How safe is your data when your staff works from home?

The Coronavirus crisis has changed the world as we know it. With social distancing, lockdowns and work from home becoming the new normal, cyber criminals are exploiting the situation to their gains. This whitepaper discusses how the cyber crime landscape is likely to shape up in the post-pandemic world and how businesses can safeguard themselves against it.

One of the reasons for a sudden spike is cyber crimes is the work-from-home model that is increasingly becoming the norm. When you allow remote access to your data, you are virtually opening your IT infrastructure to criminals–unless you have the right security measures. It is easy for malware and hackers to get into your system and corrupt it unless you have the right measures in place.

With employees operating from home, there are a lot of loopholes that cyber criminals target. Some of them include

Lack of knowledge

Most employees don’t realize how their simple actions or non-actions can contribute to a cyberattack that can bring your whole business down. For example, they may unwittingly end up compromising on your business’s data security by sharing passwords, not using a good antivirus software or using the public WiFi to access their emails, etc.,

It is more difficult to oversee IT operations

With teams working remotely, it is difficult for businesses to manage their IT efficiently. Installation of security patches, anti-malware tools, data backups, etc., are all more difficult now.

Working from home offers businesses a lot of benefits in terms of cost savings, employee satisfaction and flexibility. But, it also raises a lot of questions from the IT security perspective. When opting for the work-from home model, it is important to clearly define the IT policies and put them into practice. You could partner with an MSP who specializes in cybersecurity and remote workspace management to help you formulate a safe, remote working environment.

4 things to do to ensure your business continuity planning is a success

Working on creating a contingency plan for your business? That’s great! Here are 4 things you need to consider when preparing your new business continuity plan.

Audit of your business continuity plan

Having a business continuity plan alone is not enough. You need to audit it at regular intervals to ensure it is up-to-date and relevant. Often, business continuity plans aren’t used for years, and may be obsolete or irrelevant by the time an actual emergency occurs.

Creating a team for business continuity

Constitute a team for your business continuity project. Decide who will take ownership of implementing the business continuity in the event of an emergency. Break down the business continuity plan into smaller elements and decide who is responsible for each of them. Also, remember to designate a back up for each person in the team.

Mock Drills and Dry Runs

After your business continuity plan is ready you need to check if it really works. A dry run will tell you if it is really effective and also point out to loose ends, if any, that you can fix before the actual emergency.

Don’t forget a debrief

In case you do end up using your business continuity plan, make sure you do a debrief. It will help you determine the effectiveness of your business continuity plan. The brief should focus on identifying the losses you incurred from the disaster, the time taken for implementation of the business continuity plan, the key positives of implementation of your business continuity plan and also offer suggestions, if any for improvement. Irrespective of the size of your business, business continuity planning is indispensable. Bigger companies often have their own staff (IT as well as non-IT) for business continuity planning, but for SMBs to have their own business continuity planning team can be a bit of a strain on their resources. Consider teaming up with a MSP who is experienced in disaster recovery planning, so you don’t cut corners now to regret later.

What are the essentials of a business continuity plan?

An unexpected emergency can wipe out your business! A business continuity plan can help it survive. But, what should a good business continuity plan cover? Read this blog to find out.

A list of your key contacts

One of the most important elements in your business continuity plan is a list of all your important contacts who should be informed of the disaster. This can include all your C-level execs, HR managers, IT Manager, client facing managers, etc.,

A comprehensive list of your IT inventory

Your business continuity plan should contain a list of all the softwares, apps and hardware that you use in the daily operations of your business. This list should identify each of those as critical or non-critical and mention details pertaining to each of them such as

  • The name of the app/software
  • Version/model number (for software/hardware)
  • Vendor name and contact information for each of them
  • Warranty/support availability details
  • Contact information for customer support for these hardware/apps
  • Frequency of usage

Backup information

Data backups are critical to your disaster recovery and so your business continuity plan should include information about data backups. It should mention how often data is backed up, in what formats and where. It should also mention what data backups are available–ideally, you should be backing up ALL data already!

What’s your Plan B?

Make sure your business continuity plan lists a backup operations plan that will come into play in the event of a disaster. Examples include alternative workflows such as options to work remotely or to allow employees to bring their own devices to work (BYOD) until the time regular business premises or systems are ready.

