Posts Tagged ‘security’

Modern Threats Require Modern Defenses

Posted on: June 25th, 2019 by billp | No Comments

Small businesses increasingly face the same cybersecurity risks as larger businesses but with fewer resources to protect themselves. In fact, according to the 2018 State of Cybersecurity in Small & Medium Size Businesses study by the Ponemon Institute:

  • 67% of small and medium-sized businesses have been affected by a cyberattack
  • 82% of attacks were not caught by traditional antivirus software
  • 61% of SMBs have been attacked by ransomware
  • 70% paid the ransom at an average of $1,466 per incident

Worse yet, between 2017 and 2018:

  • Data breaches are up by 4%
  • Cyberattacks are up by 6%
  • Ransomware incidents are up by 9%

We can expect these numbers to increase when the 2019 figures are tallied. The fact is that the problem is only getting worse; it’s not a matter of “if” but “when.”

The traditional concept of “antivirus software,” which arose with the first products released in 1987, started to enter obsolescence sometime early this decade. Industry leaders first began noticing the decline around 2012 when the volume of malware samples began to outstrip the ability of antivirus vendors to write new signatures to block the malware. Both the volume and sophistication of malware have continued to increase exponentially; it’s estimated that there are now 350,000 new variations of malware per day.

To make matters worse, malware and ransomware are a valuable criminal enterprise, incentivizing the cybercriminals to try harder. Aside from ransomware payments made, ransomware damages are predicted to reach $11.5 billion in 2019. Ransomware costs include damage and destruction (or loss) of data, downtime, lost productivity, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hostage data and systems, reputational harm, and employee training in direct response to the ransomware attacks.

New threats require new solutions. Any product that attempts to protect the endpoint (desktop, laptop, etc.) in this era of vulnerability and risk can’t just target present threats – it must also be future-proof.

Enter Endpoint Detection and Response (EDR) solutions, which target malware behavior instead of identity. The number of malware behaviors is considerably smaller than the number of ways malware might look, making this approach suitable for prevention and detection.

Consider this analogy. Security professionals (e.g. soldiers, police, guards, etc.) might stop someone and ask for identification. If an ID is provided, is that it? Is any criminal with an ID guaranteed to bypass security? The answer is no. Thankfully, well-trained security professionals receive extensive training to help them spot suspicious behavior which may indicate that someone is not who they say they are.

EDR solutions are the well-trained security professional for your network, providing the following sophisticated protections and many more:

  • Real-time protection for known and unknown threats
  • Protection from polymorphic and disguised threats
  • Watches processes as they run in case they “turn bad”
  • Allows quick rollback to a known good state when an attack does occur
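The difference between matching identity and matching behavior can be shown on a small scale. The following Python code is an added example, not part of the original post and not how any particular EDR product works; the event format, the mass-rename rule, its thresholds, and all process data are constructed assumptions.

```python
import hashlib
import os
from collections import defaultdict, deque
from dataclasses import dataclass

# Identity-based detection: one signature per already-known sample (constructed value).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-sample-build-1").hexdigest()}

WINDOW_SECONDS = 10.0  # assumed tuning value
RENAME_THRESHOLD = 5   # assumed tuning value


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since the start of the capture
    pid: int
    action: str        # "read" or "rename"
    path: str
    new_path: str = ""


def signature_match(image_bytes):
    """Identity check: flags a binary only if its exact hash is on the list."""
    return hashlib.sha256(image_bytes).hexdigest() in KNOWN_BAD_SHA256


def extension(path):
    return os.path.splitext(path)[1].lower()


def behavior_alerts(events):
    """Behavior check: {pid: time of first alert} for any process that renames
    RENAME_THRESHOLD distinct files to a new extension within WINDOW_SECONDS."""
    recent = defaultdict(deque)   # pid -> (ts, path) of recent suspicious renames
    first_alert = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "rename" or extension(ev.path) == extension(ev.new_path):
            continue
        window = recent[ev.pid]
        window.append((ev.ts, ev.path))
        while ev.ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()      # forget renames that fell out of the window
        if len({path for _, path in window}) >= RENAME_THRESHOLD:
            first_alert.setdefault(ev.pid, ev.ts)
    return first_alert


def mass_rename(pid, start, count):
    """Constructed telemetry: documents renamed with an appended extension."""
    return [FileEvent(start + i * 0.5, pid, "rename",
                      f"/home/user/docs/report{i}.docx",
                      f"/home/user/docs/report{i}.docx.locked")
            for i in range(count)]


# Constructed process images: 200 is the same program as 100, repacked so the bytes differ.
PROCESSES = {
    100: b"constructed-sample-build-1",
    200: b"constructed-sample-build-1-repacked",
    300: b"constructed-photo-organizer",
    400: b"constructed-updater",
}

EVENTS = (
    mass_rename(100, 1.0, 8)
    + mass_rename(200, 2.0, 8)
    # Benign: quick renames that keep the extension, then slow .jpeg -> .jpg fixes.
    + [FileEvent(5.0 + i, 300, "rename", f"/pics/IMG_{i}.jpg", f"/pics/trip_{i}.jpg")
       for i in range(6)]
    + [FileEvent(30.0 * i, 300, "rename", f"/pics/old_{i}.jpeg", f"/pics/old_{i}.jpg")
       for i in range(5)]
    # Process 400 only reads for a minute, then "turns bad".
    + [FileEvent(float(i), 400, "read", f"/home/user/docs/report{i}.docx") for i in range(5)]
    + mass_rename(400, 60.0, 6)
)


def compare(processes, events):
    """Per process: what the signature check says and what the behavior check says."""
    alerts = behavior_alerts(events)
    return {pid: {"signature": signature_match(image),
                  "behavior": pid in alerts,
                  "alert_ts": alerts.get(pid)}
            for pid, image in processes.items()}


if __name__ == "__main__":
    for pid, verdict in compare(PROCESSES, EVENTS).items():
        print(pid, verdict)
```

The repacked variant (200) and the late-starting process (400) have no signature yet are caught by the single behavior rule, while the benign renamer (300) is left alone.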

Are you ready to have a well-trained security professional guarding your network 365x24x7? Contact the security professionals at Colden Company at 888-600-4560, email us, or visit us on Facebook or Twitter.

Putting Meltdown and Spectre in Perspective

Posted on: January 30th, 2018 by billp | No Comments

There’s recently been a lot of media attention around two vulnerabilities in computer chips. The vulnerabilities, given the ominous titles “Meltdown” and “Spectre,” exist in nearly all microprocessors made since 1995 — meaning they are found in nearly every popular business computer, home computer, and other devices such as smartphones and tablets.

One of the biggest challenges with cybersecurity is putting the severity of issues in perspective. Bugs and vulnerabilities that receive logos, names, and headlines usually result in a big – and often out-of-proportion – reaction. There’s no arguing the fact that these vulnerabilities are significant and should not be taken lightly. But, before you start to panic, the situation sounds a lot worse than it is. There is always a balance of “probability and exploitability” that businesses should consider in determining how likely they are to fall victim to any cybersecurity vulnerability.

What are Meltdown and Spectre?

Both Meltdown and Spectre are hardware vulnerabilities in computer chips (microprocessors) that allow a non-privileged user to access information on the computer that they shouldn’t be able to access. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to access secrets stored in the memory of other running programs, which might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages, and even business-critical documents. This is a particularly big problem for cloud services like Microsoft Azure and Amazon Web Services, where multiple “tenants” use the same physical hardware.

Meltdown and Spectre require a high degree of sophistication, time, and luck for hackers to be able to exploit. These vulnerabilities have been around for 20 years and are something that both researchers and government agencies have been aware of for at least six months, yet we haven’t heard of any active exploits in the wild.

How Do I Protect Myself?

This is where things get complicated…

All major hardware and software vendors have released patches that address Meltdown and Spectre in the weeks since the disclosure of the vulnerabilities. In the case of Microsoft, its patches for Windows require that your antivirus software be updated to ensure Meltdown/Spectre updates won’t crash your computer (users of Colden Company’s Managed Antivirus are compatible with Microsoft’s updates). Intel released – and then retracted – updates to its microcode (software that runs the processor), and Microsoft then released an emergency update to fix the problems that Intel’s buggy updates caused.

The updates can be more impactful on computers (particularly servers) running older Intel processors and/or certain workloads, where updating to mitigate Meltdown/Spectre has the potential to reduce performance between 5% and 30%. The performance impact is very dependent on what software is running on the computer. Microsoft attempted to add some clarity to the potential performance impacts in a recent blog post.

To get back to the question of how you protect yourself and your business, Colden Company recommends patching – and not panicking – as reliable patches are made available from hardware and software vendors.  Ask yourself how quickly you can reliably apply known-good and tested patches from reliable vendors, especially on critical systems.

Use the following steps to guide you down a good path to mitigating Meltdown and Spectre.

  1. Update antivirus software to ensure Meltdown/Spectre patches from Microsoft aren’t blocked.
  2. Update operating systems with relevant patches.
  3. Update hypervisor hosts, guest OSes, and cloud instances.
  4. Update system BIOS / firmware.
  5. Update web browsers where applicable.
  6. Check for updates to other applications and peripherals.

If even the above steps seem daunting, our best recommendation is to partner with experts at Colden Company to help ensure your business is protected.

Conclusion

The scope of this issue is huge. According to a survey of 500 IT professionals by IT organization Spiceworks, 70% of businesses report they continue patching despite the guidance from Intel to stop. 46% of companies have reported performance degradation, 26% are dealing with system “hangs” and freezes, and 22% are experiencing issues with computers not rebooting properly after the patches are installed. Costs from the mitigation effort are also mounting for some companies. 29% of companies with more than 1,000 employees said they expect to spend more than 80 hours addressing the flaws, and 18% said they expected to spend more than $50,000.

While exploiting either Meltdown or Spectre requires a high level of sophistication, it’s still early days, and incidents that take advantage of Meltdown and Spectre will be inevitable. Laptop and desktop workstations are at the greatest risk, so make sure that you’re current with Microsoft patches as they’re released. You should be diligent about patching all systems and mobile devices. Work with your cloud providers and business partners to ensure they have a mitigation plan. Don’t worry, don’t panic, but be diligent and be sure to install patches as soon as they become available for your specific operating systems and devices.

This is a complicated topic and can quickly become overwhelming. Give the experts at Colden Company a call and let us help you protect your business against these and other cybersecurity risks. Call us at 888-600-4560, email us, or visit us on Facebook or Twitter.







Ransomware: What You Need to Know

Posted on: April 27th, 2016 by jiml | No Comments

Viruses are becoming not only increasingly sophisticated but increasingly destructive. It used to be that if you were infected with a virus or malware, you were at risk of having your files copied and perhaps accounts compromised. With the advent of ransomware, hackers have found a way to directly monetize hacking and can do much more damage than malware of the past. Here is how it works:

Ransomware is a class of malware that prevents users from accessing their data, usually by encrypting their files and holding the decryption key. The encryption is strong enough that, if you have been infected, your options for getting your data back are 1) pay the ransom or 2) restore your files from backup. The malware will not only infect your computer but any connected network drives or external drives, making the malware quite devastating.

A study from BitDefender estimated that $325 million in ransom has been paid over the last two years as a result of this type of malware. Paying the ransom emboldens and funds these hackers for future attacks and enhanced attacks. There are few security experts who believe the threat level will decrease in the coming years. Most believe it will continue to increase, largely funded by paid ransoms.

If you or your business does not have a solid and reliable backup system, you will be forced to consider paying the ransom as so many people and businesses before you have done. Don’t be part of the problem! Make sure you have adequate backups for your data so that you can fight back and not be a victim.

Who is at risk? Everyone who uses a computer. Even those with the latest security patches and updated anti-malware solutions can be infected. Mac user? KeRanger is a variant of ransomware specifically designed to attack your system. More recent versions of ransomware have infected users through their web browser using vulnerabilities in Adobe Flash. Early versions relied on the user to click an infected email attachment. Now a user can be on the Internet, even on reputable sites like nytimes.com, msn.com, bbc.com and many more, and become infected through compromised ads according to a recent publication from Malwarebytes.

There is a high-stakes game of cat and mouse going on between the hackers and security firms. As the security firms find ways to block the malware, the hackers find ways to circumvent the changes. You, as the computer user, have a responsibility in this fight as well. Be aware of good security practices like “do not open email from unknown users” and “do not open attachments you are not expecting, even from known users.” It cannot be overstated that you need to ensure your data is backed up, so in the unfortunate event that you get infected, you can simply clean your system, restore your data and avoid becoming part of the problem.

Businesses should be aware that there are additional steps that can be taken to prevent these types of ransomware that go beyond traditional anti-malware solutions. This malware initiates the encryption from a protected area, and it can be stopped with the proper precautions. We strongly recommend putting these measures into place to prevent ransomware from executing, thus saving your critical business data. There is an escalating battle going on today between hackers and security. We encourage you to proactively take part in the battle to protect your data or you may become a casualty of the battle when you least expect it.

To protect your critical business data, contact Colden Company at 888-600-4560, email us, or see us on Facebook or Twitter.







10 Steps to Creating a Disaster Recovery Plan for SMBs

Posted on: March 31st, 2016 by billp | No Comments

When we hear the word “disaster,” our minds immediately shift to major natural events such as earthquakes, flooding, hurricanes, etc. We rarely think about the smaller disasters that could cripple a small business – extended power outages, a blizzard that affects employees’ ability to get to their office, fires, etc. Most importantly, we often think of disasters as something that happens to someone else… until it happens to us.

According to the U.S. Federal Emergency Management Administration (FEMA), 43 per cent of businesses will not re-open following a major disaster. This alarming figure does not take into consideration the consequences of disasters that were not designated “major” disasters by the federal government, such as fires and power outages, which can be devastating to small and mid-sized businesses.

If you cannot get your business back online within 5 days of a disruption, the odds that your business will survive are about 10 percent. A survey of small businesses in the immediate vicinity of the World Trade Center at the time of the 1993 bombing found that of those businesses that could not resume their operations within five days, 90 per cent were out of business a year later.

Disaster recovery planning is a necessity for all small business owners. The hardest part about creating a disaster recovery plan is knowing what to do first. And, as business owners know, it is all in the execution.

To help bring some structure to the sometimes-overwhelming exercise of disaster recovery planning, we have put together a checklist to get you started, thereby enabling your good intentions to become operational. These steps will help you get started in a concrete way to help your business become safer… and more profitable!

Key #1: Understand the implications for your business.

Step 1. Start keeping a “disaster diary”.

Begin to keep a log of disruptions to your normal operations. Gathering this information is the first step to identifying recurring patterns. The idea is not to point fingers at employees who make mistakes; rather, it is to improve your processes.

Step 2. Identify potential threats to your business.

Consider the potential threats to include not only hazards arising from extreme weather but also the risks to your business’ reputation should you be unable to safeguard confidential information of your customers.

Key #2: Keep employees safe and informed.

Step 3.  Develop a plan to communicate with your employees in the event of disruption.

Organize a list of primary and secondary emergency contact information for each of your employees. As a disaster may prevent employees from returning to their homes, make sure you have alternate contact information for each employee.

Step 4. Preserve important employee records.

Your business is entrusted with certain confidential records of your employees, such as their personal identifying information and social security numbers. Work with your IT advisor to make sure the information is secure and accessible.

Key #3: Keep customers engaged and informed.

Step 5.  Develop a plan to communicate with your customers in the event of a disruption.

Consider preparing a statement that can be published on your website and social media platforms in the event of an emergency to give customers timely status updates as to what they can expect from your business and when.

Step 6. Protect sensitive customer data.

Make sure that any information of your customers (patient records if you are operating in a medical practice, financial records, trade secrets, etc.) is safe from cyber-criminals.

Key #4. Ensure continuity of operations.

Step 7.  Determine how you will operate your business remotely.

Consider which operations of your business you will be able to run should you not have access to your regular place of work. Define your business priorities by identifying your critical operations.

Step 8. Conduct periodic drills.

Test your continuity plan from time to time. It is important to keep your plan current and revise it for changes in your environment. It is equally important to verify that your employees are up-to-date on what to do in an emergency situation.

Key #5.  Address financial impact and readiness.

Step 9. Make sure your business has appropriate insurance coverage.

Verify that you have the necessary endorsements (or add-ons) for your business, that you understand the deductibles for which you will be responsible and that you have appropriate coverage limits.

Step 10. Make sure you have access to the information you will need to file an insurance claim in a timely manner.

Have a digitized copy of your insurance policy stored in a way that you can access it in the event of an emergency. Don’t wait for an emergency to learn the procedures for filing a claim. You need to learn them now.

Key #6. Take advantage of the experts at Colden Company

Colden Company is certified by the Disaster Recovery Institute as Certified Business Continuity Professionals.  Our customers benefit from our years of experience assisting customers in preparing comprehensive business continuity, disaster recovery, and disaster avoidance plans. Our approach is a top-down approach where we examine the critical business functions first and work down to the supporting systems, hardware, and personnel.

Among the many additional services associated with disaster recovery are off-site backup or cloud backup, which we offer starting for as little as $19.00/month. We also offer complete local or cloud server recovery, also very affordable for small and mid-size businesses, which can have your entire business back online and working in hours instead of weeks (or longer). Do you have laptops in the field that need backup? Critical servers that need a quick recovery time? We’ll listen to your needs and provide the right solution to fit your business needs.

Colden Company is a proud Elite Partner (the highest level of partnership) of Datto, Inc. See how a Datto Backup and Disaster Recovery (BDR) device managed by Colden Company can enhance your data security and give your business true disaster recovery capabilities. At Colden Company, we have been in the BDR business for many years. See why our partnership with Datto is the BDR solution you can count on!

From process and procedures down to implementation, Colden Company is the only partner you need to keep your business in business in a time of need. Contact us today to make sure your business doesn’t become a statistic. Call us at 888-600-4560, email us, or see us on Facebook or Twitter.







The Holiday Season is Approaching. Is Your Web Site Ready?

Posted on: October 31st, 2015 by jiml | No Comments

As the holidays near, there is invariably a focus on online shopping and how buyers can best protect themselves. In this month’s blog posting, we will be focusing on ecommerce businesses and how they can best be prepared for the holiday online shopping season.

Make sure your website can be found

Search engine optimization (SEO) is a science but is an important component to making sure your web site is visible to the people your site is marketing to. There are many marketing organizations that will promise you that your site will be on the first page of Google searches if you contract them. Be wary. Google uses a number of metrics to determine placement and results are often accrued over time. If you want to immediately be visible, consider using Google AdWords. These are the sponsored links that you see when searching Google. We could dedicate an entire year’s worth of blog postings to Google AdWords, but the short takeaway is not to implement if you have not done your homework. The result could be a lot of wasted money. Know what your strategy will be before implementing, including where and when to advertise your site.

Also be sure to use accurate page descriptions when designing your web pages. This will help your site be found as Google uses this information in determining which sites to move up the list and which ones to move down. Many web developers do not take the time to fill this information out and it will affect your site’s visibility. If you use a lot of product pictures, make sure they are tagged properly and have good descriptions as well.

Make your site eye-catching

There is a lot of competition out there on the Internet. Depending on which source you use, there are anywhere between half a billion and four billion web sites out there on the Internet. Customers have options for shopping. It is important to make your web site shopping experience eye-catching so that users stay and shop. Most users look at a site for a split second before deciding to stay and look around or move on. Using quality graphics is a must; use bullet points to make your text clear and readable.

Make your site easy to navigate and use

Customers want a positive experience on the web sites they use. Are your policies clear for things like returns or shipping policies? If possible have an easy to find “Chat” or “Help” button so users can get assistance if they need it. If your site does not have this, a hesitant customer will go to another website.

Use metrics

Capture as much information as you can from your customers’ shopping experiences. Use opt-in email for future marketing and be sure you have the ability to capture metrics for what sells and what does not, what verbiage is successful in capturing customers and what is not.

Make sure your site is secure

Security is often an afterthought for ecommerce companies. It needs to be a primary consideration. Are you using WordPress like 48% of the web sites out there? Are you aware of the vulnerabilities and do you keep your site patched? Are your plugins up to date? What do you know about the servers hosting your web site? Are you relying on someone else to understand and provide security? If so, you should realize that you are ultimately responsible for the security of your web site and the safety of your customers’ information.

Have questions? Call us at (888) 600-4560, email us, or see us on Facebook or Twitter and let our experts help your business.






Phishing Scam Du Jour

Posted on: March 31st, 2015 by jiml | No Comments

Did you know that March 31 is World Backup Day? It is designed to bring awareness to the importance of backups, especially in today’s world. It is important that your backup processes keep up with the changing times. Click here for more details about “intelligent disaster recovery”.

Our recent survey responses indicated that security was a topic of interest to our customers. For this blog posting, we would like to share some information with you from one of our security partners, Proofpoint. Proofpoint is a leading information security organization that works with organizations of many sizes and industries including many of the Fortune 500. Proofpoint Engineers keep us apprised of the latest threats so that we can better protect your business. Here is a recent email from our partner with information on some of the latest threats that you should be aware of:

Credential phishing remains a popular technique by malware campaigners, with Outlook Web Access credentials joining other webmail accounts as a frequent target. As the use of cloud-based documents becomes more and more widespread, phishing campaigners have also been leveraging this behavior as a lure for their messages, with some benefits for their credibility and effectiveness.

A recent example examined by Proofpoint researchers demonstrates the key ingredients of this kind of attack, as well as a clever innovation attackers have recently added. Google Apps credential phish are among the most common email-borne threats Proofpoint currently detects, and organizations that have adopted Google Apps for regular internal use are particularly susceptible to clicking.

In this example, rather than taking a potential victim straight to a (fake) login page, clicking the link brings up a very realistic Google Docs shared document landing page.

The page is a perfect replica of an authentic Google page, with the exception that it is delivered via HTTP, rather than HTTPS. Failing to notice this warning sign, the recipient clicks the Download button and then sees the Google login page, again almost identical to the authentic equivalent.

For added flexibility, the malicious document also supports logins for other webmail services, such as Yahoo, Hotmail, AOL, and even an “other” option in which the victim can enter any corporate credentials. This enables the attackers to extend their reach by pulling in and leveraging a wider range of credentials.

Credential phish normally drop their ruse after the victim has submitted their credentials, but in this case the attackers follow through with the ‘login’ by displaying an actual document.

This technique reduces the risk that a user will realize right away that something was amiss and gives the attackers more time to make use of the stolen credentials. Buying even a few hours gives the attackers more than enough time to leverage the victim’s stolen credentials to deliver the next round of messages.

Another advantage of launching credential phishing campaigns from compromised Google accounts is that a relatively minor effort delivers highly believable, targeted phish thanks to the ability to scrape the victim’s Contacts list and use it to populate the list of recipients for the next step of the campaign.

A similar attack technique employs a fake Dropbox document to capture credentials for the cloud-based document-sharing service. Like the Google Apps credential phish, the login page shown to the recipient is perfectly credible.

This example was taken from the cloud-document phishing campaign of an actor that tends to prefer campaigns with more limited scope, often distributing fewer than three URLs across 30-50 messages per week, often targeting only 10 organizations, but in some cases as many as thirty organizations. Initially targeting organizations in the advertising and hospitality sectors then leveraging these to target businesses in the financial sector, the attacker seems to be shifting strategy of late to be less targeted and much more opportunistic. As if to underscore the relative value of this technique, scraping email addresses from the advertising and hospitality services executive accounts led – intentionally or not – to targeting executives in the financial sector in successive rounds of phishing emails.

Hacking via cloud-based document services and application accounts adds still more options to the value of a hacked email account by creating more opportunities to create campaigns that are at once more targeted, more effective, and more lucrative. Credential phishing with cloud-based documents will continue to grow in popularity as attackers leverage its advantages to stay ahead of defenses that are often still focused on well-known and easily defeated techniques.
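The warning sign called out in the analysis above (a login page delivered over HTTP) and the multi-provider login choice can be checked mechanically. The following Python check is an added example, not from Proofpoint or the original post; it goes beyond the text by also comparing the page's host with the brands it displays, and the brand-to-domain list, finding labels and sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list: domains each brand's genuine sign-in pages are served from.
BRAND_DOMAINS = {
    "google": ("google.com",),
    "yahoo": ("yahoo.com",),
    "hotmail": ("hotmail.com", "live.com", "outlook.com"),
    "aol": ("aol.com",),
    "dropbox": ("dropbox.com",),
}


class LoginPageScan(HTMLParser):
    """Collects the two things the check needs: password inputs and page words."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.password_fields = 0
        self.words = set()

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_data(self, data):
        self.words.update(re.findall(r"[a-z]+", data.lower()))


def host_belongs_to(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_login_page(url, html):
    """Return a list of findings for a page that asks for a password."""
    scan = LoginPageScan()
    scan.feed(html)
    scan.close()
    if scan.password_fields == 0:
        return []                      # not a credential form, nothing to assess
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("password-form-not-https")
    brands = sorted(b for b in BRAND_DOMAINS if b in scan.words)
    off_host = [b for b in brands if not host_belongs_to(host, BRAND_DOMAINS[b])]
    if off_host:
        findings.append("brand-host-mismatch:" + ",".join(off_host))
    if len(brands) > 1:
        findings.append("multi-provider-login")
    return findings


# Constructed sample pages (hosts under .test are placeholders, not real sites).
LOOKALIKE_HTML = """<html><head><title>Google Docs</title></head><body>
<form method="post"><select name="provider">
<option>Google</option><option>Yahoo</option><option>Hotmail</option>
<option>AOL</option><option>Other</option></select>
<input type="email" name="u"><input type="password" name="p"></form>
</body></html>"""

GENUINE_HTML = """<html><head><title>Sign in - Google Accounts</title></head><body>
<form method="post"><input type="email" name="u"><input type="password" name="p">
</form></body></html>"""

if __name__ == "__main__":
    print(assess_login_page("http://docs.example.test/share/view", LOOKALIKE_HTML))
    print(assess_login_page("https://docs.example.test/share/view", LOOKALIKE_HTML))
    print(assess_login_page("https://accounts.google.com/signin", GENUINE_HTML))
```

The second call shows that the same page still produces two findings when served over HTTPS, so the missing padlock is only one of several signals.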







Steps to Take for Better Personal Security

Posted on: December 30th, 2014 by jiml | No Comments

It seems like a weekly occurrence to hear about another major retailer being compromised by hackers. Home Depot, Target, P.F. Chang’s and most recently Staples – among many other retailers – have acknowledged consumers’ information has been accessed putting credit card information at risk. At Colden Company, we service business entities primarily but the question of personal security is one we are often asked, indicating the level of concern that consumers have about their personal protection. What steps can we, as consumers, take to protect ourselves as these events do not seem to be slowing down?

There are several precautions that can be taken. One step would be to begin taking advantage of services like Google Wallet or Apple Pay. These services take advantage of NFC technology and so-called “tokenized payment processing” on your smart phone and do not expose your credit card directly to the retailer. In the case of Apple Pay, even Apple doesn’t know your credit card number; your card information is securely stored on the secure element in the phone. Therefore, it is important to have strong security on your phone, since a thief could presumably make payments using your phone if your phone is stolen. (Google Wallet allows you to deactivate your wallet in the event of theft.) Apple Pay is a bit more secure than Google Wallet, which is to be expected when comparing technology released in 2014 (Apple Pay) vs. 2011 (Google Wallet).

Online purchasing is very convenient and I am willing to bet at least some of your holiday purchases this year were made online. Apple Pay and Google Wallet will work with some online retailers but not all. Obviously the tap and pay feature is not usable for an online purchase. For those instances where you must use your credit card, make sure your credit card is not saved by the site. This decreases convenience but is a prudent step to protect your security. Monitor your credit card activity regularly and perhaps consider taking advantage of services like LifeLock to help protect against fraud and identity theft.

In 2015, the US will finally begin a wider rollout of Chip-and-PIN credit cards. These cards, which have a microchip in the card and require the consumer to enter a PIN at checkout, have been in wide use throughout the world and have cut many forms of card fraud by more than 65%. President Obama announced in October 2014 that cards issued by the federal government will come standard with Chip-and-PIN technology starting in January 2015, and as of October 2015, the cost for fraudulent transactions will shift from banks to merchants if the merchants have not upgraded their point-of-sale equipment to support Chip-and-PIN transactions.

Finally, a step everyone should take is to reconsider the passwords that you use. Strong passwords are a great deterrent to hackers. The problem is remembering those difficult passwords! Services like LastPass and KeePass are nice tools to help with password management and can securely manage your passwords across multiple devices. Change your passwords regularly and make them strong passwords that are not easily hacked. Conveniences like easy-to-remember passwords often put your security at risk.

There is an old saying in security circles that the only truly secure computer system is one that is powered down. The point is that there is a balance between usability and security. In the scenario above, a computer that is turned off may be secure, but there is no usability! There is no magic bullet for securing your assets. Security is done best when done in a layered approach. The more layers of security you can use, the safer you will be. With all the threats out there in the digital world today, it seems like a good time to add a few layers.

While these suggestions are directed at consumers, businesses are just as vulnerable if not more so than individuals. The layered security approach is a must for businesses as well. In need of a few extra layers this winter? Call us at (888) 600-4560 or email us at info@coldencompany.com, or see us on Facebook or Twitter to let us help protect your critical assets.







Cloud Computing and the Risks of Shadow IT

Posted on: August 29th, 2014 by billp | No Comments

We’ve written at length about the many benefits that cloud computing can bring to your business, such as lower costs, faster time-to-delivery, improved reliability, improved scalability, etc. However, with all of these benefits come risks that many businesses ignore or don’t even realize are present. The proliferation of inexpensive (or free, which can present its own set of problems) browser-based cloud services and solutions allows business users to effectively be independent of any business or IT oversight, creating what is commonly called “Shadow IT.”

Technology consulting firm PricewaterhouseCoopers (PwC), in a recently published report, stated “the culture of consumerization within the enterprise — having what you want, when you want it, the way you want it, and at the price you want it — coupled with aging technologies and outdated IT models, has propelled cloud computing into favor with business units and individual users.” The risks from shadow IT include issues with data security, transaction integrity, business continuity and regulatory compliance, technology and service (and cost) redundancies, among many other risks.

Business users often blame IT for being too rigid and slow to respond to changing business needs. IT providers – whether in-house or outsourced – are tasked with long-term IT sustainability, manageability, solution compatibility, and support; in other words, long-term, cost-effective IT strategy. Complex IT infrastructures require careful planning in order to ensure changes are well-integrated with existing systems and processes. Business users who want a solution now often skip through a lot of the due-diligence that would normally fall to the IT department, and forget to think about things such as security and proper service level agreements when looking at cloud providers.

Take, for example, Dropbox, the popular file-sharing and synchronization solution. Dropbox is extremely powerful and has a free/basic option that provides users with 2 GB of storage. A lot of business data can be stored in 2 GB! The recently announced improvements to Dropbox Pro, the lowest-cost paid tier of service, allow users to store 1 TB of data in the cloud for $99.99/year. A departing or disgruntled employee could, with 1 TB of storage, copy most or all of your business data off-site and you’d never know it! We at Colden Company have seen many business users using the consumer-focused Dropbox Basic plan for business files, but what works for family pictures may not be the best solution for business files, opening the business to unacceptable security, legal, and financial risk.

Consider just a few of the risks something as seemingly innocuous as Dropbox file syncing can present to your business.

  • Data theft – Business owners may not know when Dropbox is installed, and are unable to control what data employees are creating on or synchronizing to personal devices (smartphones, tablets, personal computers, etc.). These personal devices exponentially increase the risk of business data falling into the wrong hands.
  • Data loss – Dropbox allows employees to create – and delete – data on the service that does not synchronize to any in-house (i.e. backed-up) source. Dropbox has some built-in backup and recovery features, but they are insufficient for most business data retention needs.
  • Lawsuits and compliance violations – Companies in regulated industries face a real risk of becoming non-compliant with data security and privacy obligations without even realizing it. Dropbox offers the ability for users to share data from the service with anyone and offers limited in-service file access controls for shared Dropboxes.
  • Security – Dropbox does not encrypt any locally or cloud-stored data.

While we are using Dropbox as an example, the same risks are present for many free or inexpensive cloud services that can be easily implemented without business or IT oversight. Other services that can present business exposure include data sync and sharing services such as Box, Google Drive (Docs), or Microsoft OneDrive; cloud backup services such as Carbonite, Mozy, or CrashPlan; or even business solutions that can contain critical data such as Salesforce.com, Microsoft Dynamics, or Basecamp.

The good news for business owners is that there are cost-effective alternatives to all of the above-listed services/solutions that can be managed by business owners and IT providers. By reviewing the business needs of users and working in conjunction with your IT provider, a managed, secure, and reliable solution that is well-integrated with your existing IT investments can always be identified. Whether it’s file synchronization, backup, remote data access, CRM, or any cloud solution, shadow IT will put your business at unnecessary risk.

Work with Colden Company to reduce the risk of shadow IT by allowing us to identify carefully tested, secure, and integrated solutions for your cloud service needs. Protect your existing IT investments and your business by taking control with a trusted IT advisor. Contact your trusted IT advisor at 888-600-4560, via email at info@coldencompany.com, or via Facebook or Twitter.






Cyber Security Viewed Through the Prism of Home Security

Posted on: June 30th, 2014 by jiml | No Comments

The pervasiveness of today’s information security threats requires constant attention. It is important to your business that it is getting that attention. Many business leaders take their chances by ignoring the threat, too busy with other tasks. Others absolve themselves from responsibility by outsourcing the issue to their local IT firm or in-house IT staff. This is a mistake. The security of the business’s data is the responsibility of the business leaders. It is important to be educated on the threats and what can be done to provide protection.

Home security can offer many analogies to help make sense of the jargon that often makes cyber security so confusing. Let’s start with anti-virus. When their anti-virus engine pops up an alert, we often hear from users saying “Why do I have a virus on my machine? I have anti-virus.” The analogy to home security is blaming your alarm system for going off when an intruder breaks into your home. Anti-virus works like the alarm system. Its job is to detect threats; it cannot stop those threats from trying to attack you. As important as the alarm system is, you can see that it should not be the only line of defense. After all, it is detecting the breach after it occurs. This is why we recommend a layered approach to information security.

Another layer might be putting a fence around your home, or in cyber security having a firewall in place. That fence can help prevent attackers from getting to your home and valuables much in the same manner a firewall will keep hackers away from your data. If your fence is completely impenetrable, then you will be stuck in your house and never able to leave your yard (not very practical). Our solution may be to put a gate at the front of the house so we can exit the fence and conduct our daily business. In the same manner, firewalls must have open ports (think doors or gates) to allow your daily business to be performed. Hackers are not unaware of this and will look to those common places to have an open gate to attack your business. We need more layers.

One tactic we might take is to put signs out front of our residence stating “BEWARE OF DOG” or “Protected by ADT” for example. We may also want to educate the kids in the house not to answer the door or give out your home address to strangers. This is akin to having good information security policies in your business, which is an often overlooked aspect of security. It is important to have those policies in writing and to review them periodically and make sure your employees understand and abide by them.

We might also consider taking some of our valuables to the bank to be stored in a safety deposit box. By doing so, we are transferring the responsibility for protection to the bank and away from your home. This is analogous to implementing a cloud service to store critical data for you. Even if your business is compromised, your data will be safely stored with a cloud vendor. You can see the importance of vetting the bank or cloud vendor and ensuring the security practices they use are sufficient for your data.

Next, we may want to take proactive steps to ensure that our kids are not affiliating with the boy down the street who was just released from juvenile detention for grand theft. You may not only instruct your kids to hang out with other kids instead but also take the measure of blocking the phone number to prevent your son or daughter from succumbing to the urge to communicate with a bad apple. In cyber security, this is much the same as implementing a content filtering solution. Content filtering allows the business to set rules for what web traffic is acceptable and what is not. We find many businesses are reluctant to implement content filtering out of fear of upsetting employees who enjoy the perk of being able to update their Facebook status from work. I ask those decision makers if they would feel the same way if that policy led to a security breach that cost the business money. Work computers are meant to provide benefit to the business. To appease those in the above scenario, many content filtering solutions can offer windows of time, perhaps lunch hour, when restrictions are relaxed. Lastly, one of the additional benefits to content filtering is preventing users from accidentally going to web sites that may be infected or inappropriate. In many cases, users are not trying to contract viruses, but mistakenly click on a link or go to a site that is not what they intended. Content filtering can help prevent those accidental security threats.

Finally, if you are living in a dangerous neighborhood, you might consider installing cameras to watch over your home and monitor activity. Managed services can provide that same service. Many businesses are completely unaware that they are being targeted by hackers. It is safe to assume that, at some point in time, your business has been targeted. Monitoring and managed services provide detection so that you are aware of the attempted breaches and can respond accordingly. As a managed service provider we see these attempted hacks much more frequently than you may realize. This type of protection is valuable if you are living in a dangerous neighborhood. Rest assured, in terms of the cyber world, you are indeed living in a very dangerous neighborhood.

Need to review your cyber security? Contact us at Colden Company at (888) 600-4560, at info@coldencompany.com or see us on Facebook or Twitter (@coldenco) as well.







It’s a New Year!

Posted on: January 1st, 2014 by jiml | No Comments

Happy New Year to everyone from the team at Colden Company! We wish you all a healthy and prosperous 2014. Last year at this time, we wrote a blog posting about how 2013 could be the year of the cloud for many of our customers.  Certainly we saw activity in that direction and we see continued movement toward cloud-based applications.  One of the unanticipated stories of the year was the NSA spying scandal and how our very own government has been spying on us and most of our largest cloud vendors like Google, Microsoft and many more.

Computerworld – U.S. cloud firms face backlash from NSA spy programs

These revelations led many who were considering the cloud to ask the question “How secure is my data in the cloud?” The answer to that is not as simple as we once thought. It is now clear that our government has the ability to hack very high levels of encryption.

NY Times – N.S.A. Able to Foil Basic Safeguards of Privacy on Web

Many cloud solutions can offer higher levels of security than businesses can afford to provide themselves.  On the flip side of that coin, large hosting providers are more likely to be targeted by hackers or governments.  Hence they are bound to be targeted by more sophisticated attacks by the law of averages.  Does that make your data safer or less safe in the cloud?

The answer is, of course, it depends on what you are comparing it to. How secure is your internal infrastructure should you choose an on-premise solution? What are the costs of bringing the internal security up to a sufficient level to be comparable?  The answer to these questions can push a business in one direction or another.  Of course, there are other considerations besides security to base a decision on.  Usability, manageability, disaster recovery, feature sets, and application integration are all notable factors that can greatly impact the final decision to use the cloud or not. All are topics we could spend time discussing, but will defer to another date in favor of a discussion on cloud security.

There are new security questions to ask when considering the cloud as a place to store our important data.  “Who do we want to protect our data from?” is now a legitimate question to ask. The thought that we have to protect our data from our own government’s spying is a terrible affront to our rights but a topic for another forum.  From a technology perspective, we want to protect our data from our competition, hackers, and in general anyone who should not have access to it.  As we mentioned previously, cloud solutions are a double-edged sword and proper vetting of your cloud vendors is a must. Not all vendor solutions are equal in terms of functionality let alone security.  The next logical question is “What data are we protecting?”  Are we protecting sensitive data like credit card numbers, social security numbers, financial or health information?  Those protecting what we would term as “sensitive information” need to take extra precautions with that data.  The type of data is a factor in determining the required levels of data security. Also consider that there is a big difference between protecting data “in-transit” versus protecting stored data. Data in-transit is more susceptible to wiretapping such as that used by the NSA as opposed to stored data, exposure of which would require a direct attack on the data centers of hosting or service providers.

Colden Company is still a proponent of certain cloud solutions and the NSA scandal has not changed our view. The cloud is not going away, nor is it for everyone.  Each business brings a unique set of circumstances, and while security of your data is a discussion to have, it is far from the only discussion. The important thing is to have the discussion. The best decisions are informed ones. If 2013 was the year of the cloud, let’s make 2014 the year of security!

Need help getting the conversation to the secure cloud started or finding a solution to secure your data – no matter where it resides?  Call on us at Colden Company today.  We can be reached at (888) 600-4560 or at info@coldencompany.com.   Like us on Facebook and follow us on Twitter (@coldenco) as well!  Happy New Year All!