Category

Email Security

Need Better IT Security? Managed Security Service Providers are the Answer

By | Cloud Services, Data Security, Email Security, Managed Security

Meeting your business objectives is virtually impossible without a well-developed information security program. With businesses of every size and industry facing threats on a daily basis, comprehensive data security is now a primary need. However, many businesses don’t dedicate the personnel, time, or resources to maintain something that is always evolving. How can you address the constant barrage of hackers, malware, and phishing attacks and still stay in business?

The Importance of Managed Security

Cyberthreats are on the rise, and the technology used to launch these virtual offensives only gets more sophisticated with each attack. If you happen to have an experienced IT specialist at your disposable, you are one of the lucky few. Many small businesses lack the resources necessary to employ an IT professional, and even those businesses with full IT departments struggle to keep pace with cyberthreats. A Managed Security Service Provider, or MSSP, can offer premium IT services that are provided by highly-trained cybersecurity experts. Every aspect of data security for your business is covered, while an MSSP tackles cyberthreats so you can get back to running your business.

IT Departments Are Overwhelmed

It’s tough to admit when your professionals are stretched too thin, but outsourcing to a knowledgeable MSSP can offer relief to your entire organization. There’s no doubt that your IT personnel feel stress when a fraudulent email is opened and results in a system-wide crash, but all employees experience frustration when they can’t do their jobs. We work in a digital age that demands a reliable cybersecurity infrastructure. Even the best IT departments can lack the training and resources required to combat threats, and they are expected to simultaneously manage the daily upkeep of your business. IT security is more important than ever, making it crucial to control the many variables that exist.

An IT Strategy is a Necessity

Do you know when your basic programs need an upgrade? What are the proper security precautions for your eCommerce store? Are you in compliance with the latest regulations? These questions, and more, require up-to-date answers, and many businesses struggle to establish an IT strategy that covers all angles. An IT strategy should also create defense mechanisms within your systems that will alert you to data breaches. Faster responses save time and money, and although every breach can’t be prevented, hackers can be promptly stopped in their tracks. Not every strategy is going to look the same, and an MSSP can offer specialized solutions that fit your business objectives.

You Can’t Afford Regular Attacks

When considering an IT budget, many businesses don’t recognize the hidden costs that are inevitable. Breaches cost money, and frequent attacks will exhaust whatever budget resources you have established. Cutting costs where IT personnel and strategy is concerned will hurt you in the long run, putting your entire business at risk. You’ll spend more time on pursuing hackers and repairing the damage they have caused than you will on improving cybersecurity. An MSSP can greatly reduce costs by preventing breaches of sensitive information, and an agreement will usually offer a predictable monthly fee.

What Can thinkCSC Do for Your Business?

At thinkCSC, we take security seriously, and we want to give you the most control over your business with the necessary cybersecurity measures. Our determination to offer ourselves as an experienced MSSP has promoted the development of innovative levels of security monitoring for our clients. Massive cyberthreats are a normal part of doing business, but they are risks that can, and should, be addressed and abated. thinkCSC provides excellent levels of monitoring and detection designed to protect your data and keep your organization running smoothly.

At thinkCSC, cybersecurity is simply what we do. We can partner with you to develop a unique solution designed to fit your business model. Take the first step towards advanced cybersecurity practices and contact us today to learn more about our enhanced Managed Security options.

Vulnerability Management

By | Data Security, Email Security, Managed IT Services, Managed Security

We keep repeating this, because it bears repeating: Cybersecurity is one of the most pressing issues facing businesses in today’s technological world. Business size, resources, location, and other characteristics are almost irrelevant. From small, individualized breaches to worldwide ransomware attacks, the scope of cybersecurity compromises has risen dramatically throughout the last decade.

This trend has led to the need for organizations of every size to establish strategies to enhance cybersecurity and combat attacks. One such approach is known as vulnerability management (VM), which focuses on identifying threats and reducing exposure rather than merely reacting to incidents. In broad business terms, this approach differs from the old quality control systems (detecting problems as they happened or early in their appearance, thereby containing potential crises) and is more like the newer quality assurance approach (putting measures in place to assure the prevention of problems occurring at all). Quality assurance approaches include expeditious handling of issues that occur, but they focus on identifying potential systemic weaknesses and strengthening them in order to prevent issues from the start.

How is this done? What does this mean in practical terms? How can even small and medium-sized businesses (SMBs) employ a sufficiently robust VM plan?

