Discussion and advice about small business data security issues by a 20 year IT veteran of the Michigan IT Services firm Eclipse Consulting.

You KNOW you could have / should have done more to protect your business data… but now it’s too late and your computers have been compromised.

What should you do in the event of a data security breach?

 

1. CALL IT DATA SECURITY PROFESSIONALS ASAP!

Just like a fire or medical emergency, time is of the essence. The attack may still be underway or causing further damage.

  • In the case of a virus or other malware delivered by email, the more people who open the message or its attachment, the more computers will be infected.
  • Hackers can keep downloading files for as long as they have access, and it can take an attacker less than 48 hours to go from an initial foothold to control of the network – you need to act fast.
  • If the threat is coming from inside the building (an employee or contractor who either inadvertently or with ill intent caused the breach), you’ll want your IT team to be able to clearly see the source of the issue.

You don’t want a junior IT guy giving it his best shot. If you don’t have an experienced IT partner, NOW is the time to find one! (Note, however, that just like calling 911 to summon a helicopter to medically evacuate you off a cliff and into an emergency room, finding an IT partner during a data security crisis is likely to be both difficult and expensive.)

The risk here is that if you have under-trained IT personnel panicking and changing settings, it may be difficult for your IT team to understand what really happened and diagnose the root cause of the issue. Don’t make the problem any worse than it is. Call in IT Professionals.

2. Assess and contain the damage.

Your IT professionals and senior leadership team need to set aside blame (at least for now) and be in tight communication about what happened and how to proceed in fixing the data security breach.

Hopefully you have a disaster recovery or business continuity plan in place, along with documentation of your passwords and backup of all your systems.

Your damage control team needs to decide:

  1. Is the breach contained?
  2. How severe is the damage?
  3. What steps do we need to take now?
  4. Who needs to know? If sensitive data was exposed, you’re likely legally required to notify those who are potentially impacted and/or government agencies.
  5. How can we prevent this from happening in the future?

3. Take data restoration steps.

Every situation is unique. Some actions need to be taken immediately, while others may happen over the coming days, weeks and months. Depending on what happened, restoration from a data security breach could mean:

  • Restoring files from backup
  • Changing all passwords
  • Taking a system offline until security updates can be applied
  • Paying the ransom on the ransomware (which is a terrible idea, for so many reasons!)

4. Communicate.

First to employees and then to anyone affected outside your organization, you need to clearly communicate:

  • What happened
  • How you’re fixing the issue
  • Any steps those impacted need to do to protect themselves

5. Get committed to data security.

Small businesses are not immune from cybersecurity attacks. With fewer resources to fight and recover from a breach, it’s even more important for you to integrate security into your platform. One component of our data security offerings is to use Microsoft 365 for:

  • Identity & access management
  • Threat protection
  • Information protection
  • Security management
  • Device and application management

We also believe strongly in user data security training.

Many employees share passwords, not considering the data security ramifications. In over 63% of data breaches, attackers gain access through weak, default, or stolen user credentials. Your technology and people need to work together to keep your business protected from malicious cybersecurity attacks.

Beyond user training, there are a few other ways you can safeguard your business:

Microsoft 365 for Data Breach Recovery

One of the solutions we use in our data security practice is Microsoft 365, which has all the perks of Office 365 plus advanced security and device management tools. Microsoft 365 helps us with both remote network monitoring and data breach recovery.

Here’s some of what Microsoft 365 can do after you’ve been breached:

  • Automatically investigate and mend endpoint threats
  • Recommend what to investigate and remediate
  • Investigate company-wide emails to remediate threats
  • Visualize a hacker’s lateral movement
  • Recover OneDrive files
  • Remove ransomware

Call Us for Data Breach Prevention

We don’t want to be your 911 IT emergency call. We want to be your day-to-day IT partner who keeps your IT systems healthy and secure with IT services like:

  • Continually monitoring network traffic for anomalies
  • Maintaining backups and testing restore procedures
  • Having a “red book” of system admin credentials and vendor contact information (kept offline and accessible only to the people who need it)
  • Enforcing IT policies and procedures
  • Keeping hardware and software up-to-date

Don’t wait until it’s too late – give us a call today – 1.586.263.1775.

 

Data Breach FAQ’s

What is the most common cause of data loss?

The most common cause of data loss is hardware failure – make sure your data is always backed up! Other causes include: human error, software corruption, theft, and viruses.

What happens when there is a data breach?

A data breach puts ALL of your personal and financial records at risk. This makes you vulnerable to identity theft, compromise of customer data, compromise of employee data, loss or exposure of intellectual property, and follow-on malware attacks.

How to protect yourself after a data breach?

Take data restoration steps: 
1. Restore files from backup.
2. Change all passwords.
3. Take systems offline (if needed) until security updates can be added.
4. Integrate security into your platform.

How serious is a data breach?

Any breach is serious. It can lead to destruction, alteration, loss, or unauthorized access to all of your personal data. Assessing the problem ASAP will lessen the blow.

With all the news about data security breaches and malware attacks, businesses are finally starting to take network security more seriously… as they should!

Downtime and data loss can have a devastating impact on a business. Small businesses are not immune from criminals with malicious intent. In fact, 43% of cyberattacks target small businesses because they know they’re more likely to be unprotected.

Protect Your Computer Network

Small business data security is becoming increasingly important. We’ve already covered the importance of tested backup and recovery procedures, two-factor authentication and good password protocols, so let’s turn our attention to business firewalls.

Business firewalls are a critical component of network security, but they don’t seem to be well understood. We get lots of questions from clients, like:

  • What is a firewall? How do they work?
  • Do we need one? Do we already have one?
  • Is firewall software, hardware or both?
  • What’s the best business firewall for our company size or industry?

The basics: What is a computer firewall?

A firewall is a filter between your internal computer / network and the Internet. A firewall stops unauthorized access by closely monitoring network traffic. Security rules define the activities and sources that are allowed and blocked.

A firewall can be hardware, software or both.

Business Firewalls vs. Personal Computer Firewalls

Windows 10 comes with an excellent built-in firewall, and system administrators can use Group Policy to manage each computer’s firewall settings. However, when a business has an internal computer network and servers, it will also need a business firewall at the network edge.

We’ve worked with various vendors, but when it’s up to us, we recommend WatchGuard Firewalls for a few reasons:

  1. WatchGuard is well-known, reliable and reasonably priced.
  2. Security rules and settings are all kept in one place.
  3. Their solutions scale to meet client needs and budgets.
  4. Our team has expertise with WatchGuard solutions.

Firewall security rules

Your business users need to communicate easily and safely with the outside world. Firewalls can manage inbound traffic, outbound traffic, or both. We believe it is best practice to keep all security rules in one place when possible.

Inbound firewall rules protect your business from external cyber security threats. They filter traffic arriving from the Internet to block:

  • Connections nobody authorized (this is the bulk of what a firewall does)
  • Denial of Service (DoS) attacks that attempt to overwhelm system resources
  • Malware (viruses, ransomware) and phishing sites, on firewalls that add content inspection or threat-feed filtering to basic packet filtering

Security rules can be set to allow or block specific ports, services and IP addresses. The safe starting point is default deny: block everything inbound, then allow only the specific services that must be reachable, in the order you intend, since most firewalls act on the first rule that matches. Some companies geo-fence their network, disallowing all traffic from countries like Russia and China.

Outbound firewall rules are less common, but can be used to:

  • Lock down sensitive data
  • Protect from malicious activity by internal users
  • Bar employees from visiting inappropriate sites while at work
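To make the allow/block rules and the ordering point above concrete, here is an added example written for this article (it is not WatchGuard’s configuration format or any vendor’s code) that evaluates a small ordered ruleset the way most firewalls do: the first matching rule wins, and anything no rule matches is dropped. The addresses are assumptions chosen for the example: an office LAN of 192.168.10.0/24 with a public web server at 192.168.10.10, a VPN client pool of 10.8.0.0/24, and 203.0.113.0/24 standing in for a geo-blocked country range. It also includes a “shadowed rule” check, which finds rules that can never fire because an earlier, broader rule always matches first; a deny added at the bottom of a list that already contains a broad allow is exactly the kind of mistake that leaves the door open while looking secure.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # inclusive (low, high); None means any port


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    direction: str    # "in" = Internet -> LAN, "out" = LAN -> Internet
    proto: str        # "tcp", "udp" or "any"
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    dport: PortRange  # destination port range
    name: str


def _in_net(ip: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _matches(r: Rule, direction: str, proto: str, src: str, dst: str, dport: int) -> bool:
    return (r.direction == direction
            and r.proto in ("any", proto)
            and _in_net(src, r.src) and _in_net(dst, r.dst)
            and (r.dport is None or r.dport[0] <= dport <= r.dport[1]))


def evaluate(rules: List[Rule], direction: str, proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins. Nothing matched means the packet is dropped (default deny)."""
    for r in rules:
        if _matches(r, direction, proto, src, dst, dport):
            return r.action, r.name
    return "deny", "default-deny"


def _net_covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))


def _ports_cover(outer: PortRange, inner: PortRange) -> bool:
    if outer is None:
        return True
    return inner is not None and outer[0] <= inner[0] and inner[1] <= outer[1]


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule already matches all of their
    traffic. A deny appended below a broad allow is the classic misordering this catches."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.direction == later.direction
                    and earlier.proto in ("any", later.proto)
                    and _net_covers(earlier.src, later.src)
                    and _net_covers(earlier.dst, later.dst)
                    and _ports_cover(earlier.dport, later.dport)):
                dead.append(later.name)
                break
    return dead


# Assumed addressing for the example: an office LAN, one public web server on it, the address
# pool handed to VPN clients, and a range standing in for a country the business geo-blocks.
LAN, WEB, VPN_POOL, BLOCKED = "192.168.10.0/24", "192.168.10.10/32", "10.8.0.0/24", "203.0.113.0/24"

RULES = [
    Rule("deny",  "in",  "any", BLOCKED,  "any", None,         "geo-block"),         # must come first
    Rule("allow", "in",  "tcp", "any",    WEB,   (443, 443),   "public-https"),
    Rule("allow", "in",  "tcp", VPN_POOL, LAN,   (3389, 3389), "rdp-via-vpn-only"),  # never RDP from the Internet
    Rule("deny",  "out", "tcp", LAN,      "any", (445, 445),   "no-smb-to-internet"),
    Rule("allow", "out", "any", LAN,      "any", None,         "permit-egress"),
]

if __name__ == "__main__":
    for pkt in [("in", "tcp", "203.0.113.5", "192.168.10.10", 443),
                ("in", "tcp", "198.51.100.7", "192.168.10.10", 443),
                ("in", "tcp", "198.51.100.7", "192.168.10.20", 3389),
                ("in", "tcp", "10.8.0.15", "192.168.10.20", 3389),
                ("out", "tcp", "192.168.10.20", "198.51.100.9", 445)]:
        print(pkt, "->", evaluate(RULES, *pkt))
    print("shadowed:", shadowed(RULES + [Rule("deny", "in", "tcp", "any", WEB, (443, 443), "late-deny")]))
```

Real firewalls add state tracking (return traffic for an allowed outbound connection is admitted without an explicit inbound rule) and per-rule logging; the evaluation order and the default deny are the parts worth carrying over to whatever product you use, and the shadow check is worth running, by hand if nothing else, every time a rule is added.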

Certain applications have their own layer of filtering for specialized functions, such as content filtering of email on a mail server. That complements the network firewall but does not replace it.

NOTE: If you are unfamiliar with firewall security rules, this is NOT an area to become a do-it-yourself IT professional. Firewalls are not plug-and-play devices, and improper setup can either thwart employee productivity or, worse, leave the cybersecurity door wide open while giving users a false sense of security.

Firewalls and Anti-Virus Software

Having a firewall in place does not remove the need for anti-virus software. Anti-virus software adds another level of protection, monitoring individual files. Think of the firewall as the walls of your office building, and anti-virus software as security guards roaming through the building.

Firewalls and VPN Access

VPN stands for Virtual Private Network. VPNs are primarily used to allow remote employees and contractors to securely access the internal computer network. They can also be used to protect your privacy online. The VPN acts like a tunnel that encrypts communications as they’re sent back and forth. Learn more about how to set up a small business VPN and how to allow secure remote access for employees.

Firewalls and Cybersecurity

Business firewalls are part of an overall cybersecurity plan. We put together a self-assessment that will enable you to see areas of risk. If you are looking for new IT Services Provider, please reach out for a free IT consultation.

 


What is Two-Factor Authentication?

The most common form of multi-factor authentication is two-factor authentication (2FA). As its name suggests, two-factor authentication combines two different kinds of proof to confirm a user’s identity.

The three kinds of factor, from weakest to strongest in practice, are proof of:

  1. Something they know – a password, PIN, address or answers to secret questions
  2. Something they have – a card, a hardware fob or USB security key, a phone running an authenticator app, or access to an email account or phone number that receives a code
  3. Something they are – a fingerprint, iris scan, or voice

Two factors of the same kind (a password plus a security question, for example) are not two-factor authentication; the point is that a criminal who steals what you know still does not have what you have.

A familiar example: paying with a card at a terminal requires the card (#2, something you have) and a PIN (#1, something you know). Online or over the phone only the card number is presented, so merchants add a billing zip code (#1, something you know) or, better, a one-time code sent to your phone or email (#2, something you have) to authorize the purchase.


Good Passwords Aren’t Good Enough

Most websites, subscriptions, and/or apps only require a username and a password. While this is extremely convenient, it creates a data security risk. In a prior article, we covered the importance of good passwords in depth and why small business owners MUST know their logins, but good passwords and good data security practices aren’t always enough.

  • You may give your password to someone, and they share it.
  • You may reuse your passwords, so when one site is hacked, criminals try using those same credentials on bank account and investment sites.

Once someone is in your account, you’ve lost control. It’s like letting a burglar in the house. You can lock the doors after they leave, but it’s too late – they already have all your sensitive data.


Two-Factor Authentication Security Levels

The more data security factors you have in place, the more protection you have. But the quality of the factors themselves is also important. Criminals can easily find out your mother’s maiden name. Getting your fingerprint is much harder.

The most common 2FA step right now is a one-time code sent to your mobile phone by text message, or to your email, which you type in after your password. You’ll also be alerted whenever someone TRIES to get into your account. A code from an authenticator app or a hardware security key is stronger than a texted code, because text messages can be intercepted or redirected to a criminal’s phone, but any second factor is far better than none. While this process takes another 15 seconds to validate your credentials, it should be your default setting for:

  • Anywhere you have superuser or admin credentials
  • Bank, financial and investment sites
  • Sites that store sensitive client information
  • Email log-ins. Once criminals get into your inbox, they often find a treasure trove.

Managing Two-Factor Authentication

Your IT Policies and Procedures should require employees to use two-factor authentication for all websites and/or apps that contain sensitive or financial data. If you manage a website for your clients, a software development company (like us) can help you offer this added layer of security for your users.

Another idea is to send links to files instead of attaching files to emails. That way the addressee must be credentialed on the system. This will also help your computer files stay organized!


 

Phishing Detection Is Becoming Harder

Recently I’ve noticed an uptick in very legitimate-appearing phishing emails. One came in as an email from “someone I knew” saying they had a task for me and to send them my personal number so they could reach me. My alarm bells went off because:

  1. The real person already had my phone number.
  2. They had “reached” me just fine through the email – why ask for my phone number?

Upon closer inspection, I could see that the person’s name was there, but the actual email address looked suspicious. One of the reasons we recommend getting an Office 365 or G Suite account instead of using a free Yahoo or Gmail account is that mail sent under your own business domain can be authenticated, so a message that carries a co-worker’s name but comes from some other address stands out. We’ve had clients who accidentally gave away private information, mistakenly believing they were giving it to a co-worker. As you can imagine, this kind of data breach leads to a whole host of headaches.

Phishing Prevention Best Practices

  1. Never give out your email password.

  2. Never send passwords via email.

  3. Never send credit card information via email.

  4. Never send HIPAA-protected health information or other sensitive data over email.

Email is an insecure platform. Even without hackers being involved, you could mis-type an email address and inadvertently expose sensitive information. Don’t take the risk. The small convenience factor isn’t worth it.

Common Phishing and Malware Scams

Hackers are becoming quite sophisticated; I’ve seen a few good imposters of Microsoft emails lately. Here’s a good example, and where to look for clues that the email is not legitimate.

(Image: sample phishing email impersonating Microsoft)

If you were to open up one of these emails, you expose your network to:

  1. Viruses and worms, which self-replicate, for example by sending an email from YOU to all the people in your contact list.
  2. Ransomware, where the hackers hold your data hostage until you pay them. FYI: Don’t pay them!
  3. Spyware, which will collect information from your computer and send it to the hackers.

How To Identify Phishing Emails

How can you find a phishing email / malware?

  1. Look at the sender’s email address. Usually the sender’s email address will not be a legit email associated with the organization that they are claiming to be from. They may claim to be from a company or a bank or even a friend or coworker, but the email address could have a totally different domain address.
  2. Look at who they are addressing. If they are part of a legitimate company that you work with, they should know your name. If it is a phishing email, it will most likely address you by your email address or a general name such as customer.
  3. Be on the lookout for bad grammar. Many times, there can be small to moderate grammatical errors that could easily be missed when quickly scanning an email.
  4. Be wary whenever someone tries to get you to provide personal information. They may supply links that do not go where they say they go; hover over the link to see the actual website address. If you’re in doubt, ignore the email. Open a new web browser, go to the site yourself and log in to your account. If a bank, Microsoft, PayPal or other service provider has a special alert, you can get the same information by going directly to their site.
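The checks above, plus the “known name, wrong address” case from the message described earlier in this article, can be automated for the obvious cases. The following is an added example written for this article (not the original post’s code and not a vendor product) that runs them over a raw message: a sender display name that does not match the actual domain, a Reply-To that points somewhere other than the sender’s domain, a generic salutation, and links whose visible text names one site while the href goes to another. The three sample messages, the contact list and the brand-to-domain table are constructed for the example, and every domain in them is a reserved example name.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Assumed lookup tables for the example: people we correspond with, and the domains a brand
# really mails from. A real deployment would load these from a directory or a mail gateway.
KNOWN_CONTACTS: Dict[str, str] = {"bob jones": "bob@example-smallbiz.com"}
BRAND_DOMAINS: Dict[str, Set[str]] = {"microsoft": {"microsoft.com", "microsoftonline.com"},
                                      "paypal": {"paypal.com"}}
GENERIC_SALUTATION = re.compile(
    r"\b(dear|hello|hi)\s+(customer|user|member|client|valued customer|account holder)\b", re.I)


class _HtmlText(HTMLParser):
    """Collects the visible text and every (href, anchor text) pair from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable(host_or_url: str) -> str:
    """The 'site' a host belongs to, approximated as its last two labels
    (login.microsoftonline.com -> microsoftonline.com). Enough for the example."""
    s = host_or_url.strip()
    host = (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze(raw: bytes) -> List[Tuple[str, str]]:
    """Return (finding-code, explanation) pairs for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_site = registrable(addr.rsplit("@", 1)[-1])
    # Check 1: the display name says one thing, the address says another.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        findings.append(("known-contact-address", f"'{name}' is known as {expected}, not {addr}"))
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and from_site not in domains:
            findings.append(("sender-domain", f"claims to be {brand} but was sent from {from_site}"))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and registrable(reply_to.rsplit("@", 1)[-1]) != from_site:
        findings.append(("reply-to", f"replies are routed to {reply_to}, not the sender's domain"))
    # Checks 2 and 4: pull the visible text and the links out of the body.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _HtmlText()
    parser.feed(body.get_content() if body else "")
    if GENERIC_SALUTATION.search("".join(parser.text)):
        findings.append(("generic-salutation", "addressed to a generic recipient rather than by name"))
    for href, anchor in parser.links:
        # Only compare when the visible text itself looks like a hostname or URL.
        if "." in anchor and " " not in anchor and registrable(anchor) != registrable(href):
            findings.append(("link-mismatch", f"text shows {anchor} but the link goes to {registrable(href)}"))
    return findings


# Constructed sample messages for the example (not real mail, not real domains).
PHISH_BRAND = b"""From: "Microsoft Account Team" <security-alert@micros0ft-support.example>
Reply-To: verify@mail-check.example
To: jane@example-smallbiz.com
Subject: Unusual sign-in activity
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>We detected unusual activty on your account. Please visit
<a href="http://login-microsoft.example/verify">https://login.microsoftonline.com</a>
within 24 hours to keep your account.</p></body></html>
"""
PHISH_CONTACT = b"""From: "Bob Jones" <bobjones.office@webmail.example>
To: jane@example-smallbiz.com
Subject: Quick task
Content-Type: text/plain; charset="utf-8"

Hi, I have a task for you. Send me your personal cell number so I can reach you.
"""
LEGIT = b"""From: "Bob Jones" <bob@example-smallbiz.com>
To: jane@example-smallbiz.com
Subject: Q3 numbers
Content-Type: text/plain; charset="utf-8"

Hi Jane, the Q3 figures are in the shared folder at https://files.example-smallbiz.com/q3.
"""
```

Check 3 (grammar) is deliberately left to a human; it is the hardest to automate and the weakest signal. The `registrable()` helper is a two-label approximation, so hosts under suffixes like `.co.uk` would need a Public Suffix List lookup to compare correctly, and a message that passes all four checks is still not proven safe; the checks exist to flag the obvious cases before a person reads the rest.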

Preventing Phishing and Malware Scams

Anti-virus software, firewalls and other data security solutions can stop most malware attacks, but they’re not infallible. If you open a suspicious email, contact an IT Professional IMMEDIATELY. The longer you wait, the worse the problem can become.

We help clients with data security breach prevention – and post-malware cleanup. Need our help? Give us a call at 586.263.1775 or support@eclipse-online.com.


How to Prevent a Small Business Data Breach

How can you protect your company from a data breach?

Recent Data Breaches

Seems like every time you turn around, you’re hit with news of another major data breach. Just in the last few months:

Ransomware Attacks

We’ve also seen the rise of the threat of ransomware. Ransomware is malware that encrypts your files, making them unusable. You may see an image like the one below.

(Image: ransomware demand screen)

In a ransomware attack, the perpetrators promise to unlock your files if you pay the ransom. If you don’t have a reliable, recent backup, you may feel you have no choice but to pay, because everything in your system is unusable – including email, Word docs and databases – and even paying is no guarantee the files come back. A tested backup is what keeps that decision out of the criminals’ hands.

The City of Atlanta recently experienced a ransomware attack in which the attacker demanded a $50,000 ransom. So far it has cost the city $2.7 million and major headaches to restore its systems and tighten up its data security settings. Employees have resorted to paper-based applications and manual processes to keep operations running.

You may be thinking…

If these major companies can’t protect themselves from data breaches, how can small businesses expect to?

If you’re a small business, you have a few advantages over major corporations. First, you are far less likely to be singled out: the attacks that hit small businesses are mostly opportunistic and automated, looking for easy mistakes rather than a specific victim, while the targeted, well-funded attacks go after big businesses because the payoff is big. Additionally, small businesses typically have more control over their IT environment. You actually have an advantage in protecting your data if you follow a few basic data security steps.

What is a data breach?

A data breach occurs when an unauthorized person gains access to your data. The question is how they were able to gain access to it.

The most common data breach causes are:

1. Malware in email.

A user could click on a link in an email that causes malware to be installed on their computer. This malware could then give the attacker access to that computer, spread itself to other computers and servers on the network, and even send emails to all the contacts in your contact list (including clients). It can slow down system performance, crash your system or display annoying popup ads. See 13 warning signs that your systems have been infected by malware.

Solution: Hover over any link and inspect where that link is going to. When in doubt, go to the company website and login there. For example, if you get an email from PayPal saying you need to update your password, instead of clicking the link in the email “PayPal” sent you, just go to the PayPal website and see if they’re prompting you for a password reset.

Also, be careful about opening any attachments. Computer viruses can be disguised as .PDFs, .XLS and other familiar formats. Have a reputable anti-virus software program installed on all machines at all times. Keep your anti-virus software up-to-date and regularly scan your computer.

2. Email phishing tricks.

We recently had a user who was tricked into entering her email credentials into a fake web site. The attacker was then able to log in to her mail account and would have had access to everything in her mailbox (financials, emailed passwords, etc.). In this case the attacker used the credentials to send spam from her account, probably trying to infect other systems.

Last year, even White House officials were tricked into responding to a fake email that purported to be from Jared Kushner but was actually sent by an email prankster.

Solution: Adopt Office 365 or G Suite for your business. These solutions come with added security measures that consumer email systems don’t provide. Don’t EVER provide confidential information through email.

3. Insecure websites.

Attackers can also gain access to servers through insecure web sites. Once they have control of the website, they can often reach any database on the same server and everything in it, from e-commerce orders to financial or medical information. As an example, Drupal recently released a patch for a major security hole that let an attacker run code on the web server simply by sending a crafted request to a URL. Because WordPress runs about 25% of all websites today, it’s a big target for hackers. WordPress core, themes and plugins are continually being updated with security fixes. If you don’t apply the patches, you leave yourself vulnerable.

Solution: Companies who have had a web site developed, but don’t maintain it are putting themselves at risk. Website data security best practices create rigor around keeping your database, themes and plugins up-to-date. You’ll also want to ‘harden’ your website security settings and have a strong firewall in place.

4. Password sharing / password weaknesses.

The easiest way to gain access to your small business software programs is to give someone your password. You may be sharing your password intentionally. Some companies share one password among employees to save money or for convenience. Other times password sharing may happen unintentionally. We’ve seen passwords written on post-it notes stuck to laptops. Now everyone who passes by while you’re working in the coffee shop can get into your systems.

Solution: Don’t share your password. Give each employee and contractor their own passwords. Have strong employee onboarding and offboarding procedures in place. Use a password software program like LastPass or Dashlane to create more sophisticated, and unique passwords for every site.

What about SaaS Software Solutions?

A question we commonly receive from clients is about online data security and the risks of SaaS (Software as a Service) solutions. For example, with QuickBooks Online your financial data resides on servers managed and maintained by the vendor. While that may feel risky, in practice your data is usually significantly MORE secure when managed by a major online software company than when it sits on your own internal server.

Major software vendors like Microsoft and QuickBooks have invested in building sophisticated, multi-layer security systems.  They do all the backups and keep the system up to date. DIY IT Services can be a mistake, costing you more in the long run than you’re saving. If you are considering using a smaller, lesser-known company, you should investigate their data security measures. If you’re not sure what to buy, consult a reputable IT services provider for help in software selection.

What about Cloud Business Application Hosting?

A trend in small business IT strategy is to move your databases and applications from your physical location in your office to a cloud hosting platform like Amazon Web Services (AWS) or Azure. The security measures you need to take are the same, EXCEPT that with AWS and Azure you gain their multi-layered physical and platform security, and you’re at less risk from fires, flooding, hurricanes and other disasters. What does not move to the provider is responsibility for your own accounts, access permissions, patching of the servers you run and configuration of the services you use; a mistake there is the usual way cloud-hosted data gets exposed.

Most data breaches are preventable.

Following these simple steps you can avoid most data security breaches.

Small Business Data Breach Security Steps

1. Train employees to be wary of suspicious emails and websites.

2. Don’t share passwords.

3. Make passwords long, unique and hard to guess, and change any password you suspect has been exposed.

4. Keep your software programs up to date.

5. Keep your website up to date.

6. Routinely use anti-virus software, firewalls and other data security measures.

7. If you don’t have IT staff, hire an outsourced IT services company to keep your IT environment secure.

8. Have backup and recovery procedures in place, and test them, so that if you need to restore your data, you can.

What if you get infected by a computer virus, ransomware or other malware?

Act IMMEDIATELY.

The quicker you can respond, the more likely it is that you’ll be able to thwart your attacker. Your employees should know who to go to in the event of a data breach. Seek the help of IT Support for malware removal, and just as importantly, close the security holes that caused the data breach in the first place.

If you need help, give us a call at 586-275-1775!


Know your logins

Whether you outsource your technology needs to an IT services partner or you have internal IT support, as the small business owner, you are the one responsible for keeping the business running.

That means you need to know your logins, even if you never plan on using them.

Disaster recovery planning

Hurricanes. Floods. Fires. Tornados. Natural disasters remind us that we can’t control everything. What we can control is how we prepare in advance and how we respond afterward.



According to the Privacy Rights Clearinghouse, over 900 MILLION records have been compromised in 7,283 public data security breaches since 2005. While that number may seem HUGE, it’s actually a gross underestimation, because that figure does not include breaches that were never made public.

Set up a Small Business VPN

Will ISPs sell your data?

Last week Congress voted to allow ISPs to sell your data.  This news has people in a panic, concerned about what the ISPs can or will share.  Some sites, like Motherboard, predict a data pilfering free-for-all, proposing that information shared may include:

“Financial and medical information. Social security numbers. Web browsing history. Mobile app usage. Even the content of your emails and online chats.”

Other sites give us some reassurances that ISPs would show more restraint and that this rule change was only created to enforce consistency. Wired magazine’s article, “Big Cable’s Case for Selling Your Data Doesn’t Hold Up”, argues that you get what you pay for: just as Facebook and Google offer free services, “FREE” comes at the expense of letting them collect information and use it to serve up targeted advertising. While this measure is flawed, creating consistency and clarity in the FCC rules would actually be a good idea.

In response to this ruling, Minnesota has already voted to pass internet privacy protections and other states will likely follow suit.

Don’t panic. But take data security precautions.

As a consumer, you’ll of course want to protect your personal devices. But be cautious. Reports show that up to 38% of Android VPNs on the Google Play store are plagued with malware. According to the Hackread article, the 10 worst VPNs are:

  1. OkVPN
  2. EasyVPN
  3. SuperVPN
  4. Betternet
  5. CrossVPN
  6. Archie VPN
  7. HatVPN
  8. sFly Network Booster
  9. One Click VPN
  10. Fast Secure Payment

Businesses need to take even greater data security precautions.

Businesses have all the same concerns as consumers, PLUS more. Leaking information could reveal:

  • Trade secrets
  • Pricing information
  • Client email addresses and private information
  • and much more!

That’s why many larger businesses (especially those in finance, health and other industries with compliance regulations) insist that remote employees exclusively connect through a VPN.

What is a VPN?

VPN stands for Virtual Private Network. Basically this technology allows a user on public WIFI (or any other untrusted network) to create a secure, direct connection between the remote device and the office network. Think of it like a tunnel: all of the data that travels through the tunnel is encrypted, so your ISP or the coffee shop’s WIFI operator sees only scrambled traffic going to your VPN server. The tunnel ends at that server, where the data is decrypted, so whoever runs the VPN server (your own IT administrators, or a VPN provider) can see it from there on.

How to set up a Small Business VPN

For small businesses, VPNs are frequently setup using software. Larger businesses often use VPN hardware that comes with additional functionality for data load balancing and a hardware firewall.  Whichever you decide – VPN software or VPN hardware – you’ll want to ensure you do all the steps to set up your VPN correctly. Setup is critical, and when done incorrectly will compromise the entire point of having a VPN.

Popular small business VPN software programs include:

  • Windows Server includes a built-in VPN role (Routing and Remote Access).
  • VyprVPN
  • Hamachi VPN
  • OpenVPN

All of these VPN software programs are well vetted. Which VPN solution is right for you? Well…that depends – on your IT environment, the number of users you plan to have on the system and the level of security you want to achieve. If you’d like our advice and are interested in having a professional IT team  set your VPN up for you, please schedule a free 30-minute call with one of our technical specialists.



The Danger of Dropbox

…and OneDrive, Google Drive, Box, etc…

Cloud-based file storage is a real asset to businesses today. Clients and colleagues can easily collaborate on documents. Files can be accessed from any device. And backups happen automatically.