Monthly Archives: February 2017

Cloud Backup Protects Small Businesses from a Rainy Day

Most small businesses aren’t backed by angel investors or the deep pockets of venture capitalists. They’re financed by their founders, gifts and investments by friends and family, loans from a neighborhood bank, and the owners’ personal credit cards. These companies don’t have the resources to cope with a disruption in their cashflow.

One report found that downtime costs small businesses $55,000 in income every year; that doesn’t even account for the cost of paying employees who can’t work without access to systems or paying them overtime to catch up when systems come back online.

The loss of income associated with an outage can even drive a small company out of business. That’s why it’s important to view data protection as a means of protecting not just your data, but protecting your business.

Even small disasters cause big problems

Natural disasters don’t have to be big enough to draw national news attention to cause big problems for small businesses. A minor windstorm can down branches and knock out power, shutting you down for a day. A water main break can flood the streets, making it impossible for your employees to get to work.

Either way, without a plan, your data may not be available or your employees may not be able to get to it.

Small businesses are targets of hackers

Your data may also be at risk due to insecure computers at the office. Small businesses aren’t too small to be the targets of hackers. In fact, because small businesses often don’t invest in strong defensive measures, they’re a popular and vulnerable target. One security vendor’s study found that more than 40 percent of phishing emails targeted small companies, with trends showing an increasing focus of attacks on small businesses.

A ransomware attack can literally leave you unable to access your data. These attacks encrypt your data, making it unreadable without a key—which the attacker will happily provide, if you pay their ransom. Organizations including hospitals have been forced to pay up to recover their data.

Cloud backup makes data always available

Many small businesses don’t even create data backups, or have never tested restoring from backups, considering it too complicated. It’s simpler to use a cloud storage service like Mozy by Dell, which makes files available from anywhere. With cloud backup, local disasters don’t prevent you from accessing your data. Backups can happen automatically, even throughout the day, and the cloud provider makes sure full security measures are in place to protect your files. If your local data becomes inaccessible, whether because of a natural disaster or ransomware, you can always access a good copy of your files from the cloud.

Treating data protection as a cost of doing business is more cost effective than paying for emergency recovery services, which cost more and may not be able to recover all your data. With cloud backup, no matter what the weather outside, you’ll always be open for business.

What You Need to Know About Phishing

Social engineering scams that use email or websites to trick users into revealing personal information or installing malware on their devices are known as phishing scams. Phishing messages can look like bank emails or other corporate communication, and are crafted to fool users into believing that the message is legitimate.

The content of a phishing email is intended to provoke a quick response from the user. One common scam will try to convince you that you’ve won a lottery or a prize, with a link that resembles a website you already know. That page will then ask for your personal information, which you will happily provide because you think you’ve won money.

Types of phishing attacks

There are three types of phishing attacks that you need to be aware of:

Regular phishing: These attacks are not targeted, and attempt to manipulate the user to click a link where they will enter their credentials. This is a generalized attack and no “one” person is a target.

Spear phishing: These are targeted attacks. The attackers have studied the organization or person they are trying to defraud, and will usually try to impersonate one or more parts of that organization. They may use social media to find information about the organization, and use it to create an email that will convince the reader that it comes from their own organization.

Whaling: This doesn’t refer to hunting for whales, but instead phishing the upper management of an organization. Done in the same manner as a spear phishing attack, it targets the highest level of the organization and often includes messages that request transfers of large funds.

How to identify phishing attacks

According to Intel Security, 97% of people cannot identify a phishing attack. Here’s how you can avoid becoming a victim.

Don’t trust email communication: We have been trained to use email as the main mode of communication, and as long as it does not require you to divulge personal information, that is fine. Treat with care any email that asks you to click on a link or provide personal information. Even if you receive an email from what seems like your own company asking you to make a fund transfer, confirm verbally with the relevant person to ensure this is not a scam.

Don’t fall for emails that sound urgent: Many phishing emails attempt to scare you into believing you need to respond or react urgently, but you must take the time to confirm that the email is from a legitimate source before responding.

Confirm links before you click on them: When you receive an email that seems legitimate with a link for you to click on, go to the actual website and then navigate to the relevant page. At the very least, always confirm that there isn’t a minor change—for example, BankofAmerica vs BankAmerica—that is meant to fool you.

Beware of online forms: Do not enter confidential information through online forms or websites. If you have to, make sure all data you submit goes over a secure connection; that is, https. This is especially important when entering credit card information online.

One of the most important things to remember is to report a suspicious email to management immediately. Only 3% of targeted users report malicious emails to management, which is scary when you consider that 95% of all attacks on enterprise networks are due to a successful phishing attack.
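The link checks recommended above (compare the link’s domain with the site you actually know, look for a minor change such as BankofAmerica vs BankAmerica, and insist on https) can also be automated on the receiving side as a triage aid. The following is an added example, not code from the original post or from Mozy by Dell: the known-good domain list, the sample email and the lookalike threshold are constructed assumptions, and the HTML handling is deliberately simplified (double-quoted href attributes only).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation really does business with
# (hypothetical; a real deployment would maintain its own list).
KNOWN_GOOD = {"bankofamerica.com", "example-payroll.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Matches something that looks like a domain in link text, with or without a scheme.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

# Constructed sample email (not a real message) containing one lookalike link whose
# visible text shows the real bank, one legitimate link, and one brand-in-subdomain link.
SAMPLE_EMAIL = (
    '<p>Your account is locked. Verify at '
    '<a href="http://bankamerica.com/login">https://www.bankofamerica.com/login</a> '
    'within 24 hours.</p>'
    '<p>Your invoice: https://example-payroll.com/inv/123</p>'
    '<p>Or reset here: http://bankofamerica.account-verify.example/reset</p>'
)


def registered_domain(host):
    """Last two labels of a hostname: 'login.bankofamerica.com' -> 'bankofamerica.com'.
    Simplification: a public-suffix list would be needed for domains like '.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; a small distance to a known brand domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, display_text=None):
    """Return the reasons a link deserves a closer look (empty list = no concerns)."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = registered_domain(host)
    if parsed.scheme.lower() != "https":
        reasons.append("not https")
    if domain not in KNOWN_GOOD:
        for good in sorted(KNOWN_GOOD):
            brand = good.split(".")[0]
            # Near miss of a known domain (BankofAmerica vs BankAmerica), or the brand name
            # used as a subdomain of an unrelated registered domain. Threshold 3 is a guess.
            if edit_distance(domain, good) <= 3 or (brand in host and domain != good):
                reasons.append(f"looks like {good} but really goes to {domain}")
                break
    if display_text:
        shown = DOMAIN_RE.search(display_text)
        if shown and registered_domain(shown.group(1)) != domain:
            reasons.append("link text shows a different domain than the real target")
    return reasons


def scan_email(body):
    """Scan an email body (HTML or plain text); return {url: [reasons]} for suspicious links."""
    findings = {}
    seen = set()
    for href, text in ANCHOR_RE.findall(body):
        seen.add(href)
        reasons = check_url(href, re.sub(r"<[^>]+>", "", text))
        if reasons:
            findings[href] = reasons
    for url in URL_RE.findall(body):
        if url in seen:
            continue
        seen.add(url)
        reasons = check_url(url)
        if reasons:
            findings[url] = reasons
    return findings


if __name__ == "__main__":
    for url, why in scan_email(SAMPLE_EMAIL).items():
        print(url, "->", "; ".join(why))
```

The edit-distance threshold and the brand-in-hostname test are heuristics: they catch the kind of one-word change the post warns about, but a short legitimate domain can produce false positives, so the output is a prompt to go to the real site by hand, not a verdict. The legitimate https payroll link in the sample produces no finding, which is the behaviour a triage tool needs so that people keep paying attention to the flags it does raise.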

What if there were a real-life data protection superhero?

Silicona sinks down in her leather armchair, and throws her feet up on her creaky wooden desk. It’s been a long day. Nearly 1,000 terabytes were recovered today. Her phone buzzes with texts: You saved us, Silicona and We are eternally grateful for your work. She watches as her screen lights up rhythmically with new messages. Her skin is sunburned, and her combat boots are dusty from the dry Nevada desert. Her fingers are still shaking from inputting so many different coding strokes. Back home in Oakland, California, none of that matters now. She just saved one of the most highly protected government programs from detrimental exposure.

This wasn’t the first time Area 51 had called upon Silicona. Back in 2013, the United States Air Force facility had asked her to stop a totally different security breach. A hacker had siphoned nearly every top secret file on a new aircraft aimed for extraterrestrial territory, and the Central Intelligence Agency was on the brink of being fully exploited. The National Security Agency had their own team of highly-trained technologists who could trace and capture cyber culprits, yet, none of them rivaled Silicona.

Raised in an Airstream in a remote town on the coast of North Carolina, Silicona was far from your typical tech geek. She was born with the innate ability to interpret computer language at lightning speeds. Graduating from the Massachusetts Institute of Technology at 16, Silicona soon became primed to save governments, businesses, and individuals from data hacks. Time and again she reversed malicious data infractions and kept information that could set the world on its head safe and secure.

This time a hacker had nearly released hundreds of documents depicting Area 51’s latest venture, a fighter jet with speeds up to 3,000 miles per hour. Silicona had used her self-developed detection software to pinpoint the hacker’s exact location, and powered up her interloper to permanently shut down their computers. Silicona never gave away her software or protocol. This is what made her so valuable to government agencies across the globe.

Text messages continued to cascade through her phone, including one from United Nations Secretary-General Siobhan Gutierrez: Amazing work, Silicona. Please call when you’re able. We might have another situation on our hands. Although it was late and Silicona was exhausted, she was worried about what Gutierrez meant. She had no idea Gutierrez even knew about the Area 51 hack. In her pajamas, Silicona made a vermouth cocktail and gave her a call.

“Hello, Ms. Secretary-General. It’s Silicona.”

“Thank you for calling me so late. We have a dire situation on our hands. I’ve been hacked. All of my files are gone.”

“Ok, did you search through any external hard drives?”

“Everything.”

“Let me see. What’s your computer’s serial number?”

Gutierrez read over her computer’s information and Silicona located the problem.

“Ms. Secretary-General, you have too many files. Your computer’s overloaded. When this happens, your computer freezes over your data to prevent you from adding anything else.”

“Oh. This is embarrassing.”

“You know, Mozy by Dell has a cloud backup solution to protect all of your information just in case something like this happens again. It’s what I use to back up my data.”

“You’re the best, Silicona. Thank you again.”


Note: Silicona is make believe. Mozy by Dell is for real. Real data protection for real threats to your important files, including ransomware.


HIPAA and You: What It Is and Why It Matters

Adopted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was designed in part to facilitate the transfer of health insurance for citizens after leaving an employer, and to address the growing need for regulation and oversight of electronic protected health information (ePHI), also called individually identifiable health information, via the Privacy Rule. HIPAA is a substantive and often confusing piece of legislation, leading many companies to wonder if it applies to their business, what’s expected of them and how regulatory standards are enforced. Here’s a rundown of key HIPAA expectations and why they matter to your organization.

Who’s affected

First step? Determine if you’re subject to HIPAA regulations. As noted by the CDC, there are two key groups defined by the law: covered entities and business associates. Covered entities (CEs) consist of health plans, health-care clearinghouses and health-care providers. These CEs are responsible for appropriately handling ePHI by ensuring that an accurate record of all use and transmission exists, that all data is properly encrypted and that access is restricted to specific individuals such as patients, doctors or insurance providers.

The second group, business associates (BAs), are third parties that work with CEs and occasionally handle health data. These may include lawyers, accountants, billing companies or IT developers, and they are required to sign a written agreement with CEs stating that they will properly handle health data, use the information only for stated purposes and help the CE comply with certain aspects of the Privacy Rule.

Provisions

If your company is considered a CE or BA, how do you ensure HIPAA standards are being met? The Privacy Rule lays out several obligations, including:

• Notification of patients regarding their privacy rights and the specific use or disclosure of their ePHI.
• Adoption of internal privacy policies and procedures to prevent misuse.
• Training of employees to ensure they understand their role in using and transmitting ePHI.
• Creating contracts with BAs which specify their use and responsibility in safeguarding information.
• Establishing administrative, technical and physical safeguards—such as data access policies, data encryption and long-term storage in secure facilities—to ensure information privacy.

Worth noting is that willful ignorance of the rule does not constitute an acceptable reason for compliance failure. For example, this means BAs using unencrypted data cannot claim that the relevant CE did not mandate this procedure—companies are expected to know and follow the rules if they handle health data.

Enforcement

HIPAA requirements are now being enforced with greater regularity and rigor by the Office for Civil Rights (OCR). Through 2016 and into 2017 the agency’s focus has centered on audits, both to evaluate the use of health documents and to ensure companies can produce the necessary records to demonstrate the transmission and encryption of relevant data. Expect more in-depth audits to continue over the next few years.

The OCR has also been levying more fines for non-compliance. For example, a “Did Not Know” violation can cost between $100 and $50,000 for the first offense, while “Willful Neglect” (subsequently corrected) starts at $10,000. More worrisome are identical violations in the same calendar year: For any subsequent offense, the fine is set at $1.5 million.

Why does HIPAA matter to your business? If you’re a CE or BA under the law, you’re responsible for the security, storage and use of personal health information as described by Privacy Rule stipulations. Audits are becoming more common, and steep fines are the outcome if compliance standards are not met. Best bet? Leverage the expertise of trusted HIPAA security partners who can help you meet obligations and adapt to evolving HIPAA regulations.