The following are a few answers to these key questions:

Treat the Issue as More than Just a Requirement

Too many companies approach cybersecurity in general, and vulnerability management in particular, as an item on a checklist – a chore that must be done. These companies perform an annual scan and often use outdated or mismatched software systems. Treating cybersecurity simply as a requirement leads to inadequate protection and a never-ending cycle of escalating issues over which they never gain full control. Solving a serious problem requires seeing it as a serious problem and then treating it as such.

Conduct Regular Vulnerability Scans 

Solid VM programs involve much more than just threat-detection scans. They do employ regular scans (at least quarterly) using up-to-date systems, but they also include additional elements, such as root-cause analysis, tracking, remediation, and detailed reporting. Without such comprehensive essentials, businesses leave themselves open to risks that can be eliminated systematically.

Consider Both Authenticated and Unauthenticated Scanning

Unauthenticated scanning is a simple scanning process through which devices are scanned remotely to determine exposed vulnerabilities. Authenticated scanning goes one step further and logs into the system with a valid user account. Using authenticated scanning can identify system configuration issues, as well as embedded vulnerabilities that simple scanning cannot catch.

Use the Common Vulnerability Scoring System (CVSS)

The CVSS uses a calculation metric to assign severity scores to vulnerabilities. The three core areas analyzed are: base metrics (qualities that are intrinsic to a vulnerability), temporal metrics (vulnerabilities that evolve over time), and environmental metrics (vulnerabilities that require specific implementation or a particular environment). This allows organizations to prioritize their responses in an intentional, meaningful, and productive manner and avoid the tendency to spend disproportionate time and resources on minor threats.

Fix the Issues That Cause Vulnerability

Scans merely identify threats. Most companies do nothing more than remove the threats discovered by their scanning measures. What they fail to do is fix the core issue that allowed the threat into their systems in the first place. Thus, the same threats often reappear, are discovered by future scans, are removed once again, and the cycle continues. Eliminating the entry portal exploited continually by the threat closes the existing security gap and stops this cycle of entrance and removal, which altogether eliminates the risk posed by the threat.

If Necessary, Outsource Vulnerability Management

Vulnerability management can be overwhelming, especially for SMBs with limited technical expertise and limited budgets. Just as outsourcing HR, legal, or security services can be beneficial, partnering with an established, knowledgeable Managed Security Services company can be a perfect, cost-effective solution to such a daunting task.

Usernames and Passwords: An Illusion of Security 

By | Data Security, Email Security

Many organizations, especially small businesses, rely on username and password protocol as their primary cybersecurity protection method. They assume that requiring employees to use strong passwords, and then requiring regular changes to those passwords, is an adequate approach to cyberattack prevention. On the contrary: Relying primarily on passwords is not as secure as most of us are led to believe.

The Verizon 2017 Data Breach Investigations Report revealed two of the major findings that bear directly on this issue. Of the data breaches that were analyzed:

  • 75 percent were perpetrated by outsiders (with the exception of healthcare, where 68 percent were internal)
  • 81 percent of hacking-related breaches (50 percent of all breaches) leveraged weak or stolen passwords

What does this say about relying on usernames and passwords to secure your network – and why are strong passwords not a solid cybersecurity strategy?

Most people don’t want to remember numerous usernames and passwords for multiple accounts and programs, and many don’t feel confident in their ability to accurately recall that information. More so, they dislike having to regularly change passwords on individual accounts, and being forced to forget previous passwords in exchange for new ones. To deal with this frustration, they tend to do one of two things (or both):

  • Re-use the same usernames and passwords across multiple accounts
  • Write down their usernames and passwords, and store them in their workspace (usually in a place that is easy to find, often on their desk or in a top drawer)

The problems with these widespread tendencies are simple:

  • Remember, 81 percent of all hacking-related breaches leveraged weak or stolen
  • Repeated passwords used on multiple sites increase the risk of successful breaches on internal company sites. If passwords on personal accounts (online shopping, banking, personal email, social media, etc.) match passwords on company sites (employee login, company email, etc.), hackers can apply those identical passwords to other accounts with the same or similar usernames – and many people use the same username format across multiple accounts (e.g., John_Doe, or John.Doe).
  • This means that any password, no matter how strong it is, is vulnerable the more often it is used with multiple accounts, especially when it is associated with the same (or similar) username.
  • If 75 percent of breaches were perpetrated by outsiders, this means that 25 percent were committed by insiders. Many internal attacks don’t have to target one particular employee’s access; in many cases, accessing one member of a team or department (or even the entire company) is all that is required. Thus, having an employee record usernames and passwords, and store them in an obvious place, makes internal attacks much easier and more likely.

