Author: J Ellis

A 6-Step Framework for Vulnerability Assessment

Posted on | by J Ellis | Leave a Comment on A 6-Step Framework for Vulnerability Assessment

Technology vulnerabilities are weaknesses in the code that can be exploited by hackers when new software updates or hardware releases come out. As technology advances and companies create new products and services, their security measures don’t always keep up with the innovations. Hackers take advantage of these flaws in the system, in cycles with each new update.

It’s estimated that about 93% of corporate networks are susceptible to being hacked. Assessing and managing these network weaknesses isn’t always a priority for organizations. As a result, many suffer breaches because of poor vulnerability management.

61% of security vulnerabilities in corporate networks are over 5 years old. 

Many types of attacks take advantage of vulnerabilities that have not been fixed. This includes ransomware attacks, account takeover, and other common cyberattacks.

Whenever you see the term “exploit” when reading about a data breach, that’s an exploit of a vulnerability. Bad actors take advantage of these “loopholes.” They can then access systems with , Or to run system commands or perform other dangerous network intrusions.

Putting together an effective vulnerability management process can reduce your risk. It doesn’t have to be complicated. Just follow the steps we’ve outlined below to get started.

Vulnerability Management Process

Step 1. Identify Your Assets

First, you need to identify all the devices and software that you will need to assess. You’ll want to include all devices that connect to your network, including:

  • Computers
  • Smartphones
  • Tablets
  • IoT devices
  • Servers
  • Cloud services

Vulnerabilities can appear in many places. For instance, the code for an operating system, a cloud platform, software, or firmware.  So, you’ll want a full inventory of all systems and endpoints in your network.

This is an important first step, so you will know what you need to include in the scope of your assessment.

Step 2: Perform a Vulnerability Assessment

Next will be performing a vulnerability assessment. This is usually done by an IT professional using assessment software. One of the assessments if conducted through penetration testing.

During the assessment, the professional scans your systems for any known vulnerabilities. The assessment tool matches found software versions against vulnerability databases. 

For example, a database may note that a version of Microsoft Exchange has a vulnerability. If it detects that you have a server running that same version, it will note it as a found weakness in your security.

Step 3: Prioritize Vulnerabilities by Threat Level

The assessment results provide a roadmap for mitigating network vulnerabilities. There will usually be several, and not all are as severe as others. You will next need to rank which ones to address first.

At the top of the list should be those experts consider severe. Many vulnerability assessment tools will use the Common Vulnerability Scoring System (CVSS). This categorizes vulnerabilities with a rating score from low to critical severity.

In addition, you’ll also want to rank vulnerabilities by your own business needs. If a software is only used occasionally on one device, you may consider it a lower priority to address. On the other hand, a vulnerability in software used on all employee devices, you may rank as a high priority.

Step 4: Remediate Vulnerabilities

Remediate vulnerabilities according to the prioritized list. Remediation often means applying an issued update or security patch. But it may also mean upgrading hardware that may be too old for you to update.

Another form of remediation may be ringfencing. This is when you “wall off” an application or device from others in the network. A company may do this if a scan turns up a vulnerability for which a patch does not yet exist.

Increasing advanced threat protection settings in your network can also help. Once you’ve remediated the weaknesses, you should confirm the fixes.

Step 5: Document Activities

It’s important to document the vulnerability assessment and management process. This is vital both for cybersecurity needs and compliance. 

You’ll want to document when you performed the last vulnerability assessment.  Then document all the steps taken to remediate each vulnerability. Keeping these logs will be vital in the case of a future breach. They also can inform the next vulnerability assessment.

Step 6. Schedule Your Next Vulnerability Assessment Scan

Once you go through a round of vulnerability assessment and mitigation, you’re not done. Vulnerability management is an ongoing process.

In 2022, there were over 22,500 new vulnerabilities documented. Developers continue to update their software continuously. Each of those updates can introduce new vulnerabilities into your network.

It’s a best practice to have a schedule for regular vulnerability assessments. The cycle of assessment, prioritization, mitigation, and documentation should be ongoing. This fortifies your network against cyberattacks. It removes one of the main enablers of hackers.  

