP
  • An assessment of reasonably foreseeable risks to security/confidentiality of protected PII data
  • Locations where personal information is stored (electronic or hard copies, as well as access from portable devices)
  • Specific measures to safeguard confidential data (encryption, firewalls, security patches, or more)
  • Ongoing employee data security training, with disciplinary policy for WISP violations
  • Monitoring and review of the program’s effectiveness, annually or as necessary
  • Your company’s official breach response plan

The Commonwealth of Massachusetts offers a good WISP template for small businesses here.

Most importantly, if your company is partnered with a managed service provider or other third-party IT services, make sure they’re on board with your WISP program—that they’ll take time to assist in crafting your initial policy in addition to providing regular enforcement and documentation. We certainly will.