Having a system of employee usernames and passwords is not enough. Passwords, to be at all effective, need to be randomly generated strings of characters, changed frequently, and accompanied by two-factor authentication and protected by additional layers of security, backup and recovery, and monitoring.

thinkCSC is here to help ensure your cybersecurity systems are strong and vibrant, to assist you in your preparation for and response to cyberattacks. Together, we can avoid the mistakes that are common among so many businesses and organizations, in the end becoming as secure as possible in today’s technological world.

While thinkCSC believes that employees will always be the first line of defense against ransomware attacks, the only real solution is for leaders of all –organizations – businesses of all sizes, government entities, schools, hospitals, and –others – to invest in stronger IT security that includes offsite backup and recovery and managed security. These protections, combined with ongoing staff training, strict security policies, and constant vigilance, are an absolute necessity in today’s cyber-environment.

For new customers interested in information on obtaining our services, please contact us at sales@thinkcsc.com

Ransomware is Not Going Away, but BDR Will Keep You in Business

By | Data Security, Email Security

ransomwareRansomware attacks continue to outpace cybersecurity efforts, threatening your organization’s most essential files. Thousands of employees, users, and clients click links and download files in emails, and no matter how cautious you urge them to be, a single toxic file is capable of bringing down your entire network. Ransomware remains a threat, but your business can still employ its best defense and avoid a worst-case scenario.

Data is key to the success of your business

Businesses today rely heavily on data, but many of these businesses continue to operate without crucial protection. According to Datto’s State of the Channel Ransomware Report 2016, ransomware attacks on small businesses are becoming more frequent; 91 percent of the managed service providers they surveyed reported clients victimized by ransomware. Furthermore, findings indicated that the most common impact of ransomware was not simply loss of data, but business-threatening downtime that crippled productivity.

How do you convey to every single employee what ransomware looks like? How do you teach every client to not fall prey to a scam? You can start with educating and training employees about good security practices, urging them to download the thinkCSC email security guide. But training is not enough to protect your data from ransomware.

Backups can save your business

So what can your business do to protect itself? Backup and Disaster Recovery (BDR) is the best – and possibly only – protection against ransomware. If budget constraints are your main concern, then realize that the cost of implementing BDR is miniscule compared to the financial impact of an attack. Datto’s Ransomware Report estimates down-time costs at $8,500 per hour, which adds up to $75 billion per year. BDR allows you to:

  • Automatically back up and store data
  • Minimize downtime quickly after an attack
  • Avoid paying ransoms if an employee inadvertently introduces ransomware into your network

BDR makes it easy to maintain several copies of your data; as well, you can backup and store your data somewhere physically separate from your network. With the assistance of a managed service provider, your business can take extra steps for protection:

  • Testing backups to ensure that data is recovered properly
  • Manage passwords and user permissions
  • Take all necessary steps to ensure that your cyber security practices are air tight

Good cyber security practices involve steps that do more than try to avoid ransomware. Recognize that no matter how many layers of security you implement, there is virtually no fail-safe measure to safeguard against ransomware attacks. Ransomware is insidious in its ability to continue evolving to better dupe unsuspecting recipients into clicking a link or downloading a file.  Rather than gamble with the security of your data in the hope that it will never happen to you, be prepared with offsite backups that house and maintain all your sensitive data. BDR is a peace-of-mind measure that could save your business. Contact thinkCSC to learn more.

Security Concerns Will Drive IT Security Spending Over $100 Billion by 2020

By | BDR, Business, Data Security, Email Security, Managed IT Services

IT SecurityFor many years, organizations have argued that security budgets are already stretched to the max and that there is no more room for increased security. With costly security breaches impacting governments, social media platforms, the IRS, and more small and mid-size businesses than we can count, the investment in security suddenly seems like the least expensive option.

IT Security vs. Security Breach

Whether you increase your spending on IT security or simply find a better way to spend your budget, one thing is certain: what you spend on IT security is a predictable, planned cost that doesn’t send your shareholders into a panic, doesn’t make your customers question their loyalty, and doesn’t put you out of business. A security breach, on the other hand, can result in fines, lawsuits, costly recovery, and a loss of customers.