Floor plans and location

Your business continuity plan should also include floor plans of your offices with the exit and entry points clearly marked up, so they can be used in the event of any emergency. It should also mention the location of data centers, phones, key IT systems and related hardware.

Process definition

Make sure your business continuity plan defines the SOPs to be followed in the event of an emergency.

Think business continuity planning is too complicated? Don’t give up! A lot of SMBs, don’t create a business continuity plan thinking it is too much of a hassle. But this can prove fatal to your business later. A qualified MSP can help you understand business continuity planning and even help you create a business continuity plan that’s best suited for you..

3 Reasons to prepare a business continuity plan if you haven’t done so already

A business continuity plan is the blueprint you need during an emergency to keep your business running smoothly. If you don’t already have one, here are 3 key reasons why you should focus on creating one ASAP.

It helps retain clients

As a business, if you have problems functioning, it will definitely affect your clients. For example, if your servers are down or your supply-chain mechanism is affected or your delivery process breaks, you won’t be able to fulfill your promise to your clients. Even worse, in some situations you may not even be in a position to communicate about the crisis to your clients adding to their frustration. A business continuity plan addresses these issues beforehand and can help reduce client dissatisfaction.

Salvaging brand image and reputation

There are certain events that end up affecting only your business. For example, ransomware attacks, virus attacks, data leaks, etc., Having a business continuity plan that caters for such events can be a blessing in times of such crisis.

Minimizing revenue loss

A business continuity plan can minimize the revenue losses that occur as a result of a crisis that interrupts your business operations.

In short, a business continuity plan helps minimize the impact of the crisis on your client relations, your brand image and your revenue by equipping you with a plan to handle the situation better.

Business continuity planning: A must-have, not a luxury

Business continuity planning: A must-have, not a luxury

Business continuity planning is not an alien concept anymore. In recent times we have witnessed a lot of events that only serve to further intensify the need for business continuity planning. Examples include natural calamities like hurricanes, floods, wildfires, events like terror attacks or even pandemics like the recent Covid-19 outbreak.

While a business continuity plan cannot completely safeguard your business from all these events, it can certainly minimize the damage inflicted on your business. Top business consultants urge their clients to develop a business continuity plan as they consider it a part of the best practices for running a business. A business continuity plan can make the difference between survival and shutdown of a business during a crisis situation.

What is business continuity planning?

Business continuity planning is the process of creating a blueprint that helps your business respond and recover effectively from an unforeseen mishap. As discussed before, the unforeseen event could range from natural disasters to pandemics, or even accidents that affect just your place of business like a fire or even a cybercrime attack directed at your business in particular–basically, any event that can paralyze your business. A business continuity plan serves as a step-by-step guide that you can follow during an emergency to keep your business running smoothly.

True, a business continuity plan is not a sure shot method to survive a crisis, it won’t instantly eliminate the impact of the disaster, but it gives you the best chances of survival. If you are not sure of what a good business continuity plan entails , you can reach out to a reputable MSP to help you with the preparation and implementation of one.

Cyber hygiene: The key to your business’s good cyber health

We all know that basic hygiene is a must to lead a healthy life. Did you know that the same rule applies to IT as well? There’s something known as cyber hygiene that plays a key role in keeping your business healthy from the IT perspective. So, how do you ensure your business doesn’t fail when it comes to cyber hygiene? Here are a few tips.

Follow industry benchmarks and standards

Remember that if an IT practice has gained industry-wide recognition and adoption, it is because it certainly offers some benefits. Protocols like the HTTPS implementation, SSL security certificates, CIS Benchmark, etc., are examples of industry standards that you must follow to maintain good cyber hygiene. Following these standards enhance your cybersecurity quotient and also play a positive role in helping you win your customer’s trust.

Stronger IT administration

The role of an IT administrator is very critical in any organization. IT administration involves exercising control over most of the IT activities with a view to ensure the security of your IT environment is never compromised. Make sure your IT admin rules and policies are clearly formulated and covers everything including-

  • Clear definition of user roles
  • Permission levels for each user role
  • Restrictions regarding download/installation of new software
  • Rules regarding external storage devices
IT Audits
Conduct regular IT audits to spot vulnerabilities and gaps that may threaten the security of your IT infrastructure. During the IT audits pay special attention to-
  • Outdated software or hardware that is still in use
  • Pending software updates that make an otherwise secure software vulnerable
Fix what you can and get rid of what is too outdated to be made safe.Password policy adherence

When it comes to cyber hygiene, passwords are the weakest link as often, people compromise on the password policy for convenience’s sake. Here are a few things to look into at the time of your IT audit to ensure your password policy is being adhered to.