Get Started with a Vulnerability Assessment

Take the first step towards effective vulnerability management. We can help you fortify your network against attacks. Give us a call today to schedule a vulnerability assessment to get started.

Article used with permission from The Technology Press. 

Data Backup? Nice! How about Data Protection?

Posted on | by J Ellis | Leave a Comment on Data Backup? Nice! How about Data Protection?
data security

The need to back up data has been around since floppy disks. Data loss happens due to viruses, hard drive crashes, and other mishaps. Most people using any type of technology have experienced data loss at least once.

There are about 140,000 hard drive crashes in the US weekly. Every five years, 20% of SMBs suffer data loss due to a major disaster. This has helped to drive a robust cloud backup market that continues to grow.

But one thing that’s changed with data backup in the last few years is security. Simply backing up data so you don’t lose it, isn’t enough anymore. Backing up has morphed into data protection.

What does this mean?

It means that backups need more cybersecurity protection. They face threats such as sleeper ransomware and supply chain attacks. Cloud-based backup has the benefit of being convenient, accessible, and effective. But there is also a need for certain security considerations with an online service.

Companies need to consider data protection when planning a backup and recovery strategy. The tools used need to protect against the growing number of threats.

Some of the modern threats to data backups include:

  • Data Center Outage: The “cloud” basically means data on a server. That server is internet accessible. Those servers can crash. Data centers holding the servers can also have outages.
  • Sleeper Ransomware: This type of ransomware stays silent after infecting a device. The goal is to have it infect all backups. Then, when it’s activated, the victim doesn’t have a clean backup to restore.
  • Supply Chain Attacks: Supply chain attacks have been growing. They include attacks on cloud vendors that companies use. Those vendors suffer a cyberattack that then spreads throughout their clients.
  • Misconfiguration: Misconfiguration of security settings can be a problem. It can allow attackers to gain access to cloud storage. Those attackers can then download and delete files as they like.

What to Look for in a Data Protection Backup System

Just backing up data isn’t enough. You need to make sure the application you use provides adequate data protection. Here are some of the things to look for when reviewing a backup solution.

Ransomware Prevention

Ransomware can spread throughout a network to infect any data that exists. This includes data on computers, servers, and mobile devices. It also includes data in cloud platforms syncing with those devices.

95% of ransomware attacks also try to infect data backup systems.

It’s important that any data backup solution you use have protection from ransomware. This type of feature restricts automated file changes that can happen to documents.

Continuous Data Protection

Continuous data protection is a feature that will back up files as users make changes. This differs from systems that back up on a schedule, such as once per day.

Continuous data protection ensures that the system captures the latest file changes. This mitigates data loss that can occur if a system crashes before the next backup. With the speed of data generation these days, losing a day’s worth of data can be very costly.

Threat Identification

Data protection incorporates proactive measures to protect files. Look for threat identification functions in a backup service. Threat identification is a type of malware and virus prevention tool. 

It looks for malware in new and existing backups. This helps stop sleeper ransomware and similar malware from infecting all backups.

Zero-Trust Tactics

Cybersecurity professionals around the world promote zero-trust security measures. This includes measures such as multi-factor authentication and application safelisting.

A zero-trust approach holds that all users and applications need ongoing authentication. So, just because a user is logged into the system today, doesn’t mean they are completely trusted.

Some of the zero-trust features to look for include:

  • Multi-factor authentication
  • Distinct file and folder permissions
  • Contextual authentication
  • Verification of permissions for file changes

Backup Redundancy

If you back up to a USB drive or CD, you have one copy of those files. If something happens to that copy, you could experience data loss.

Cloud backup providers should have backup redundancy in place. This means that the server holding your data mirrors that data to another server. This prevents data loss in the case of a server crash, natural disaster, or cyberattack.

Air Gapping for More Sensitive Data

Air gapping is a system that keeps a copy of your data offline or separated in another way. This would entail making a second backup copy of your data. Then, putting it on another server. A server disconnected from external sources. 

This is a feature that you may want to seek out if you deal with highly sensitive data. It helps to ensure that you have at least one other copy of your backup. A copy walled off from common internet-based attacks. 

Need Help With Secure Backup & Data Protection Solutions?

