Does Your Business Need a Data Classification Strategy?

Why classify data

All large organizations today, from corporations to universities, health care organizations, and nonprofit membership organizations, routinely practice data classification. Why? Data classification is the indispensable first step in ascertaining the required levels of security. The status of the data, as we will discuss, dictates the level of security. Why? Most organizations have requirements for data security imposed by governments, business groups, and associations. These requirements range from individual privacy and confidentiality to the highest levels of national security. Organizations face consequences that they categorize from “compromising,” to “seriously compromising,” to “catastrophic” when certain data security is breached. Think of the national news stories on the “catastrophic” breach of customer data security at Verizon.

All employees require access to data, and the easier the access the better. But not all employees require access to legally private, confidential, or proprietary data. Managing access to information is much simpler and cheaper if “public data” (the lowest level of data classification) is segregated from data at higher security levels. It costs money to keep data systems secure, and that cost should not be spent on public data. The first step, then, is classification. And the first decision to be made by a business is which classifications are relevant to the business.

Let’s look at a classification system that is “classic,” but nevertheless does the job for even larger organizations. Each classification implies that the data in the class will require a different level of security. These are the three data “sensitivity” levels or categories:

Restricted Data (the highest level of security). This means that unauthorized disclosure, alteration, or destruction of this information could put your business at significant risk. For some organizations, this category includes, for example, data protected by state or federal privacy regulations, or data protected by industry, association, or other confidentiality agreements.

Private data (middle level). This means that unauthorized disclosure, alteration, or destruction of the data could result in a moderate level of risk to the business. In this category goes all data that is not restricted but also not “public” (public data being the category that essentially requires no security).

Public data (the lowest level). This means that unauthorized disclosure, alteration, or destruction of the data would present little or no risk to the business. Examples of public data might be press releases, catalogs, public announcements, and the like. The only concern for a business’s public data is that the stored data not be deleted or destroyed.

In many organizations, an employee (or, in large organizations, a department) is assigned responsibility for classifying data and protecting it with the requisite levels of security. This role is sometimes called the “data steward,” but, whatever the title, the position is responsible for the “life cycle” of the information: the data from the time the business acquires it, through its applications to the business, to the end of the period of its usefulness, when it is discarded.

Making data classification work

The two challenges to data classification and data security are reviewing and classifying large and constant influxes of new information, and maintaining security of the classified information at appropriate levels. Computer data security at various levels is a well-developed specialty. Here, we will focus on the specifics of data classification. Given the three broad classifications, and the need to associate all data with one of those […]

Does Your Company Need a Bring Your Own Device (BYOD) Policy?

Benefits of BYOD

First, let’s dive into the pros of integrating employee devices into your workflow. BYOD is most appealing to startups and small to medium businesses that do not have warehouses of spare equipment or large budget margins. In most cases, your employees already own devices that are up to the job, and many even prefer to use their personal, familiar devices for both work and personal purposes.

Accelerated Mobility

For companies that are expanding, mobility is key. Working through mobile devices gives you the opportunity to work in and out of the office, hire remote employees and allow telecommuting, and stay location-flexible. By encouraging your employees to work with their own devices, your company gains this mobility much sooner than if you were budgeting for (and sometimes shipping) company devices.

Lowered Hardware Cost

Speaking of budgeting, a unified set of company devices is a considerable investment. Many companies completely side-step this expense by inviting employees to use their own devices. Because most professionals already have smartphones and other devices, there’s no need to invest in a rack of company devices that would only have employees carrying two phones.

Increased Productivity

Employees often use their phones for work on the side. By enacting BYOD policies and helping your employees configure and use their devices for work, you can increase the office’s natural productivity. A good set of BYOD policies lets employees know they are welcome to use their devices and makes them more efficient when device use is appropriate.

Employee Device Comfort

Finally, employees are generally more comfortable and independently efficient with their own personal devices. They are familiar with the interfaces, the app collection, and how to quickly take care of tasks on their own devices.

Considerations of BYOD Policies

If the benefits of a BYOD policy align with your business needs, then it’s time to consider logistics and implementation. BYOD, like any policy, has strengths and weaknesses to account for as you move forward.