  • Check if passwords are strong enough and follow the standards set for secure passwords
  • Discourage password repetition or sharing
  • Ensure multi-factor authentication, where apart from the password, there is at least one more credential, such as a secret question, a one-time password (OTP) sent to the user’s mobile phone, or a physical token or QR code, to verify and approve data access
Ensure basic security mechanisms are in place
As a part of your cyber hygiene check, ensure you have all the basic security mechanisms in place. These include
  • Anti-malware software programs
  • Firewalls
  • Data encryption tools
  • Physical security and access control tools like biometric access

Pay attention to what happens with obsolete data

How do you get rid of data you no longer need? Even though old data may not be of any use to you from the business perspective, a breach of that data can still hurt you legally. Ensure you get rid of old data safely. It is a good practice to deploy data wiping software and also create policies for the safe destruction of physical copies via shredding or other methods.

Strong cyber hygiene practices can keep your data safe from cybercriminals lurking out there. However, consistently following up and ensuring these best practices are being adhered to, can be taxing on your internal IT team. It may be a good idea to bring an MSP on board who is well versed in cybersecurity to assist you with cyber hygiene.

Free Internet Access? Don’t fall for this one

One of the popular internet scams that has been doing the rounds since 2017 is the one about “Free Internet”. This scam seems to resurface and somehow manages to claim quite a few unsuspecting victims. Here’s how they catch you.

  • Ads are created on Google, Facebook, popular search engines and social media platforms advertising free internet hours.
  • The ads look professional and show up on general searches and on social media when surfing. This offers a sense of validity.
  • Once you click on the ad, you will be taken to their website, where you will be asked to perform an action, such as
    1. Filling out a form with your Personally Identifiable Information (PII)
    2. Sharing your credit card information, and though you will be promised that your card won’t be charged, you may end up signing up for something or subscribing to a service for which your card will be charged later.
    3. Sharing a few email IDs or phone numbers–basically contacts with whom you will be asked to share the message in return for free internet service.

How to stay safe?
As always, remember no one offers something for free. Whether it is free internet access or tickets to a concert, if it is something of value, then you will be expected to provide some value in return. Steer clear of offers that seem too good to be true. If you receive a message from someone you know and trust, please let them know that their link may be a problem. No matter what, don’t open a link from anyone if you aren’t entirely sure the links are valid.

Online shopping? Watch out for these red flags

Who doesn’t like online shopping? Online shopping has opened up a whole new world to us. Get whatever you want, whenever you want, without wandering from store to store. It doesn’t matter if it is too hot to venture outside or if there’s a blizzard out there, you do your shopping from the comfort of your couch and the stuff at your doorstep. You get great deals, some are better than in-store specials. But, did you know cybercriminals love the concept of online shopping as much as you do. Cybercriminals are exploiting the growing popularity of online shopping to cheat unsuspecting buyers through techniques such as phishing, malware injection, etc. Here are a few tips that may work to keep you safe from being a target of cybercriminals as you shop online.

How to determine if the ad or shopping site is genuine?

As you browse the web, you will come across various ads targeted at your interests. Businesses engage in ‘Retargeting’ which means they use cookies to target you with very specific ads until you buy something. For example, look at a wallet and, you will see ads for wallets on various other sites you browse even if they are not shopping sites. Are those ads genuine? Before clicking on any ad you see online and making a purchase, be sure to verify if the ad is genuine. The same goes for shopping sites. Before you shop, you need to ensure the site is genuine, especially since you will be sharing your credit card details or Personally Identifiable Information (PII) such as your address. Here are a few things to check before you make that online purchase.

English: Keep an eye out for grammatical errors or spelling mistakes in the ad. Fake ads and sites may look a lot like the actual ones, but spelling mistakes or grammar errors may tell the true story. Scammers don’t have content writers to write great sales content!

Check the URL: When at a shopping site, always check the URL in the address bar to ensure it is genuine. For example, if you see www.1amazon.com or www.amazon-usa.com, you should know it is not the same as www.amazon.com. Checking the URL also lets you detect website cloning and phishing. Website cloning is one of the most popular methods used by scammers to fleece consumers. As the term suggests, the cybercriminal first creates a ‘clone’ site that looks exactly like the original one, barring a very minor change in the URL.