Have you updated your backup process for today’s threats? Give us a call today to schedule a chat about data backup and protection. 

Article used with permission from The Technology Press. 

Simple Setup Checklist for Microsoft Teams

Posted on | by J Ellis | Leave a Comment on Simple Setup Checklist for Microsoft Teams

Microsoft Teams is a lot of things. It’s a video conferencing tool, a team messaging channel, and a tool for in-app co-authoring, just to name a few. During the pandemic, the popularity of Teams skyrocketed. 

User numbers for MS Teams jumped from 20 million in November 2019 to 75 million in April 2020. As of this year, Microsoft reports a user count of 270 million for the platform. This makes it the most popular business tool for team communications.  

But one of the things that makes the app popular is also one that can make the setup complex. Microsoft Teams has many moving parts, but to use them effectively they need to be well organized. Additionally, users need to have a chance to learn the system and train on best practices. 

What Can Microsoft Teams Do?

First, let’s look at the different areas of Microsoft Teams and what it can do. Then, we’ll give you a simple setup checklist to help your team get up and running productively. 

You can think of Teams as a virtual office in the cloud. It’s a centralized hub where teams can communicate, collaborate, and manage tasks. There is also an external communication component to Teams. You can use the app to video conference with anyone. You can also invite guests to a chat channel. 

Here are some of the features of MS Teams: 

  • Siloed chat channels 
  • Security for team communications 
  • Integration with Office apps 
  • Integration with 3rd party apps 
  • File sharing 
  • Video and audio conferencing 
  • VoIP phone system (with an extra add-on) 
  • Keep all team resources in a single place

Microsoft Teams Versions

Some good news for small businesses is that there is a free version of Microsoft Teams. If you sign up for a Microsoft 365 business plan, you get the app included, but with a few more features. 

Microsoft has also been pushing MS Teams for personal use. So, you can use it to keep your departments better coordinated at work. Or to manage family video calls or PTA meeting collaboration. It’s a versatile and scalable virtual office platform. 

Easy Checklist for Setting Up Microsoft Teams

1. Set Up Your Teams/Departments

One of the advantages of Teams is that it allows you to set up specific areas for your groups to collaborate. You do not want everyone to set these teams up on their own, or you could end up with an unorganized mess. 

Some ideas for setting these up: 

  • Set up teams by department (accounting, marketing, etc.) 
  • Add a company-wide team (where everyone can collaborate) 
  • Set up teams by role (office managers, executives, etc.) 

Typically, if you mirror the hierarchy of your organization, that’s a good place to start. Team areas are secured so only those users invited can see or access any of the content in that team. 

 

2. Add Team Members

For each team, add the members allowed to take part in that team. These would be people that can see the resources posted in that team area. It would normally be the members of the department or group that the team is designed for.  

3. Set Up Team Channels

The next level beneath the Team is the Channels. These team channels help organize conversations. For example, within a team set up for your marketing department, you may decide to add three channels. This keeps conversations more focused and makes it easier to find things. 

For instance, you could have channels for: 

  • Website Management 
  • Social Media 
  • Offline Advertising 

Team channels are another area that you want to control. Don’t let everyone set up channels without a plan, otherwise, things get messy fast. 

4. Set Up Team Labs

Tabs are a great way to foster productivity. Say that employees on your accounting team need to access a tax reporting website. Inevitably, there can be time wasted asking for that link or a login. This is especially true if someone is filling in for a co-worker. 

You can add that website link and info to the Tabs area at the top of the team channels. Just click the plus sign to add a new resource and consolidate things for your team members. 

5. Schedule MS Teams Training

One of the reasons that company initiatives fail is that users weren’t properly enabled. If users aren’t trained on using MS Teams, then they’ll revert to using whatever they used before. This negates the benefits of moving to Teams when not everyone is onboard. 

Work with a Microsoft professional to train your teams. We can provide tips on the most productive features. As well as short-cut their learning curve quite a bit! Make sure to have a realistic timeframe. You should also survey users on whether they feel they need more training.  

Need Some Help Implementing Teams in Your Organization?

We can help you over many of the roadblocks that organizations face when starting with Teams. Contact us today for a free consultation to enhance your collaboration and productivity. 