Employee Device Ownership

The first consideration is that you can’t guarantee that every employee will have a sufficient mobile device. While it’s rare, not everyone owns a smartphone, a tablet, or a laptop. Most people have at least one, but you can’t necessarily require employees to buy a device or hire based on device ownership. It’s important to remember this when planning to implement BYOD policies.

Lack of Standardization

Next, consider that not all employee devices will be the same. You will inevitably have devices of several brands, operating systems, and software configurations. Any operations that require devices to be the same, or similarly configured, are likely to fail. But if you don’t need homogeneous devices, BYOD is quite effective.

Conflicting Operating Systems

In any BYOD office it is almost inevitable that there will be both Android and Apple phones. There may even be a few smaller-brand alternatives. The trouble is that different operating systems do not run the same apps. You will need two versions of every app and function, and a way to unify functionality between operating systems.

Unsynchronized Software

Another concern is control and synchronization of software. From phone firewalls to accessing your work databases through a custom app, BYOD is more challenging to coordinate on a software level than company devices.

Reduced Security

Employee-owned devices are also more challenging to keep secure. Data security is quite porous with most personal […]

The Ultimate Social Engineering Survival Guide

The Anatomy Of Social Engineering Attacks

“Social engineering attacks” refers to tricking people into giving up sensitive information or access to systems. In many cases, social engineering attacks are far more successful than traditional hacking techniques because they exploit human weaknesses instead of technical vulnerabilities. While more organizations are aware of the numerous threats posed by hacking, they have mostly upgraded their systems (the technical aspect) and forgotten about the key and most vulnerable factor: humans, the most crucial cog in any enterprise or organization.

Unlike computer hardware and software, humans have emotions that greatly influence their actions. For instance, a policy may prohibit downloading or opening attachments on company computers. However, the urge to follow instructions from superiors may compel junior staff to download an attachment, even when they know organizational policy. In most cases, there is the fear of being reprimanded for insubordination, or the assumption that superiors know better and that their instructions override standing policy. This is the gap attackers know and exploit.

Attackers often use various forms of deception to gain their victim’s trust. They may pose as a customer service representative, for example, or pretend to be someone from the victim’s company. Once they have gained sufficient trust, they can start collecting sensitive information or gain access to an organization’s systems. Whereas soft-handed tactics have been the norm, attackers are getting bolder. They may employ brutal tactics like blackmail to force or manipulate victims into providing information or granting access to an organization’s systems. All types of social engineering attacks share one common goal: to trick or manipulate victims into knowingly or unknowingly revealing information or granting access that they would not typically give.

Types Of Social Engineering Attacks

They can broadly be categorized into four main types: phishing attacks, vishing attacks, smishing attacks, and impersonation attacks. Each type of attack has its unique characteristics. Still, all are designed to trick victims into providing compromising information or carrying out an action that would grant the attacker access to an organization’s data or systems.

Phishing attacks are the most prevalent social engineering attacks. They typically involve attackers sending out mass emails that look like they are from a legitimate company or organization. Such emails usually contain malicious links that direct victims to log in to what they believe are genuine sites, when in fact the site forwards their login credentials to the attacker’s server.

Vishing attacks are similar to phishing attacks, but instead of using email, attackers use phone calls to try to trick victims. They might pose as a customer service representative from a bank, credit card company, or IT support firm associated with the victim’s organization.

Smishing attacks are social engineering attacks that use text messages instead of email. The ploy is that the message appears to be from a trusted organization like a bank or government agency, and it usually contains a link that leads to a fake website.

Impersonation attacks are more targeted than phishing or smishing attacks. In these attacks, attackers pose as a trusted individual, like a co-worker or friend, and try to manipulate the victim into divulging privileged information or carrying out an action, such as clicking on a malicious link. Similarly, attackers may disguise themselves as IT support staff or maintenance crew to gain physical access to a company’s systems. […]

The Managed Service Model Brings Some Great Benefits

What Used to Be: Break-Fix IT

Businesses that struggle with technology management often cite a lack of resources or a lack of time as the cause. They might not have the funds to hire an in-house IT department or even a dedicated technician, and even if they do, they might not have the time to spend with general upkeep or the implementation of new solutions. And when general maintenance doesn’t happen, downtime is inevitable. It used to be the case that businesses would wait until their technology broke down and created downtime before problems were addressed, simply because it was not feasible for them to address them beforehand. The downtime caused by break-fix IT is staggering and unnecessary. Instead, you can opt for the preventative and proactive nature of managed IT services, which ultimately saves your organization time and money that it would normally be spending on recovering from problems like hardware failure or security breaches.