Don’t Get Phished!

Phishing is when you receive a message, usually through an email or a text message asking you to take an action, such as clicking on a link, filling out a form, logging into an account, etc., Such messages look as though they are genuine. But, the form fill, account login, or link will take you to a spurious site where your information will be captured for bad use. Checking the URL will help you detect phishing frauds as well.

Check before you download anything: Sometimes you may receive a link and asked to download a coupon or a gift card that entitles you to a sizable discount. It may be a fraud. In fact, it probably is.

Download only from legitimate marketplaces: With so many shopping options it is tempting to download every new app that you come across. But, only download from authorized marketplaces like Google Play Store for Android or the App Store for iOs.

At the end of the day, remember, there is no free lunch. If something seems too good to be true, it probably is.

DNS Cache poisoning: What every SMB must know

In one of the most common poisoning attacks, the attacker poisons the DNS Cache with the aim of leading visitors to a fake website. In a DNS cache poisoning case, the attacker gains control of the DNS server and then manipulates cache data such that anyone typing the URL of the actual website is redirected to the fake one. This could be a phishing site where the attacker would have carefully laid out a trap to capture the unsuspecting victim’s personal data or secure information. For example, the visitor thinks they are logging into their bank’s website online, but are actually on the attacker’s phishing site, where they enter the login credentials.

Protecting yourself against DNS poison attacks

Here are some ways to protect yourself and your customers from becoming victims of DNS poison attacks.

  1. As discussed before, one of the most common poisoning attacks is the DNS attacks. Cybercriminals try to corrupt your DNS server using theirs. You can prevent this by bringing a trained professional onboard for your DNS server set-up. An expert will know to set up your DNS server such that it has a minimum relationship with other, external DNS servers, thus limiting your attacker’s ability to corrupt your DNS server using theirs.
  2. As a best practice, ensure that your DNS servers only store data related to your domain and not any other information. It is harder to corrupt the system when it focuses on a single element.
  3. Another best practice is to ensure that you are up-to-date on all DNS security mechanisms and are using the most recent version of the DNS.
  4. Ensure your site has, in layman terms, an SSL certificate and make sure it is HTTPS. Using encryption, a site with HTTPS protocol allows for a more secure connection between its server and the internet and is better at keeping cybercriminals out. Having an SSL certificate also ensures your site’s name shows up alongside the URL in the address bar. This is an easy way for visitors to identify if they are on a genuine site or not, thus helping them steer clear of phishing attacks and clone sites.

Data poisoning is one of the lesser-known and hence less talked about forms of cybercrime. But, it can inflict great damage–perhaps even more damage than the other obvious threats such as viruses and ransomware, because, unlike a Denial of Service (DoS) attack or a Ransomware attack where you know the moment the malware has hit your system, in a data poisoning attack, the malware is incorrect data that slithers into your system quietly like a snake and changes its overall functioning before delivering the big blow.

Protecting yourself against poison attacks

Data poisoning by way of logic corruption, data manipulation and data injection happens when the attacker finds a way to access your data set. The kind of poison attack varies depending on the level of access the attacker is able to achieve Here’s what you can do to ensure such access is prevented.

    1. The data poisoning attacks discussed above adversely affect your IT system’s machine learning capabilities. So, the first logical step would be to invest in a good machine learning malware detection tool. These tools are different from the typical anti-malware tools you get in the market and are specifically designed to prevent machine learning capability poisoning.
    2. Always follow general IT security best practices such as-
    1. Training your employees to identify spam, phishing attempts, and possible malware attacks
    2. Following good password hygiene, which means never sharing passwords and only using passwords that meet the required security standards
    3. Having a powerful IT audit process, tracking and version control tools, so as to thwart any possible insider attacks
    4. Ensuring the physical security of your IT systems by way of biometric access, CCTV systems, etc.,

Whether it is data poisoning or a malware attack, you certainly don’t have the time to look into all the security aspects yourself. Even if you happen to have an in-house IT team, this 24/7 monitoring may be too much for them to handle as you grow. Consider bringing a reputed MSP on board to help you with this, so you can focus on your business, worry-free, while they ensure your data is safe.