If your organization has decided to increase IT security, how do you make sure you’re getting the most out of your investment? We recommend focusing on these areas:

Email Security

Email is still one of the most popular ways for hackers to penetrate your security, because all it takes is one email on one employee’s system compelling them to open an attachment or click on a link to create a breach that will affect your entire IT infrastructure. People will always be the weakest link in security. Sender policy framework protocols, hosted email exchange services, and ongoing employee training are all essential. Download our email security guide to help your employees think before they click.

Endpoint Security

Every device that touches your network needs to be secure, whether it’s an employee-owned cell phone, vendor equipment, or a field tech’s laptop. It is crucial to identify every remote device that might potentially connect to your network; have a way to both detect that connection, protect that connection, and eliminate the connection if needed.

Threat Detection

Enterprise threat detection uses predictive analytics on a powerful and global scale to recognize and block threats before they happen. Rather than relying on end users to determine the safety of a file or a site, it uses intelligence to stop threats by preventing malware-infected devices from connecting and by blocking phishing sites.

Backup and Data Recovery

Unless you want to be permanently locked out of your data or forced to pay a ransom to restore access, having an offsite backup and recovery service is essential. The email security, endpoint security, and threat detection efforts you implement will prevent many of the ransomware attempts from getting through, but all it takes is one employee clicking on one link in one email that sneaks through to create havoc.

Effective network security that keeps your IT environment efficient and stable is about applying layers. The initial layer is a solid backup and recovery solution, protected by an antivirus solution, and then guarded by a firewall. Enterprise threat detection, email security, and endpoint security are the shields that head off attacks on your business before they happen. It’s more than peace of mind: It’s good business sense.

At thinkCSC, we believe that in order to achieve maximum success, regardless of the size or type of organization, you must make IT an integral part of your overall business strategy and partner with IT professionals who not only understand how to leverage technology to your advantage but who are also committed to understanding your business goals and aligning your IT strategy to them. We pride ourselves on having the best business-savvy technical experts in the industry. If you would like to learn how to create an IT security strategy aligned with your organizational goalscontact thinkCSC for more information.

Small Businesses Are a Big Target

By | Data Security, Email Security

cybersecurityA tech startup in New York lost over a million dollars after they were hacked. Prior to that, the startup had recently earned a lot of money in a funding round. But as soon as the cash had hit their bank account, it was gone, ready to be sent off to bank accounts in Russia, China, and Turkey. This cyber heist was pulled off using software that observed the keystrokes of the CFO and comptroller, which allowed the hackers to obtain banking credentials and then steal the money.

While we would love to say this was a rare occurrence, the truth of the matter is, smaller businesses and startups are a favored target for cyber criminals. Why? Hackers used to target big businesses, but as bigger businesses began to recognize the importance of investing in multi-layer, comprehensive IT security, hackers have turned to smaller businesses that can’t afford (or think they can’t afford) to have the best cyber security.

If you:

  • Operate a business of any size
  • Work with privileged client information
  • Have proprietary business dealings
  • Conduct any financial transactions online
  • Use email to conduct business
  • Store files on your computer system
  • Use a mobile device to access information
  • Connect to public WiFi

– then you are at risk, and so is your business.

Take these steps NOW to protect your business:

  1. Identify where the most important information for your business is stored. Make sure you have automated, off-site backups occurring regularly to make sure you don’t lose information. Make sure whatever is stored locally is protected.
  2. Limit information access to only those who truly need it, and make sure everyone who works with you is trained and regularly reminded about the risk of phishing attacks, ransomware, and malware.
  3. Address security from multiple directions. Yes, you need firewalls and virus protection, but you also need email security, malware detection, and security for every device that is used to access your business.
  4. Take security seriously. The “it would never happen to me” mentality is costly.

It only takes a moment for a criminal to access your data, steal your clients’ personal information, or walk away with your million-dollar investment. Thwart their attempts with a serious and considered look at your business security.

Cybersecurity should be a top concern for every small business owner, and taking the necessary steps to protect your organization must be a priority. Minimizing your risk is easier when you align your business with a trusted managed IT service provider that partners with your organization, understands your needs, and provides customized solutions to ensure that you have the protection you need. thinkCSC is committed to helping you find the most economical solutions to meet their needs. For more information, contact us today.

