Why and How to Secure Mobile Devices

Posted on: August 29th, 2017 by jiml | No Comments

As more business processes are either pushed to or accessed on mobile devices (phones, tablets, laptops, etc.), organizations need to be able to secure both the device itself and the data which the device accesses. Colden Company’s Mobile Device Management (MDM) service provides affordable protection for the most common security scenarios.

Physical Security

Since these devices leave the office, they may be left intentionally in vehicles, homes and hotel rooms, left unintentionally in places like restaurants or stores, or be misplaced or stolen outright, so the first concern is being able to locate the device. With the MDM agent installed, the device periodically checks in with its physical location, which can be tracked on a map to allow for retrieval.

Protection From Unauthorized Access

The agent can configure the device with a screen lock passcode (and change it) and remotely lock the device. The data on the device can be encrypted and, if there is a concern that the device’s security has been compromised, the entire device can be remotely wiped.

Protection From Malware

While the overall risk of malware is lower on iOS (Apple) and Android phones and tablets than on desktop and laptop computers, it is still a very real concern that needs to be addressed. Users have permission to do things like configure the device settings, connect to wireless networks, and add or remove apps, but while they are actually using an app on the device, they are not acting with those permissions. Once an app is installed, what it can do is limited to the permissions it was granted at installation. For example, it is not possible to run an executable program from a web browser or email app the way a user can on a PC, because while running those apps the user is not acting as an administrator of the device.

So the most critical layer of protection against malware is to ensure that apps are installed from a trusted source that verifies they do not contain malware. For iOS, the Apple App Store screens all apps offered through the store. For Android devices, the Google Play store has less oversight on what apps are offered, but the Play Protect service on each device does a background check of each installed app to detect harmful apps. This check is especially important because, unlike on Apple devices, it is possible to install apps on Android devices from locations other than Google Play. It’s worth noting that all reports of Android malware to date have come from installing compromised or malicious apps, whether from the Google Play store or from a third-party source.
MDM addresses this issue through policies that allow only specific apps to be installed, identify specific apps that cannot be installed, require that specific apps be installed and, for Android devices, disable the ability to install apps from any location other than Google Play. Actively managing what apps can and cannot be installed is the most effective protection from malware.

Monitoring Compliance

Mobile users generally have administrative privileges on their devices. To ensure that protection stays active, the MDM agent is configured with policies and rules that define how the device must be configured and what action to take if that configuration changes (non-compliance). It continuously monitors the device for configuration changes, compares them to the device’s policies and acts when the device falls out of compliance. At a minimum, non-compliance generates an alert and an administrative email, which can also be sent to the user. For example, if a lock screen passcode is a required policy item and the user disables the passcode, an alert is triggered along with an email message. The administrator then has the option of re-enabling the passcode, changing it or locking the device. For a more security-conscious approach, non-compliant devices can be denied access to company resources until they are back in compliance.
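To make the policy-versus-configuration comparison concrete, here is an added illustration written for this post; it is not Colden Company’s MDM product or any vendor’s agent code. The policy fields, the device check-in fields (`passcode_enabled`, `storage_encrypted`, `unknown_sources`, `installed_apps`), the app identifiers and the action names are all assumptions chosen for the example.

```python
"""Added example (not Colden Company's MDM product or any vendor agent):
a minimal policy-versus-device compliance check of the kind an MDM agent
performs on every check-in. Policy fields, report fields, app identifiers
and action names are assumptions made for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Required device configuration (assumed schema)."""
    require_passcode: bool = True
    require_encryption: bool = True
    allow_unknown_sources: bool = False        # Android: installs from outside Google Play
    required_apps: frozenset = frozenset()     # apps that must be present
    blocked_apps: frozenset = frozenset()      # apps that must be absent


@dataclass(frozen=True)
class Violation:
    setting: str
    expected: object
    actual: object
    remediation: str                           # what an administrator could do about it


def check_compliance(policy: Policy, report: dict) -> list:
    """Compare one device check-in (assumed field names) against the policy."""
    found = []
    if policy.require_passcode and not report.get("passcode_enabled", False):
        found.append(Violation("passcode_enabled", True, False,
                               "re-enable or reset the passcode, or lock the device"))
    if policy.require_encryption and not report.get("storage_encrypted", False):
        found.append(Violation("storage_encrypted", True, False, "enforce storage encryption"))
    if not policy.allow_unknown_sources and report.get("unknown_sources", False):
        found.append(Violation("unknown_sources", False, True,
                               "disable installation from unknown sources"))
    installed = set(report.get("installed_apps", []))
    for app in sorted(policy.required_apps - installed):
        found.append(Violation(f"app:{app}", "installed", "missing", "push the required app"))
    for app in sorted(policy.blocked_apps & installed):
        found.append(Violation(f"app:{app}", "absent", "installed", "remove the blocked app"))
    return found


def changed_settings(previous: dict, current: dict) -> list:
    """Keys whose value differs between two check-ins: the 'continuous
    monitoring' part, so the agent can react to a change as it happens."""
    keys = set(previous) | set(current)
    return sorted(k for k in keys if previous.get(k) != current.get(k))


def evaluate_device(policy: Policy, report: dict, strict: bool = False) -> dict:
    """Decide what to do. The minimum response to non-compliance is an alert
    plus an administrative email; strict mode also denies access to company
    resources until the device is back in compliance."""
    violations = check_compliance(policy, report)
    actions = []
    if violations:
        actions += ["alert", "email administrator"]
        if strict:
            actions.append("deny access to company resources")
    return {"device_id": report.get("device_id"), "compliant": not violations,
            "violations": violations, "actions": actions}


# Constructed sample policy and check-ins (not real devices or app IDs).
POLICY = Policy(required_apps=frozenset({"com.example.mdmagent"}),
                blocked_apps=frozenset({"com.example.filesharing"}))
CHECKIN_OK = {"device_id": "tablet-07", "passcode_enabled": True, "storage_encrypted": True,
              "unknown_sources": False,
              "installed_apps": ["com.example.mdmagent", "com.example.mail"]}
CHECKIN_BAD = {"device_id": "phone-12", "passcode_enabled": False, "storage_encrypted": True,
               "unknown_sources": True,
               "installed_apps": ["com.example.mdmagent", "com.example.filesharing"]}

if __name__ == "__main__":
    for report in (CHECKIN_OK, CHECKIN_BAD):
        result = evaluate_device(POLICY, report, strict=True)
        state = "compliant" if result["compliant"] else "NON-COMPLIANT"
        print(result["device_id"], state, result["actions"])
        for v in result["violations"]:
            print(f"  {v.setting}: expected {v.expected}, got {v.actual} -> {v.remediation}")
```

The check is deliberately split into “what is wrong” (`check_compliance`) and “what to do about it” (`evaluate_device`), so the same findings can drive the minimum alert-and-email response or the stricter deny-access response depending on how security-conscious the organization wants to be.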

Every survey indicates that employees will continue to use mobile devices more frequently than they do today. The trend is not about to reverse. As a business, you need to be thinking about how you can best manage and secure those devices and the data they access. Give us a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.

Time to Change Your Password …or Is It?

Posted on: July 28th, 2017 by jiml | No Comments

The National Institute of Standards and Technology (NIST) has released new guidelines for strong passwords. Past recommendations included long passwords that mix upper- and lower-case characters and special characters, and changing that password on a regular basis. This was a difficult proposition for many users who did not use any type of password manager. A person in today’s digital world needs so many passwords that it is nearly impossible to keep up strong ones for all of them. The emergence of password management software like LastPass and KeePass helped alleviate some of those problems.

Not all passwords need to be created equal. For example, which account would you rather have a strong password on: your bank account or your Shutterfly account? Your email account or your magazine subscription account? For certain accounts a strong password is imperative; there is just too much at risk if the account is compromised. Strong passwords are those that help protect your account from the myriad of programs hackers use to try to break into it. Consider using a password checker to verify password strength. Click here for one from LastPass.

Another case where passwords do not need to be created equal is accounts you log into regularly versus accounts you do not. As an example, Colden Company creates passwords for the encryption keys of our customers’ backup accounts. We use a program to randomly generate a 48-character password. An example might be “#$DfhlutyST^54*^&##Jllos)1^CHJuek*7SL,ko&^d5SKkw”. How would you like to type that in every day? It would not be feasible. But it is feasible for an account that is set up once, used for backups and rarely needs to be typed in. It is very strong and long, for protecting vital data.

Strong passwords are important to prevent hacking of your account, but equally important is having a system for creating unique, strong passwords for your various accounts. The strongest password in the world is no help when Yahoo is hacked and your password is stolen. What many people fail to consider is that they may be using that same password for different services. As an example, you may not be that concerned if your Yahoo account is hacked, but what if you are using those same credentials at your bank? Now is that a concern? The difficulty of maintaining and changing strong passwords so frequently leads many people to reuse the same username/password combination at various sites. When one of those is compromised, they are all at risk.

This leads us back to the NIST password recommendations. In this year’s publication, NIST is loosening the complexity and duration standards. In other words, they no longer feel it is necessary to change your password every 90 days. It is more important to have a strong password of adequate length; password length is an area where they have strengthened the recommendations. An example of a long password is “Owl Eagle Horse Cow”. Here we have a twenty-character password (including spaces) that is easy to remember, lacks the complexity of special characters, and has adequate length to protect against automated password-guessing programs. Now, in our opinion, it won’t be long before hackers adjust their practices as they always do, so we at Colden still recommend mixing in a special character or two for added protection.

Finally, there is the option of multi-factor authentication. Colden uses two-factor authentication (2FA) for any customer information. This means that a simple username and password combination does not get access to the information. A secondary and different form of authentication must be used, in our case a random code generated by Google Authenticator that changes every 30 seconds. These codes are tied to our accounts, so we are notified of access attempts, and even if our login and password credentials are stolen, hackers will not be able to access any customer information. Businesses should consider deploying this type of security for critical applications.

Is your business keeping up with changing guidelines? Give us a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.

Company Policy Updates

Posted on: June 27th, 2017 by jiml | No Comments

It is important for any business, regardless of size, to have properly documented policies. These policies provide protection for the employees as well as the business itself. Just as with technology, it is important to keep up with the changing times. All too often businesses develop a handbook and it sits around collecting dust over the years. These handbooks should be regularly reviewed and updated.

In terms of IT policies, technology is continually changing as are the threats that businesses face. Having strong Internet Acceptable Use policies and ensuring new employees sign off as having read and understood the policies is a great first step to protecting your critical business data. How your employees access and protect your data on mobile devices also should be addressed. This is a good example of a policy that did not make it into many handbooks five years ago but is important today. These policies should clearly define consequences for failure to comply with company policies.

In the disaster recovery arena, one area that has been getting a lot of attention is having an Active Shooter policy. According to a 2016 study by Everbridge, active shooter situations were the number one threat that concerned businesses thought they should be preparing for. Employees should know how to react and what to do in these situations. Of course, the safety of the employee is always the first priority; notifying police should occur once safe, and finally other employees should be notified. This last step raises a question: how do you best do that? There are Emergency Notification Systems (ENS) which can send text alerts to all employees in such an event, and that may be lifesaving. These systems are worth considering when developing your policy.

Is your business keeping its IT policies and company handbook up to date? If not, give us a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.

Ransomware in the News Again

Posted on: May 29th, 2017 by jiml | No Comments

Ransomware is making the news again this month, with the WannaCry virus that affected hundreds of thousands of computers in many countries around the world (150 countries according to Wikipedia), including the United States. This virus encrypts all of your files and demands a ransom in return for the decryption key. If your data was not properly backed up, it was at risk.

This particular strain of ransomware exploited a known vulnerability in Windows operating systems using the EternalBlue exploit. Microsoft had already released a patch for it, so if your computers were properly patched you were not at risk; if you are in the habit of delaying Windows updates, your system was at risk. Systems running Windows XP were most at risk because there was no patch available for the vulnerability (Microsoft has since released one that XP users have to download manually), but the vast majority of infected computers were Windows 7 machines. This is due in part to the vast proliferation of Windows 7 compared to Windows XP, which has been phased out in many places, as well as the change in policy with Windows 10 that makes it more difficult to delay and manage updates. Since Microsoft installs updates for you in most versions of Windows 10, most Windows 10 systems were patched.

While keeping your systems properly patched was the best defense in this case, most strains of ransomware attack through email or by enticing users to click on ads or other click bait. The vast majority of ransomware strains work this way, which is why it is critical to have defenses against these types of attacks. Quality spam filtering is important to filter out much of the email-borne attacks. User education is key to recognizing the attacks that make it past the spam filter. Web filtering is key to preventing users from visiting known bad sites and accidentally infecting their machines. Finally, a reliable backup system is your last line of defense. Paying the ransom should never be an option, as it only perpetuates the cycle. Security is best applied in layers.

As we have said in many previous blog posts, if you are running your business the same way you were three or four years ago, you are falling behind. This is especially true with security. The security threats have dramatically increased in that time and your security defenses need to keep pace.

Contact us today to review your data security at (888) 600-4560, email us, or visit us on Facebook or Twitter.

What is the Windows 10 Creators Update?

Posted on: April 28th, 2017 by jiml | No Comments

You may have heard about a new Microsoft update to Windows 10 being released called “Creators Update”. This release is now in production and Microsoft will be automatically installing it on all Windows 10 computers in a staggered release. If you are running Windows 10, you will eventually get the Creators Update.

So, what is in this update and why is it called “Creators Update”? Microsoft is appealing to a target audience here with enhancements for those who use their computer for drawing, gaming, or other creative endeavors. The Windows 10 Creators Update includes a new app called Paint 3D and is better able to render and work with 3D imaging. Paint 3D allows users to take a two-dimensional object and render it as a 3D object. There are a myriad of gaming updates which we will not discuss here in a business-focused blog.

Microsoft has also made improvements to its Edge browser. If you were an early adopter of Windows 10, you may not have had a great experience with the Edge browser. Microsoft released it, perhaps prematurely, before functionality like browser extensions were available. If you fall into this camp, I would encourage you to take another look at Edge. The Creators Update will offer many new extensions like RoboForm and others. Jump lists are supported now making it easier to open the window you want right from the task bar.

One new feature I am looking forward to is “Night Light”, another screen brightness setting that reduces the amount of blue light emitted by your screen for night-time reading.

For a more detailed article from Microsoft click here.

Not running Windows 10 yet? Want the Creators Update more quickly? Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.

The Security Weak Link – Users!

Posted on: March 30th, 2017 by jiml | No Comments

It’s said that amateurs hack computers and professionals hack humans.

With all the recent discussion about ransomware, malware delivered by malicious websites, and other technology-enabled attacks on businesses, it’s easy to be lulled into a false sense of security by thinking that technology created security problems and technology (e.g. antivirus software, firewalls, etc.) can, should, and will solve these security problems for your business.

Social engineering attacks outnumbered attacks on software vulnerabilities and exploits for the first time in 2015. Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss amounting to more than $2.3 billion. Hackers are attacking the weakest link in any business’ security perimeter – the employees – to steal from your business!

Social engineering is using manipulation, influence and deception to get your employee to comply with a request, usually a request to release information or to perform some action that benefits the attacker. It could be something as simple as a conversation over the telephone or as complex as getting your employee to visit a website that exploits a technical flaw and allows the hacker to take over the computer. Your employees could be tricked into anything from allowing someone access to your office to giving up their passwords or user IDs over the phone. Social engineers go to great lengths to gain access to data they can exploit, such as personal information (passwords, account numbers, etc.), company information (phone lists, identity badges, etc.), and network information (servers, networks, etc.).

Some examples of social engineering attacks are the following.

Spear Phishing – Instead of casting out thousands of emails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common: they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The emails are ostensibly sent from organizations or individuals the potential victims would normally get emails from (CEO, CFO, company website, vendors and suppliers, etc.), making them even more deceptive. These emails often convey a high sense of urgency, making employees act quickly without thinking the situation through.

Dumpster Diving – This is exactly what it sounds like: digging through trash looking for valuable information such as junk mail (especially credit card offers), company phone lists, company org charts (names, titles, etc.), corporate letterhead to create official-looking correspondence, and even computers and other electronic equipment that might contain valuable data.

Six Degrees of Separation – Here the hacker identifies a “whale,” or a high-level employee. Using social media and watching their in-person patterns, the hacker reaches out to the target’s friends, family, or employees with the full intention of earning the trust of the target eventually. The criminal may begin by gathering personal nuggets about team members, as well as other “social cues” to build trust or even successfully masquerade as an employee.

Social engineering is an undeniable reality with the potential to have a very real-world impact on your business. What are some ways that your business can protect your employees and keep valuable data out of the hands of criminals who could damage your business?

1. Password Management – Outline strict standards for secure passwords (length and complexity) and insist on regular password expiration and change.

2. Two-Factor Authentication – Two-factor authentication, also known as 2FA, requires not only a password and username but also something that only your employee has access to such as a physical token or token-generating app. Use 2FA to secure high-risk network services like VPNs or third-party web services.

3. Anti-Virus Defenses – Always enable and keep updated anti-virus defenses at vulnerable locations such as firewalls, email gateways, and employee workstations.

4. Change Management – When your employees are comfortable and familiar with a well-documented change-management process (rather than reacting off the cuff), they’re less vulnerable to an attack that relies on a false sense of urgency.

5. Information Classification – Ensure that confidential information is clearly identified, uniquely secured, and handled as such.

6. Document Destruction – Confidential information should be shredded rather than thrown into the trash or recycling.

7. Data Destruction – Electronic equipment and storage devices should always be responsibly disposed of using an R2 certified recycler that provides specific data destruction services and documentation.

Most important of all is building a security-aware culture in your business. Educate your employees on the real-world damage done by such theft to other companies. Empower your employees to recognize threats and make smart security decisions on their own. Embed security awareness deeply in the minds of your employees and ensure that employees at every organizational level feel comfortable with reporting anything suspicious.

Colden Company can provide your business with several security services to keep your business safe. We offer managed antivirus, regular security assessments, vulnerability scanning (internal and external), hacking detection, systems patching and updating, perimeter security services, and other technology-enabled solutions to protect your business. In keeping with the topic of social engineering, we can provide security awareness training to your employees as a first step in embedding a security awareness in your business. Building awareness is the single most important step you can take to keep ahead of the criminals.

Don’t be a victim or another FBI statistic! Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.

Have Private Information on Your Network? Learn How to Avoid Fines!

Posted on: February 23rd, 2017 by jiml | No Comments

Businesses have a responsibility to protect “private” information that belongs to employees and customers. Social security numbers, credit card numbers, and health information are among the information that falls under these legal protections. If you are storing this type of information and your network is breached, your business has a legal responsibility to report that to the appropriate authority.

The nightly news is filled with examples of corporations receiving large fines for breaches, such as AT&T’s $25 million fine and Morgan Stanley’s $1 million fine. What is less well known is that small businesses are far more often the victims of breaches, and those small businesses are subject to fines and to the cost of credit monitoring for each person whose information was breached. With the massive increase in malware, the threat of a data breach is higher than ever. How do you avoid being the victim and avoid those costly fines?

Cybersecurity is a topic we could blog on all year and still not cover every angle. For the purposes of this discussion, we will focus on a proactive measure that your business can take which is to identify your areas of risk. That identification process is accomplished by scanning computers for the type of information that your business has a legal obligation to protect. Our scans find and report on the location of that data so remediation can take place. With this information, a decision can be made to either discard the private data if not needed or protect that data if needed.

The scan results have often been startling to the business owner. We have found information that would have led to as much as six figure fines. Don’t get taken by surprise, let Colden Company help you avoid the fines! Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.

Options for Purchasing Microsoft Office Licensing

Posted on: January 30th, 2017 by jiml | No Comments

If you are a regular reader of our blog, you are already familiar with Microsoft Office 365. At its core, it is a cloud email solution. Microsoft Office licensing can be bundled with it, or even purchased as a standalone product without email should you already have an email solution you are pleased with. For now, Microsoft still allows customers to purchase Office licenses as you have in the past, with retail, volume, or OEM (Original Equipment Manufacturer) versions where you pay a one-time fee and are delivered that specific version of Microsoft Office. Let’s give you a quick description of these.

Retail: Retail or FPP (Full Packaged Product) licenses come in single-user or multi-user versions and have a license key specifically for exactly that number of licenses. A three-user license may be installed on three different computers, for example.

Volume: Volume licensing is slightly more expensive, but allows a single key to be used across installations and allows licenses to be easily moved from machine to machine. Licenses can be added as needed to a volume license agreement.

OEM: OEM licenses are preloaded versions of Office that are installed on computers for sale by the manufacturer. Companies like Dell and HP pre-install OEM versions of Office that are tied to the computer. These licenses are the cheapest of the bunch but also the most limiting, as the license dies with the computer it is tied to.

Any of these methods may be the right method for your business depending on your individual needs. Today, Microsoft Office licensing can also be purchased through Microsoft Office 365 plans. At its core this is a software-as-a-service model with subscription-based pricing: your business is charged a monthly or annual fee for the license. While this may not be appealing to some of you reading this, let me explain the advantages. The licenses are user-based and can be installed on up to five devices. For example, I have a work laptop, a backup PC, and a tablet, and I use the same Office license on all three devices. This results in savings in my situation over the traditional licenses.

Another major benefit is the ability to upgrade to newer versions without requiring any repurchasing of licenses. When Microsoft released Office 2016 in the fall of 2015, I simply upgraded my Office 2013 software on each device to the new version as I was ready. Patches and fixes are also made available continually and without any additional costs, so your software stays up-to-date, secure, and productive for you. After all, they don’t call Microsoft Office a productivity suite for nothing.

There are many ways and places to buy Office 365 licenses. No matter where you go, the pricing is dictated by Microsoft and should be the same. We encourage you to purchase through a registered Microsoft Partner, like Colden Company, who understands the different licensing options as well as what options are available for your business needs. There are many different Office 365 packages that include Office licenses, hosted and secure email, and even more tools to help your business.

Did you know that under certain circumstances you can short-change your license period by renewing before your old license expires? We have helped several customers who thought they were saving money by trying to navigate the Office 365 environment themselves, only to discover that the landscape is complex. Save your time and your money by partnering with an expert like Colden Company who can guide you through the process. Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.

The Risk with Data Breaches

Posted on: December 27th, 2016 by jiml | No Comments

Does your company store private information such as credit card numbers, social security numbers, or health information? Are you sure? Data breaches where this type of information is exposed can cost your business money. A quick scan of the newspaper headlines on any given day will often report on a breach and subsequent fine, whether it be Morgan Stanley’s $1 million fine or AT&T’s $25 million fine. There are plenty of high-profile examples. Beyond the headlines, many smaller businesses are finding themselves subject to data breaches and fines. These fines may not run to the millions of dollars as in the cases mentioned above, but they can be just as impactful – if not more impactful – as small businesses might not have the same kind of financial cushion that big companies have.

Breaches, especially preventable breaches, that result in the exposure of private data will result in a fine. Businesses have a legal responsibility to report breaches that expose individuals’ private data. That responsibility varies from state to state. At Colden Company, we work with businesses large and small to assess that risk. We have specialized technology that can proactively scan your data resources for the type of protected data that, if breached, would result in a fine. We have worked with many small businesses that have told us “no, we do not store that type of data.” A quick search of the HR person’s computer often proves otherwise.
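The data-discovery scan described here and in the February post above (finding where social security and credit card numbers sit on a computer so they can be discarded or protected) is straightforward to illustrate. What follows is an added example written for this page, not Colden Company’s scanning technology: a plain-text scanner that looks for SSN-shaped and card-shaped values, rejects card-like numbers that fail the Luhn check so that order numbers and timestamps are not reported, and records only a masked copy of each hit so the scan report does not itself become a new copy of the private data. The sample document is constructed; real tools also open Office, PDF and database formats, which this example does not.

```python
"""Added example (not Colden Company's scanner): a small plain-text scan for
US social security numbers and payment card numbers, reporting where each
one sits (file, line) with a masked value. Sample input is constructed."""
import re
from pathlib import Path

# SSN: three groups, excluding areas 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report is safe to store."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str, source: str = "<text>") -> list:
    """Return one finding per hit: {'source', 'line', 'type', 'masked'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append({"source": source, "line": lineno, "type": "SSN",
                             "masked": mask(m.group())})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"source": source, "line": lineno, "type": "CARD",
                                 "masked": mask(digits)})
    return findings


def scan_file(path) -> list:
    """Scan one text file; undecodable bytes are skipped rather than aborting."""
    p = Path(path)
    return scan_text(p.read_text(encoding="utf-8", errors="ignore"), source=str(p))


# Constructed sample: one real-looking SSN, one Luhn-valid test card number,
# plus a phone number, an order number and a Luhn-invalid card to show the filters.
SAMPLE = """\
Employee onboarding form (constructed sample)
Name: Jane Doe   SSN: 123-45-6789
Phone: 555-867-5309   Order #: 20170529123045
Card on file: 4111 1111 1111 1111 exp 12/20
Ticket: 1234-56-7890 (four-digit area, not an SSN)
Declined card (fails Luhn): 4111 1111 1111 1112
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, source="onboarding.txt"):
        print(f"{f['source']}:{f['line']}  {f['type']}  {f['masked']}")
```

The point of the Luhn filter and the masking is the same as the post’s: a scan is a proactive measure, so its output should tell you which machine and which file to remediate without producing a second place where the raw numbers live.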

The question we are often asked is “what steps do we need to take to prevent getting fined?” Good question. Legal documents are often vague, citing businesses must take reasonable precautions. What constitutes reasonable? And if you are breached, it is very easy for the state to say your defenses were obviously not reasonable enough or you would not have been hacked! A leading non-profit security organization, SANS Institute, has compiled a list of twenty recommended security steps that businesses can take. If you would like a copy of this list, please email us at info@coldencompany.com.

There is a balance between usability of your systems and security of your systems. Given the nature of the threats that exist, we are advocating for a tip of the scales in favor of more security. The measures your business was taking two or three years ago may not be sufficient to protect your business from today’s threats. Add on to this the increasing likelihood that a breach can result in fines, lost data, and lost customer confidence and this should prompt your business to take a second look at its security practices.

Studies have shown that preventative maintenance is far less costly than reactionary spending to a breach. The scanning technology we spoke of above is just the type of preventative measure that can protect your business. This type of scan is extremely valuable as it can point you right to where your vulnerabilities are – vulnerabilities you might not know you have. Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter to schedule your scan.

The Importance of IT Policies

Posted on: November 23rd, 2016 by jiml | No Comments

Many businesses are operating today without documented IT policies. Most of those businesses wish they had policies in place, but with the busy schedules we all keep today, this task never seems to bubble to the top. Faced with this challenge I am reminded of a book I read many years ago called “The Seven Habits of Highly Effective People” by Stephen Covey. To paraphrase one of his habits, while most people spend their time putting out fires (quadrant one activities – urgent and important), effective people spend their time working on important things like planning that help to prevent the fires (quadrant two activities – important but not urgent). The development and updating of IT policies falls into the category of a quadrant two activity, meaning it is important but there is no immediate urgency to getting it done. If you wait too long, the day will come when a situation arises where you need, or wish you had, those policies in place. Dealing with that crisis becomes a quadrant one activity and is not effectively managed.

Here are some valid reasons to have documented IT policies:
• Protection of the business

Let’s start with the obvious and face the facts. Today’s world has risks and cyber risks are at an all-time high. Ransomware attacks increased over 400% this year over last. The number and severity of risks are ever increasing. Having good policies can help protect the business by preventing actions that may inadvertently (or purposefully) harm the business.

• Protection of employees

Documented IT policies can also protect employees. Having a clear set of guidelines can help prevent an employee from making a mistake that costs the business. Policies can make it clear to employees what the business offers in terms of expectations, privacy and more.

• Efficiency

Do your employees know what to do when facing a malware attack? Having documented and communicated policies can help an employee react appropriately and efficiently to a scenario. Keeping unnecessary third party software off of employee computers can also help to keep them running more efficiently.

At Colden Company, we can help if your company does not have documented IT policies. Policies like:
• Internet Acceptable Use
• Mobile Device Management
• Virus Response
• Privacy Policy

We feel so strongly in the importance of these policies, we are offering our readers a 25% discount on services to develop or update these policies through the end of 2016. Keep in mind, it is important to update your policies periodically as well. Your policies must keep up with the times. One area we see businesses falling behind is in mobile device management. Do you have company information on personal devices? What is your company policy when that employee leaves? What is the procedure for protecting your information if a personal device is lost or stolen? These are concerns that should have clear, documented policies.

Call us at 888-600-4560, email us, or visit us on Facebook or Twitter.