National Cyber Security Awareness Month

Posted on: October 28th, 2017 by jiml | No Comments

October was National Cyber Security Awareness Month. Here at Colden Company we are trying to do our part to raise awareness through webinars, social media posts, and other communications. We often say here at Colden Company “If you are running your business the same way you were three or four years ago, you are not staying the same, you are falling behind.” This saying was originally intended to apply to technology because technology is continually advancing; if your business is not taking advantage of it, your competition likely is. The saying is also particularly appropriate for data security. The threats facing your business are not staying the same; they have increased in both number and complexity over the years. We do not think anyone reading this would disagree with that point. In conjunction, your defenses should also be improving to combat the increasing threats. If you are using the same defenses you were three or four years ago, you are not staying the same, you are falling behind the data security curve and, most importantly, exposing your business to more risk.

Raising awareness of cyber security concerns is a worthwhile exercise. However, we run the risk of desensitizing people to the risk through the continual bombardment of this breach and that vulnerability on the nightly news. Not all vulnerabilities are equal in size and scale, and some judgment needs to be used when informing the public of the risks. Having said that, the risks are real. Cyber criminals have, unfortunately, been wildly successful with certain hacking campaigns like ransomware, which has lined their pockets with millions of dollars (and in some cases tens of millions) that they are using to perfect their craft. Hacking is a business and it is big business – make no mistake about it.

As a business, you may read about the latest breach and think to yourself “Here we go again. I can’t stop it so why worry about it.” We understand that sentiment. The question we would pose is “If you could stop a data breach at your business, would you?” It’s true that there are many different threat vectors that hackers can use to attack your business. Why not spend time and effort blocking the most common ones? There are things you can do without breaking the bank to further protect your business. Incremental improvement may just save the day and prevent a breach.

When a hacker probes your business for a vulnerability and your business is protected from it, do you know? In most cases, the answer is no. Hackers use sophisticated programs to probe networks, attack the ones that are vulnerable and leave the ones that are not. This makes return on investment (ROI) for security a much more difficult number to show. How do you show ROI on something that did not occur? We can only do so by citing the costs of breaches that have occurred.

Hacking attempts and breach attempts happen on a much more regular basis than you may believe. It is almost a certainty that your business was targeted at some point in the last year. The frequency with which this type of activity occurs would surprise most. We see more of this because it is our business to protect our customers’ critical data and we have tools in place to monitor and report on certain types of attacks. Unfortunately, the businesses with the best security measures in place are often the ones that have already had a security breach or some type of security scare. It is analogous to buying the home security system after the break-in; you don’t want to go through that experience again, so you prepare.

So, in closing, I ask you to do this. Tomorrow morning when you wake up, pretend you just got a phone call from a staff member who told you there has been a data breach at your business and data has been compromised or lost. What would you do? How would you feel? If you would like to avoid that feeling, take the time to improve your data security to keep pace with the increasing threats. After all, if you are staying the same, you are falling behind.

Give our certified security experts at Colden Company a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.

Top Ten Myths of PCI Compliance

Posted on: September 27th, 2017 by jiml | No Comments

Hackers WANT your credit card data. They WANT your customer’s credit card data. They will try hard to get it. They will NOT stop. These are unfortunate truths.

In 2006, MasterCard, Visa, JCB, American Express, and Discover established the PCI Security Standards Council, a 3rd party entity, to manage the Payment Card Industry security standards and to promote the standard’s implementation by all companies (i.e. merchants) that accept credit/debit cards including all:
Retail merchants: Any business that operates in a storefront location, where the customers’ debit and credit cards are physically swiped through the payment terminal.
Internet merchants: Any business run online that collects and processes credit and debit card information from its e-commerce website.
MOTO (mail or telephone order) merchants: Any business that operates by taking payments via the telephone and/or direct mail.

Even if you process one credit card per year, your business must be PCI compliant. If you process through a third party, that does not absolve your business from PCI compliance. Many businesses do not take this seriously... until a breach occurs. As many of you know already, the credit card companies and banks have made a concerted effort to shift liability for the massive amount of credit card fraud taking place from their business to yours. If your business is not using chip readers, you are at risk. If your business is not PCI compliant, you are at risk.

PCI Compliance is not solved through a single vendor or product. There are many requirements and some of them are business process related and some are technology related. Below is a list of the top ten myths surrounding PCI requirements from the PCI Security Standards Council.

Top Ten Myths of PCI Compliance

1. One product will make us compliant.
2. Outsourcing card processing makes us compliant.
3. PCI DSS compliance is an IT project.
4. PCI DSS will make us secure.
5. PCI DSS is unreasonable, requiring too much effort and expense.
6. PCI DSS requires us to hire a Qualified Security Assessor.
7. We don’t take enough credit cards to necessitate compliance.
8. We completed a SAQ so we’re compliant.
9. PCI DSS makes us store cardholder data.
10. PCI DSS is too hard.

Is your business PCI compliant? Are you aware of the penalties for being out of compliance? Given the current data security climate, have you given this enough attention? If you answered “no” to any of the above questions, give Colden Company a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.

Why and How to Secure Mobile Devices

Posted on: August 29th, 2017 by jiml | No Comments

As more business processes are either pushed to or accessed on mobile devices (phones, tablets, laptops, etc.), organizations need to be able to secure both the device itself and the data which the device accesses. Colden Company’s Mobile Device Management (MDM) service provides affordable protection for the most common security scenarios.

Physical Security

Since these devices leave the office and may be left intentionally in vehicles, homes and hotel rooms, unintentionally in locations like restaurants or stores, or completely misplaced or stolen, the first concern is to be able to locate the device. With the MDM agent installed on the device, it will periodically check in with its physical location which can be tracked on a map allowing for retrieval.

Protection From Unauthorized Access

The agent can configure the device with a screen lock passcode (and change it) and remotely lock the device. The data on the device can be encrypted and, if there is a concern that the device’s security has been compromised, the entire device can be remotely wiped.

Protection From Malware

While the overall risk of malware is lower on iOS (Apple) and Android phones and tablets than on desktop and laptop computers, it is still a very real concern that needs to be addressed. Users have permission to do things like configure the device settings, connect to wireless networks, and add or remove apps, but while they are actually using an app on the device, the app does not run with those permissions. After an app is installed, what it can do is limited to the permissions it was given at installation. For example, it is not possible to run an executable program from a web browser or email app in the same way that a user can on a PC: while running those apps, the user is not acting as an administrator of the device.

So the most critical level of protection against malware is to ensure that apps are installed from a trusted source that verifies they do not contain malware. For iOS, the Apple App Store screens all apps offered through the store. For Android devices, the Google Play store has less oversight of what apps are offered, but the Play Protect service on each device does a background check of each installed app to detect harmful apps. This check is especially important since, unlike Apple devices, Android devices can install apps from locations other than Google Play. It’s worth noting that all reports of Android malware to date have come from installing compromised or malicious apps, whether from the Google Play store or from a third-party source.
MDM addresses this issue through policies that allow only specific apps to be installed, identify specific apps that cannot be installed, require that specific apps be installed and, for Android devices, disable the ability to install apps from any location other than Google Play. Actively managing what apps can and cannot be installed is the most effective protection from malware.

Monitoring Compliance

Mobile users generally have administrative privileges on their devices. In order to ensure protection is active, the MDM agent is enabled with policies and rules that define how the device is to be configured and what actions to take if that configuration is changed (non-compliance). It monitors the device continuously for configuration changes, compares them to the policies for the device and takes action when the device falls out of compliance. At a minimum, non-compliance generates an alert and an administrative email, which can also be sent to the user. For example, if a lock screen passcode is a required policy item and the user disables the passcode, an alert is triggered with an associated email message. The administrator then has the option of re-enabling the passcode, changing it or locking the device. For a more security-conscious approach, non-compliant devices can be denied access to company resources until the device is back in compliance.
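The monitoring loop described in the last two sections (allow, block and require lists for apps; a policy check that raises an alert, optionally re-enables the passcode, and optionally denies access to company resources while the device is out of compliance) can be sketched in a few dozen lines. The following Python is an added illustration and is not Colden Company’s MDM agent or any vendor’s API; the policy fields, device fields, action names, app identifiers and sample devices are all assumptions constructed for the example.

```python
"""Toy MDM compliance check (added example; not a vendor's agent or API).

A Policy says how a device must be configured; a DeviceState says how it
actually is. evaluate() lists the differences, decide_actions() maps them
to the responses described in the text: alert + admin e-mail at a minimum,
re-enabling a disabled passcode, and optionally denying company resources.
All field names, app identifiers and sample devices are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    require_passcode: bool = True
    require_encryption: bool = True
    allow_unknown_sources: bool = False            # Android: installs outside Google Play
    required_apps: FrozenSet[str] = frozenset()    # must be present
    blocked_apps: FrozenSet[str] = frozenset()     # must not be present
    allowed_apps: Optional[FrozenSet[str]] = None  # None = no allow list enforced
    deny_access_when_noncompliant: bool = False


@dataclass(frozen=True)
class DeviceState:
    device_id: str
    passcode_enabled: bool
    encrypted: bool
    unknown_sources_enabled: bool
    installed_apps: FrozenSet[str]


def evaluate(device: DeviceState, policy: Policy) -> List[str]:
    """Return human-readable violations; an empty list means compliant."""
    violations: List[str] = []
    if policy.require_passcode and not device.passcode_enabled:
        violations.append("screen lock passcode disabled")
    if policy.require_encryption and not device.encrypted:
        violations.append("storage not encrypted")
    if device.unknown_sources_enabled and not policy.allow_unknown_sources:
        violations.append("installation from unknown sources enabled")
    for app in sorted(policy.required_apps - device.installed_apps):
        violations.append(f"required app missing: {app}")
    for app in sorted(policy.blocked_apps & device.installed_apps):
        violations.append(f"blocked app installed: {app}")
    if policy.allowed_apps is not None:
        extra = device.installed_apps - policy.allowed_apps - policy.required_apps
        for app in sorted(extra):
            violations.append(f"app not on allow list: {app}")
    return violations


def decide_actions(violations: List[str], policy: Policy) -> List[str]:
    """Map violations to the actions the MDM would take (names are assumptions)."""
    if not violations:
        return []
    actions = ["alert", "email_admin"]           # the minimum response
    if any("passcode" in v for v in violations):
        actions.append("re_enable_passcode")     # alternatives: change it, lock the device
    if policy.deny_access_when_noncompliant:
        actions.append("deny_company_resources")
    return actions


def check(device: DeviceState, policy: Policy) -> dict:
    """One monitoring cycle for one device report."""
    violations = evaluate(device, policy)
    return {"device": device.device_id, "compliant": not violations,
            "violations": violations, "actions": decide_actions(violations, policy)}


# Constructed sample data (app ids and device ids are made up)
POLICY = Policy(
    required_apps=frozenset({"com.example.mdm.agent"}),
    blocked_apps=frozenset({"com.example.free.flashlight"}),
)
STRICT_POLICY = Policy(
    required_apps=POLICY.required_apps,
    blocked_apps=POLICY.blocked_apps,
    deny_access_when_noncompliant=True,
)
COMPLIANT_DEVICE = DeviceState(
    "tablet-01", passcode_enabled=True, encrypted=True, unknown_sources_enabled=False,
    installed_apps=frozenset({"com.example.mdm.agent", "com.example.mail"}),
)
DRIFTED_DEVICE = DeviceState(
    "phone-07", passcode_enabled=False, encrypted=True, unknown_sources_enabled=True,
    installed_apps=frozenset({"com.example.free.flashlight"}),
)


if __name__ == "__main__":
    for dev in (COMPLIANT_DEVICE, DRIFTED_DEVICE):
        print(check(dev, STRICT_POLICY))
```

A real agent would feed `check()` with each periodic device report and raise the alert on the first cycle in which `compliant` flips to false; keeping `evaluate()` free of side effects makes the policy logic easy to unit-test on its own.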

Every survey indicates that employees will continue to use mobile devices more frequently than they do today. The trend is not about to reverse. As a business, you need to be thinking about how you can best manage and secure those devices and the data they access. Give us a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.

Time to Change Your Password …or Is It?

Posted on: July 28th, 2017 by jiml | No Comments

The National Institute of Standards and Technology (NIST) has released new guidelines for strong passwords. Past recommendations included long passwords that mix in upper- and lower-case characters and special characters, and changing that password on a regular basis. This was a difficult proposition for many users who did not use any type of password manager. A person in today’s digital world needs so many passwords that it is nearly impossible to keep them all strong. The emergence of password management software like LastPass and KeePass helped alleviate some of those problems.

Not all passwords need to be created equal. For example, which account would you prefer to have a strong password on: your bank account or your Shutterfly account? Your email account or your magazine subscription account? For certain accounts, a strong password is imperative. There is just too much at risk if your account is compromised. Strong passwords are those that can help protect your account from the myriad of programs that hackers use to try to break into your account. Consider using a password checker to verify the password strength. Click here for one from LastPass.

Another example of passwords that do not need to be created equal is accounts that you need to log into regularly vs. accounts you do not. As an example, Colden Company creates passwords for encryption keys for our customers’ backup accounts. We use a program to randomly generate a 48-character password. An example might be “#$DfhlutyST^54*^&##Jllos)1^CHJuek*7SL,ko&^d5SKkw”. How would you like to have to type that in every day? It would not be feasible. But it is feasible for an account that is set up, used for backup, and rarely typed in. It is very strong and long for protecting vital data.

Strong passwords are important to prevent hacking of your account, but equally important is to have a system of creating unique, strong passwords for your various accounts. The strongest password in the world is no help when Yahoo is hacked and your password is stolen. What many people fail to consider is that they may be using that same password for different services. As an example, you may not be that concerned if your Yahoo account is hacked, but what if you are using those same credentials at your bank? Now is that a concern? The difficulty in maintaining and changing strong passwords so frequently presents a problem, leading many people to reuse the same username/password combination at various sites. When one of those is compromised, they are all at risk.

This leads us back to the NIST password recommendations. In this year’s publication, NIST is loosening the complexity and duration standards. In other words, they don’t feel it is necessary to change your password every 90 days any more. It is more important to have a strong password with adequate length. Password length is an area where they have strengthened the recommendations. An example of a long password is “Owl Eagle Horse Cow”. Here we have a twenty-character password (including spaces) that is easy to remember, lacks the complexity of special characters, and has adequate length to protect against automated password-guessing programs. Now, in our opinion, it won’t be long before hackers adjust their practices as they always do, so we, at Colden, still recommend mixing in a special character or two for added protection.

Finally, there is the option of multi-factor authentication. Colden uses two-factor authentication (2FA) for any customer information. This means that a simple username and password combination does not get access to the information. A secondary and different authentication factor must be used; in our case a random number generated by Google Authenticator that changes every 30 seconds. These are tied to our accounts, so we are notified of access attempts, and it means that even if our login and password credentials are stolen, hackers will not be able to access any customer information. Businesses should consider deploying this type of security for critical applications.

Is your business keeping up with changing guidelines? Give us a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.

Company Policy Updates

Posted on: June 27th, 2017 by jiml | No Comments

It is important for any business, regardless of size, to have properly documented policies. These policies provide protection for the employees as well as the business itself. Just like with technology, it is important to keep up with the changing times. All too often businesses develop a handbook and it sits around collecting dust over the years. These handbooks should be regularly reviewed and updated.

In terms of IT policies, technology is continually changing as are the threats that businesses face. Having strong Internet Acceptable Use policies and ensuring new employees sign off as having read and understood the policies is a great first step to protecting your critical business data. How your employees access and protect your data on mobile devices also should be addressed. This is a good example of a policy that did not make it into many handbooks five years ago but is important today. These policies should clearly define consequences for failure to comply with company policies.

In the disaster recovery arena, one of the areas that has been getting a lot of attention is having an Active Shooter policy. According to a 2016 study by Everbridge, active shooter situations were the number one threat that concerned businesses thought they should be preparing for. Employees should know how to react and what to do in these situations. Of course, the safety of the employee is always the first priority; the police should be notified once it is safe to do so, and finally other employees should be notified. This last step comes with some questions. How do you best do that? There are Emergency Notification Systems (ENS) which can provide text alerts to all employees in such an event and may be lifesaving. These systems are worth consideration when developing your policy.

Is your business keeping its IT policies and company handbook up to date? If not, give us a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.

Ransomware in the News Again

Posted on: May 29th, 2017 by jiml | No Comments

Ransomware is making the news again this month, with the WannaCry virus that affected hundreds of thousands of computers in many countries around the world (150 countries according to Wikipedia), including the United States. This virus encrypts all of your files and demands a ransom in return for the decryption key. If your data was not properly backed up, your data was at risk.

This particular strain of ransomware attacked a known vulnerability in Windows operating systems using the exploit called EternalBlue. Microsoft had released a patch for it, so if your computers were properly patched you were not at risk; if you are in the habit of delaying Windows updates, your system was at risk. Systems running Windows XP were most at risk because there was no patch available for the vulnerability (Microsoft has since released a patch that XP users have to download manually), but the vast majority of infected computers were Windows 7 computers. This is due in part to the far wider use of Windows 7 compared to Windows XP, which has been phased out in many places, as well as to the change in policy with Windows 10 that makes it more difficult to delay and manage updates. Since Microsoft installs updates for you in most versions of Windows 10, most Windows 10 systems were patched.

While keeping your systems properly patched was the best defense in this case, most strains of ransomware attack through email or by enticing users to click on ads or other click bait that infects their computers. The vast majority of ransomware strains work in this manner, which is why it is critical to have defenses for these types of attacks. Quality spam filtering screens out many of the email attacks. User education is key to recognizing those attacks that make it past the spam filter. Web filtering is key to preventing users from going to known bad sites and accidentally infecting their machines. Finally, having a reliable backup system in place is your last line of defense. Paying the ransom should never be an option, as it only perpetuates the cycle. Security is best applied in layers.

As we have said in many previous blog posts, if you are running your business the same way you were three or four years ago, you are falling behind. This is especially true with security. The security threats have dramatically increased in that time and your security defenses need to keep pace.

Contact us today to review your data security at (888) 600-4560, email us, or visit us on Facebook or Twitter.

What is the Windows 10 Creators Update?

Posted on: April 28th, 2017 by jiml | No Comments

You may have heard about a new Microsoft update to Windows 10 being released called “Creators Update”. This release is now in production and Microsoft will be automatically installing it on all Windows 10 computers in a staggered release. If you are running Windows 10, you will eventually get the Creators Update.

So, what is in this update and why is it called “Creators Update”? Microsoft is appealing to a target audience here with enhancements for those who use their computer for drawing, gaming, or other creative endeavors. Windows 10 Creators Update will have a new app called Paint 3D and be better able to render and work with 3D imaging. Paint 3D will allow users to take a two-dimensional object and render it as a 3D object. There are myriad of gaming updates which we will not discuss here in a business-focused blog.

Microsoft has also made improvements to its Edge browser. If you were an early adopter of Windows 10, you may not have had a great experience with the Edge browser. Microsoft released it, perhaps prematurely, before functionality like browser extensions were available. If you fall into this camp, I would encourage you to take another look at Edge. The Creators Update will offer many new extensions like RoboForm and others. Jump lists are supported now making it easier to open the window you want right from the task bar.

One new feature I am looking forward to is the “Night Light” feature, another screen brightness setting that reduces the amount of blue light emitted from your computer for night-time reading.

For a more detailed article from Microsoft click here.

Not running Windows 10 yet? Want the Creators Update more quickly? Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.

The Security Weak Link – Users!

Posted on: March 30th, 2017 by jiml | No Comments

It’s said that amateurs hack computers and professionals hack humans.

With all the recent discussion about ransomware, malware delivered by malicious websites, and other technology-enabled attacks on businesses, it’s easy to be lulled into a false sense of security by thinking that technology created security problems and technology (e.g. antivirus software, firewalls, etc.) can, should, and will solve these security problems for your business.

Social engineering attacks outnumbered attacks on software vulnerabilities and exploits for the first time in 2015. Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss amounting to more than $2.3 billion. Hackers are attacking the weakest link in any business’ security perimeter – the employees – to steal from your business!

Social engineering is using manipulation, influence and deception to get your employee to comply with a request, and the request is usually to release information or to perform some sort of action that benefits the attacker. It could be something as simple as a conversation over the telephone or something as complex as getting your employee to visit a website that exploits a technical flaw and allows the hacker to take over the computer. Your employees could be tricked into anything from allowing someone access to your office to giving up their passwords or user IDs over the phone. Social engineers go to great lengths to gain access to data they can exploit, such as personal information (passwords, account numbers, etc.), company information (phone lists, identity badges, etc.), and network information (servers, networks, etc.).

Some examples of social engineering attacks are the following.

Spear Phishing – Instead of casting out thousands of emails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The emails are ostensibly sent from organizations or individuals the potential victims would normally get emails from (CEO, CFO, company website, vendors and supplies, etc.), making them even more deceptive. These emails often convey a high sense of urgency, making employees act quickly without thinking the situation through.

Dumpster Diving – This is exactly what it sounds like: digging through trash looking for valuable information such as junk mail (especially credit card offers), company phone lists, company org charts (names, titles, etc.), corporate letterhead to create official-looking correspondence, and even computers and other electronic equipment that might contain valuable data.

Six Degrees of Separation – Here the hacker identifies a “whale,” or a high-level employee. Using social media and watching their in-person patterns, the hacker reaches out to the target’s friends, family, or employees with the full intention of earning the trust of the target eventually. The criminal may begin by gathering personal nuggets about team members, as well as other “social cues” to build trust or even successfully masquerade as an employee.

Social engineering is an undeniable reality with the potential to have a very real-world impact on your business. What are some ways that your business can protect your employees and keep valuable data out of the hands of criminals who could damage your business?

1. Password Management – Outline strict standards for secure passwords (length and complexity) and insist on regular password expiration and change.

2. Two-Factor Authentication – Two-factor authentication, also known as 2FA, requires not only a password and username but also something that only your employee has access to, such as a physical token or token-generating app. Use 2FA to secure high-risk network services like VPNs or third-party web services.

3. Anti-Virus Defenses – Always enable and keep updated anti-virus defenses at vulnerable locations such as firewalls, email gateways, and employee workstations.

4. Change Management – When your employees are comfortable and familiar with a well-documented change-management process (rather than reacting off the cuff), they’re less vulnerable to an attack that relies on a false sense of urgency.

5. Information Classification – Ensure that confidential information is clearly identified, uniquely secured, and handled as such.

6. Document Destruction – Confidential information should be shredded rather than thrown into the trash or recycling.

7. Data Destruction – Electronic equipment and storage devices should always be responsibly disposed of using an R2 certified recycler that provides specific data destruction services and documentation.

Most important of all is building a security-aware culture in your business. Educate your employees on the real-world damage done by such theft to other companies. Empower your employees to recognize threats and make smart security decisions on their own. Embed security awareness deeply in the minds of your employees and ensure that employees at every organizational level feel comfortable with reporting anything suspicious.

Colden Company can provide your business with several security services to keep your business safe. We offer managed antivirus, regular security assessments, vulnerability scanning (internal and external), hacking detection, systems patching and updating, perimeter security services, and other technology-enabled solutions to protect your business. In keeping with the topic of social engineering, we can provide security awareness training to your employees as a first step in embedding a security awareness in your business. Building awareness is the single most important step you can take to keep ahead of the criminals.

Don’t be a victim or another FBI statistic! Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.

Have Private Information on Your Network? Learn How to Avoid Fines!

Posted on: February 23rd, 2017 by jiml | No Comments

Businesses have a responsibility to protect “private” information that belongs to employees and customers. Social security numbers, credit card numbers, and health information are among the information that falls under these legal protections. If you are storing this type of information and your network is breached, your business has a legal responsibility to report that to the appropriate authority.

The nightly news is filled with examples of corporations receiving large fines for breaches, such as AT&T’s $25 million fine and Morgan Stanley’s $1 million fine. What is less well known is that small businesses are far more often the victims of breaches, and those small businesses are subject to fines and to the cost of credit monitoring for each person whose information was breached. With the massive increase in malware, the threat of a data breach is higher than ever. How do you avoid being the victim and avoid those costly fines?

Cybersecurity is a topic we could blog on all year and still not cover every angle. For the purposes of this discussion, we will focus on a proactive measure that your business can take, which is to identify your areas of risk. That identification process is accomplished by scanning computers for the types of information that your business has a legal obligation to protect. Our scans find and report on the location of that data so remediation can take place. With this information, a decision can be made to either discard the private data if it is not needed or protect it if it is.
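The scan described above is essentially pattern matching for regulated data types plus a validity check to keep false positives down. The following Python is an added example of that idea and is not Colden Company’s scanning tool: it finds SSN-shaped and payment-card-shaped numbers in text, keeps only card candidates that pass the Luhn checksum, reports masked values only (so the report does not itself become another copy of the data), and walks a directory of plain-text files. The sample text, the file name and the function names are constructed for the example.

```python
"""Discover regulated data (SSNs, payment card numbers) in plain-text files.
Added example, not Colden Company's scanner. Findings carry masked values
only, so the report is safe to hand to the business owner for remediation.
Sample text, file names and function names are constructed for this example.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterable, List

# US SSN in dashed form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in the report."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    kind: str      # "ssn" or "card"
    masked: str


def scan_text(source: str, text: str) -> List[Finding]:
    """Scan one text blob; 'source' is just a label for the report."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(source, line_no, "ssn", mask(m.group().replace("-", ""))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(source, line_no, "card", mask(digits)))
    return findings


def scan_directory(root: str, extensions: Iterable[str] = (".txt", ".csv", ".log")) -> List[Finding]:
    """Walk a directory tree and scan text files with the given extensions."""
    findings: List[Finding] = []
    suffixes = tuple(extensions)
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(path, fh.read()))
    return findings


# Constructed sample: the card is a well-known test number, the SSN an example value.
# The order number is 13 digits but fails Luhn, so it should not be reported.
SAMPLE = """Customer: Jane Example
SSN: 123-45-6789
Card on file: 4111-1111-1111-1111
Order #1234567890123 shipped
Phone: (888) 600-4560
"""


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "customers.txt"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        for f in scan_directory(tmp):
            print(f"{f.source}:{f.line_no}: {f.kind} {f.masked}")
```

Real scanners also open office documents, PDFs and mail stores, and add patterns for health data, but the structure is the same: a candidate pattern, a validity check, and a report that locates rather than copies the sensitive value.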

The scan results have often been startling to the business owner. We have found information that would have led to as much as six figure fines. Don’t get taken by surprise, let Colden Company help you avoid the fines! Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.

Options for Purchasing Microsoft Office Licensing

Posted on: January 30th, 2017 by jiml | No Comments

If you are a regular reader of our blog, you are already familiar with Microsoft Office 365. At its core, it is a cloud email solution. Microsoft Office licensing can be bundled with it, or even purchased as a standalone product without email should you already have an email solution you are pleased with. For now, Microsoft still allows customers to purchase Office licenses as you have in the past, with retail, volume, or OEM (Original Equipment Manufacturer) versions where you pay a one-time fee and are delivered that specific version of Microsoft Office. Let’s give you a quick description of these.

Retail: Retail or FPP (Full Packaged Product) licenses come in single-user or multi-user versions and have a license key for that exact number of licenses. A three-user license may be installed on three different computers, as an example.

Volume: Volume licensing is slightly more expensive, but allows a single key to be used across installations and allows licenses to be easily moved from machine to machine. Licenses can be added as needed to a volume license agreement.

OEM: OEM licenses are preloaded versions of Office that are installed on computers for sale by the manufacturer. Companies like Dell and HP pre-install OEM versions of Office that are tied to the computer. These licenses are the cheapest of the bunch but also the most limiting, as the license dies with the computer it is tied to.

Any of these methods may be the right method for your business depending on your individual needs. Today, Microsoft Office licensing can also be purchased through Microsoft Office 365 plans. At its core this is a software-as-a-service model with subscription-based pricing. Your business is charged a monthly or annual fee for the license. While this may not be appealing to some of you reading this, let me explain the advantages. The licenses are user-based licenses and can be installed on up to five devices. For example, I have a work laptop, a backup PC, and a tablet. I am utilizing the same Office license on all three devices. This results in savings for my situation over the traditional licenses.

Another major benefit is the ability to upgrade to newer versions without requiring any repurchasing of licenses. When Microsoft released Office 2016 in the fall of 2015, I simply upgraded my Office 2013 software on each device to the new version as I was ready. Patches and fixes are also made available continually and without any additional costs, so your software stays up-to-date, secure, and productive for you. After all, they don’t call Microsoft Office a productivity suite for nothing.

There are many ways and places to buy Office 365 licenses. No matter where you go, the pricing is dictated by Microsoft and should be the same. We encourage you to purchase through a registered Microsoft Partner, like Colden Company, who understands the different licensing options as well as what options are available for your business needs. There are many different Office 365 packages that include Office licenses, hosted and secure email, and even more tools to help your business.

Did you know that under certain circumstances you can short-change your license period by renewing before your old license expires? We have helped several customers who thought they were saving money by trying to navigate the Office 365 environment themselves, only to discover the landscape is complex. Save your time and your money by partnering with an expert like Colden Company who can guide you through the process. Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.