The Argument for Endpoint Security

By | Communication Security, Data Security, Email Security

endpoint securityAn organization is only as secure as its weakest access point, and certain endpoints – smartphones, laptops, and other portable devices that are often connected to public WiFi hotspots or are apt to be lost – are a weak spot for most organizations.

Endpoints are an easy target. Endpoint security is designed to thwart the most common risks these devices present, by detecting and blocking malware, as well as reducing vulnerabilities while ensuring a sensible balance between protection and user access.

Does Your Organization Need Endpoint Security?

Does your company use mobile devices? Do your employees have the ability to take these devices offsite and off-network? Would a data breach cost you customers, downtime, or lost business? If you answer yes to any of these questions, then endpoint security is something your organization should consider.

Endpoint Security and Phishing Scams

Email security is a challenge for every organization. Your employees, whose split-second decision to click on a link or open a file puts you at risk – are part of the solution. But can endpoint security help you prevent phishing attacks? As part of an overall strategy to implement multiple layers of security designed to block as much malware as possible, endpoint security can work at the device level by:

  • Requiring security and monitoring software that can detect rapid file encryption, even on employee-owned devices used for work
  • Making sure all operating systems used on devices are fully patched and up to date
  • Whitelisting apps
  • Implementing analytics that rapidly detect and block threats

Threats from phishing emails and malware, such as ransomware, worms, and bots, are a constant threat. Proactive measures must be taken to prevent existing and emerging threats, not just on your network and servers but at every point of access as well as through employee training and consistent reinforcement.

As cybersecurity remains a top concern for business leaders in every industry, taking the necessary steps to protect your organization becomes a high priority. Minimizing your risk is easier when you partner with a trusted managed IT service provider who partners with your organization, understands your needs, and provides customized solutions to ensure that you have the protection you need. thinkCSC is committed to helping you find the most economical solutions to meet their needs. For more information, contact us today.

It’s Really Easy to Be Tricked by Spoofed Email and It WILL Cost You

By | Email Security

spoofed email riskHave you ever almost clicked or actually clicked on a link because you thought it came from someone you know? Have you ever almost taken action based on an email you received that you thought was from your CEO? Don’t feel bad – it happens more often than you might imagine. And scammers are becoming very clever about how they go about trying to trick you into wiring money, divulging usernames and passwords, or clicking on links that introduce malware or lock up your system with ransomware.

Spoofed Emails Succeed by Playing on Fear

Spoofed email is one of the biggest security risks to businesses and government organizations of all sizes, and it’s all too common for the spoof to be successful. Unfortunately, spoofed email is successful because it is designed to play on the fears of the email recipient. An employee in your accounting department may receive an email that looks like it came from the CEO, stressing that they forgot to pay an important invoice and to get it done immediately. An executive assistant may receive an email from a “help desk” stating that her email has been shut down for security reasons and she needs to verify her account. The fear instinct may cause employees to act before they are able to think it through and proceed with caution.

Spoofed Emails Get More Sophisticated and More Costly

Because most consumers and email filters have learned to recognize mass spoofed emails as spam, cyber criminals have refined their methods. Spear phishing – a form of spoofing in which the email targets a specific organization and appears to come from someone within the organization who would have logically been one to send the email – has become the most common method of defrauding an organization. The cost is outrageous, with corporations losing an estimated $1.6 million from phishing scams.

Improve Email Savvy

To avoid email spoofing and phishing scams, organizations must enhance their training efforts, advising employees on how to best manage their email. It is essential to provide ongoing training. Recognizing spoofed emails can’t be something you talk about during onboarding and then never mention again.

  • Teach employees how to recognize a faked “from” address and how to expand header information.
  • Teach your staff how to hover over links to verify where it is going to send them without actually clicking on it.
  • Encourage employees to double-check in person with a sender, especially if the request is for money or account information. A quick phone call to a colleague may save you thousands or more.
  • Implement policies that require two people to be involved with any payments or wire transfers.

Improve Email Security

Email security needs to be prioritized by every organization. Small and large businesses are targeted, as are healthcare facilities and government agencies. In addition to implementing a hosted email service that prevents much of the spoofed email from even landing in the inbox, as well as ensuring your compliance with standard security protocols like Sarbanes-Oxley and HIPAA, consider implementing a sender policy framework that makes it less likely that spoofed email will work.

thinkCSC is committed to helping organizations improve security and compliance. If you have been the victim of spoofed emails or would like to learn how to protect your organization from email security attacks, contact thinkCSC for more information.