What Should Be: Managed IT Services

The rise of the managed service model has allowed organizations to take advantage of technology management and maintenance services that were previously unavailable to them. Essentially, a managed service provider and a business will work together to establish a service level agreement. This service agreement determines what the MSP is responsible for, how much they are compensated for their services, and the timeline expected for services rendered. Basically, a managed IT provider can do just about anything you would expect an in-house IT department to do, but instead of paying multiple salaries, you pay a monthly fee. Managed IT services can be used even if your business already has an established in-house IT department. If you ask anyone on your IT staff if they could use an extra pair of hands or someone to help out with their various tasks, they would probably thank you for thinking to ask them about it.

Long story short, IT maintenance and management is an involved process with many moving parts, and it’s likely that even the most accomplished IT administrator is overwhelmed with work. You can make their life easier by bringing a managed service provider on board for routine maintenance or upkeep, if nothing else. White Mountain IT Services can help you get started with managed IT services by providing a comprehensive network audit to help you determine where our services can be best utilized. With this type of information at your disposal, you can then make educated decisions about the future of your technology infrastructure. To learn more about what we can do for your business, reach out to us at (603) 889-0800.

Outlining the Immense Value of Managed IT Services

For quite some time, managed IT services have been the answer to many small and mid-sized businesses’ attempts at keeping their operational downtime to a minimum. Today, we will go through some of the most valuable parts of utilizing managed services and how the value you get from it goes beyond just capital cost.

More Uptime

One of the biggest benefits of utilizing managed IT services is the boost in technology uptime your business will see. Any business owner understands just how costly downtime can be. Not only is nothing getting done, but if you have to wait for your technology to get fixed before normal business resumes, you are looking at quite a spell without meaningful productivity.

The managed service provider (MSP) can do quite a few things designed to keep your technology working for you, the most important of which is to monitor and manage all of your essential hardware. This service brings value by having certified and knowledgeable technicians use state-of-the-art technology that provides a look into the effectiveness of all of your business’s technology. With their training and tools, they can adjust your technology if it is running inefficiently and therefore provide your organization with optimally-running technology. By fixing issues before they can become downtime-causing problems, your business’s technology runs better and gives your employees the reliable tools they need to maximize their own productivity.

Better Security

If you are a frequent reader of this blog, you know that cybercrime is a big deal and has to be a major consideration for any business that relies on IT. Our technicians not only are versed in the myriad of threats that a business like yours faces, we also work with other New Hampshire businesses to impart our knowledge on how to steer their business clear of those threats. This perspective is indispensable when it comes to keeping your business’s technology free from threats.

To accomplish this ever-growing task of maintaining cybersecurity, we employ several strategies. The first is to completely assess your network and infrastructure for possible vulnerabilities. We then deploy cutting-edge software that can help us stay on top of the network traffic by comprehensively monitoring it. Beyond that, we ensure that all software, including the security software you need, is patched and up-to-date with the latest threat definitions. Finally, we have quarterly business reviews in which we outline how your business is doing in terms of cybersecurity and what you can do better to protect your resources. This includes expanding your employee training regimen, undertaking penetration testing to find vulnerabilities in your network and infrastructure, and deploying new tools designed to keep your business safe from cyberthreats.

Establishing Continuity

One of the most underappreciated values that an MSP can bring to your company is in the way your business bounces back after operational problems. One of the first things an MSP can provide for your business is a comprehensive data backup and recovery service. This effectively backs up all of your business’s applications and data, clearing the way for you to restore these systems if they are corrupted or taken down at some point. There are a lot of threats out there that can derail a business’s ability to conduct business, and the MSP provides tools and resources to mitigate long outages. Getting your […]