 

Article used with permission from The Technology Press.  

What to Include in a Year-end IT Review

Posted on | by J Ellis | Leave a Comment on What to Include in a Year-end IT Review
end of year checklist

When the year is coming to a close, it’s the perfect time to plan for the future. Most businesses begin the year with the hope of growing and improving operations. Much of how a business operates depends on technology. So, it makes sense to look to your IT for areas of optimization. 

A year-end technology review provides an opportunity to look at several areas of your IT. The goal is to take time to focus on improvements you can make to boost your bottom line. As well as what tactics to take to reduce the risk of a costly cyberattack. 

A recent study by Deloitte looked at digitally advanced small businesses. Small businesses that make smart use of technology are well ahead of their peers. Here are some of the ways they excel: 

  • Earn 2x more revenue per employee 
  • Experience year-over-year revenue growth nearly 4x as high   
  • Had an average employee growth rate over 6x as high 

The bottom line is that companies that use technology well, do better. They are also more secure. According to IBM, businesses that have an incident response plan reduce the costs of a data breach by 61%. Using security AI and automation can lower costs by 70%. 

This year-end, take some time to do a technology review with your internal IT team or have BDS assist you. This will set you up for success and security in the coming year. 

Considerations When Reviewing Your Technology at Year-End

The goal of a year-end technology review is to look at all areas of your IT infrastructure. Security, efficiency, and bottom-line considerations will be the key drivers for future initiatives. 

Technology Policies 

When technology policies get outdated, people stop following them. Review all your policies to see if any of them need updating to reflect new conditions. For example, if you now have some staff working from home, make sure your device use policy reflects this. 

When you update policies, let your employees know. This gives them a refresher on important information. They may have forgotten certain things since onboarding. 

Disaster Recovery Planning

When is the last time your company did an incident response drill? Is there a list of steps for employees to follow in the case of a natural disaster or cyberattack? 

Take time to look at disaster recovery planning for the new year. You should also put dates in place for preparedness drills and training in the coming months. 

IT Issues & Pain Points

You don’t want to go through a big IT upgrade without considering employee pain points. Otherwise, you might miss some golden opportunities to improve staff productivity and wellbeing. 

Survey your employees on how they use technology. Ask questions about their favorite and least favorite apps. Ask what struggles they face. Let them tell you how they feel technology could improve to make their jobs better. This, in turn, benefits your business. It can also help you target the most impactful improvements. 

Privileged Access & Orphaned Accounts

Do an audit of your privileged accounts as part of your year-end review. Over time, permissions can be misappropriated. This leaves your network at a higher risk of a major attack. 

You should ensure that only those that need them have admin-level permissions. The fewer privileged accounts you have in your business tools, the lower your risk. Compromised privileged accounts password open the door to major damage. 

While going through your accounts, also look for orphaned accounts. You need to close these because they’re no longer used. Leaving them active poses a security risk. 

IT Upgrade & Transformation Plans for the New Year

If you make IT upgrades and decisions “on the fly” it can come back to bite you. It’s best to plan out a strategy ahead of time, so you can upgrade in an organized way. 

Have a vulnerability assessment performed. This gives you a list of potential problems your company should address. Eliminating vulnerabilities improves your cybersecurity. Planning ahead allows you to budget for your upgrades and avoid unplanned expenses. 

Cloud Use & Shadow IT

Review your use of cloud applications. Are certain apps hardly used? Do you have redundancies in your cloud environment? A review can help you cut waste and save money. 

Also, look for uses of shadow IT by employees. These are cloud applications that are being used for work but did not go through approval. Management may not even be aware of them. Remove this security risk by either closing the accounts or officially approving them. 

Customer-Facing Technology

Don’t forget to look at the customer experience of your technology infrastructure. Go through your website and contact process as a customer would. 

If you get frustrated by things like site navigation, then your customers and leads may be too. Include optimizations to your customer-facing technology in your new year plans. 

Schedule a Technology & Security Assessment Today!

We can help you with a thorough review of your technology environment to give you a roadmap for tomorrow. Contact us today for a free consultation. 

 

Article used with permission from The Technology Press.  

Posted in IT